There are many, many companies today that are moving to “the cloud” for their data storage. Naturally there are legal issues that need to be considered in making such a move. HR in particular needs to be concerned with HR recordkeeping in the cloud.
According to John Pavolotsky, an attorney at Greenberg Traurig, there are four main legal issues companies should be aware of in dealing with the cloud. These include:
- Service levels;
- Termination or suspension of service;
- Warranties and indemnities;
I want to spend time discussing this last issue. Confidentiality is key to HR for a number of reasons, not the least of which is HIPAA.
HIPAA, in addition to having portability sections and privacy guidelines, also specifies that companies must abide by security rules. Basically, these rules state that administrative, physical, and technical safeguards must be established to ensure the security of such information.
Administrative safeguards are functions implemented to meet the standards, such as appointing a security officer or providing security training.
Physical safeguards ensure the protection of the physical systems and equipment that maintain the information from such events as natural disasters or unauthorized intrusions. Examples of physical safeguards include restricting access to e-PHI, or retaining off-site computer backups.
Technical safeguards ensure protection of the information and its transmittal, such as through encryption.
This means that when you are selecting a cloud service to store HR information, you must ask the provider specifically whether it is HIPAA compliant.
The following infographic, provided by Paycom, provides further information on mitigating the risks associated with electronic storage of records.