When word got out that medical researchers were contemplating ways to employ cloud computing, privacy rights watchdog Deborah Peel sounded an alarm. Is Peel right to be worried? Or does this potential storm cloud have a HIPAA-compliant lining?The controversy was touched off when Harvard Medical School, along with Amazon.com and a few other sponsors, held an invitation-only symposium to discuss potential uses of computing in health care and biomedicine. As my colleague Marianne Kolbasuk McGee reports, the forum was exploratory in nature, and speakers acknowledged that thorny questions over data security and patient privacy will have to be addressed.

But there also was optimism over this new way of doing things. "It's like a virtual lab," said Peter Tonellato, senior research scientist at Harvard Medical School's Center for Biomedical Informatics, adding that cloud computing "fits the vision of ubiquitous access to the lab on the Web regardless of location." Tonellato predicted that many research organizations will transition to private/public cloud infrastructures for elasticity and cost-efficiency. In fact, Harvard's Laboratory for Personalized Medicine already is using Amazon Web Services to develop genetic testing models, as described here.

This news, however, didn't sit well with Peel, who is the founder and chair of Patient Privacy Rights, a self-described "guardian" of health privacy rights. "Clouds by their nature do not have patient or consumer control over personal data built in. That makes such systems illegal and unethical," Peel writes in response to our article. She argues in favor of consumer-led certification.

Peel's not alone in sounding a note of caution. Many IT departments are evaluating the privacy, security, and governance issues of public compute clouds, and some will decide it's a route they're not willing to take. (See Bob Evans' related post on InformationWeek's Global CIO blog.)

What's the answer? Clearly, there will be scenarios where those responsible will determine that sensitive health-related data needs to be stored behind the firewall and not in the cloud. However, there will be other situations where health data can be processed and stored in the cloud, and we're beginning to see examples. On its Web site, Amazon offers case studies of HIPAA-compliant applications that have been deployed on AWS. On one example, TC3 Health minimizes the amount of "protected health information" that goes into Amazon's cloud, while encrypting any data that does go there. In another, health records service provider MedCommons has architected its application to include identity management, activity logs, and other protective measures.

Health care is just one industry where the security, privacy, and governance implications of cloud computing have yet to be thoroughly tested or answered. Financial services companies, schools, and public agencies face many of the same issues. As more organizations experiment with and move applications in the cloud, they should be prepared to hear from the likes of Deborah Peel.