We're considering moving our FR from on-premises to cloud, which clearly has many advantages. However, our apps contain confidential patient and employee information that we're concerned about shipping off site. How have other folks dealt with or thought about this?

We've had to stay on-premise for this exact reason. Last we talked to FR (which was probably a year ago) there wasn't really an acceptable way to capture the information necessary to debug request and still be sure PHI wasn't exposed.

Mmm, unfortunate. I think there are ways to filter what gets sent, but as you say, without it, you lose a lot of context you'd want for debugging and analysis.

That was the issue. We could limit what we send to them, but that was going to really handcuff debugging errors because if we couldn't see the contents of a request, then finding the root cause becomes impossible in many situations.

Yeah. Plus I didn't get into all the detail of the pre-transport filtering, but it seemed like actually removing all PHI from every bit of shipped info was nontrivial, and would be something you have to chase constantly as you build new stuff. It has no way of inherently knowing what's PHI and what's not, so you have to tag/flag/wrap/remove it all yourself.

Massive security risk. Your "cloud" data is only as secure as the data center it is in. If it contains data you do not want to "get out" then do not put it in the cloud.

While I am sure that most countries have their own version, anyway... If you're app / app's users / data are not in the US, Then using a cloud service that is US-based, exposes you to the "Patriot Act" And (if you are US-based or your app users are : how do you manage your HIPPA responsibilities) if patient data is exposed to another service?