If you’re concerned about the HITECH Business Associates problem for cloud services, which I’ve written about before here, you might want to have a look at the expanded version that has just been published in the ABA Information Security Committee’s Internet Security and Privacy News: HITECH Regulatory Traps for Healthcare Application Outsourcing and Cloud Services.
On a very related note, I’ve had a couple of people ask about outsourcing processing of PHI to overseas operations, sometimes but not necessarily in a cloud context. I’ve dealt with this a few times, and while it’s not per se prohibited, it is definitely a strategy to think through carefully before implementing. Here’s a piece I did on it a few years ago; I think the analysis is still valid under HITECH: Offshore Outsourcing of PHI Processing – Is It Permitted under HIPAA?