NHS Digital has said that individual care providers can choose to use public cloud services to store patient data.
According to its new guidance, health data can be hosted offshore within the European Economic Area (EEA) or with certain US organisations.
The benefits include reduced costs and more flexible data sharing, according to NHS Digital.
But the digital rights organisation Open Rights Group says allowing offshore data hosting is “dangerous”.
NHS Digital has included a four-step guide to migrating to cloud services, which covers risk assessments and choosing data hosting locations.
The guidance says that implementing data protection is “legally complex”.
A cloud service’s technical and support staff may be based in a different country from where the data is hosted but still have access to patient information.
In the US, only organisations that are part of the Privacy Shield scheme in partnership with the EU can safely host patient data, according to the report.
The Privacy Shield allows individual companies to comply with EU data protection requirements despite not being based in one of the 28 member states.
The European Commission can also approve countries not listed in the guidance for data hosting, the document says.
Jim Killock, executive director of Open Rights Group, said that the Privacy Shield scheme was “highly open to legal challenge”.
“This is a dangerous move that could open up patient data for surveillance purposes, and that could have ramifications for patient health.”
“People might avoid getting care, which would obviously be very bad. Patient confidentiality has to come first.”