Re: Bullshit Alert
We use exchange online for processing UK medical insurance claims, all traffic to the cloud goes through a gateway server in-house that does pass through encryption, so all the records stored in the cloud are encrypted with their own individual AES 256 key which never leaves our physical control.
The obvious downsides are we still need a small server room so can't go full crazy cloud and we are responsible for backing up the keys securely.
The legal beagles have gone through this setup with a fine-toothed comb and barring some new case law popping up they think its good for the foreseeable future.