Essential Steps to HIPAA Compliant Cloud Hosting

Posted on November 22, 2019

Being on the cloud is critical today, and critical for the future.

A future where your network never becomes obsolete, and you never have to buy hardware again… There are no boundaries, and you can access your system from any device, from anywhere in the world, anytime.

Cloud-based environments significantly decrease your costs. Infrastructure hardware and maintenance costs are eliminated while energy usage can be decreased.

Simply put, cloud computing is a better way to run your business.

Secure Cloud Hosting for Healthcare: Does the Perfect One Exist?

Healthcare organizations looking for secure storage and networking are increasingly turning to the cloud, which has quickly become a low-cost way to build the complex infrastructure required to support a variety of critical organizational activities.

Cloud hosting offers the healthcare industry many benefits, including cost savings, remote file sharing, custom applications, and expanded storage, giving healthcare IT departments and digital health technology vendors the ability to create a robust and secure infrastructure to store, back up and maintain Protected Health Information (PHI).  

When selecting a healthcare cloud provider, an organization needs to perform due diligence to ensure the information they are entrusting to this provider will be secured in accordance with the healthcare data regulations.


Why HIPAA Applies to Cloud Storage

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy of sensitive patient information. Covered entities under the law include healthcare plans, health care clearinghouses, and certain types of healthcare providers.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA requirements to business associates. A business associate is any service provider who has access to the Protected Health Information (PHI) of a covered entity. 

According to these security guidelines, anyone who develops platforms or applications for the healthcare industry and deals with Protected Health Information (PHI) is required to meet national standards for the physical, administrative, and technical security of health information.

Does your business collect, store, or transmit PHI to a covered entity? Then you definitely should be HIPAA compliant. And probably, your business will require a HIPAA compliant hosting cloud server.

Cloud vendors should provide a reliable and scalable computing platform that can support healthcare customers’ applications in a manner consistent with:

  1. Health Insurance Portability and Accountability Act (HIPAA)
  2. Health Information Technology for Economic and Clinical Health (HITECH)
  3. The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)

Your Vendor’s HIPAA Certification is Not Enough

The fact that a cloud storage provider offers a Business Associate Agreement (BAA), specific administrative and security controls, and encryption does not, in and of itself, make a healthcare organization HIPAA compliant by default.

This is how Amazon Web Services (AWS) explains it:  “Any AWS service can be used with a healthcare application, but only services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information under HIPAA.

In the AWS Cloud, security is shared between AWS and the customer, meaning that certain elements of security – such as physical security of the underlying infrastructure – are now the responsibility of AWS. Customers are still responsible for other aspects of security, such as the security measures used to protect your applications – which is no different than if your application was running in a traditional data center.”

Ultimately, the covered entity or business associate is the one responsible for making sure all its regulatory mandates are being followed.

HIPAA covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. As you look for a compliant healthcare cloud, ask these key questions:

  1. Have they had an external assessment done by a third party? 
  2. Have they been assessed against the HIPAA Security Rule? 
  3. What assurance can they make in safeguarding your data? 

Is AWS HIPAA Compliant?

Cloud hosting providers like Amazon Web Services (AWS) enable entities subject to HIPAA, and their business associates, to build applications that store, process, and transmit sensitive health-related information, consistent with their privacy and security obligations under frameworks such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Federal Risk and Authorization Management Program (FedRAMP).

AWS offers a comprehensive set of features and services to make key management and encryption of PHI easier to manage and simpler to audit, including the AWS Key Management Service. Customers with HIPAA compliance requirements have a great deal of flexibility in how they meet encryption requirements for PHI. 

What’s Covered Under a BAA with AWS?

Under HIPAA, AWS is considered a business associate. Before a healthcare entity can use AWS for PHI, it must first secure a business associate agreement (BAA), which is a key component of HIPAA compliance between a covered entity and a business associate. The BAA contract clarifies how your HIPAA obligations will be shared with AWS.

To be considered HIPAA compliant, AWS must be used properly by all users within an organization. Configuration mistakes that leave PHI unprotected and accessible to unauthorized individuals, in violation of HIPAA rules, are very common.

Administrators must pay close attention to security and ensure that they do not grant access to data to users who should not have it.
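As an added example (not code from the original post or from DevCom), the following Python check looks for the kind of configuration mistake this paragraph warns about, assuming the PHI lives in an Amazon S3 bucket. It evaluates bucket settings passed in as plain dicts shaped like the boto3 responses for get_bucket_policy, get_public_access_block and get_bucket_encryption, using constructed sample input so it runs offline; the bucket name, account id, role name and key alias are made up, and the weak and hardened configurations are shown side by side.

```python
"""Offline check for S3 settings that would expose PHI to unauthorized users.

Added example, not part of the original post. Input dicts mimic the shape of
boto3 responses (get_bucket_policy / get_public_access_block /
get_bucket_encryption); substitute live API output to run it for real.
"""

# Constructed weak policy: any anonymous principal may read every object.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-phi-bucket/*",   # hypothetical bucket
    }],
}

# Constructed hardened policy: one application role, TLS required.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/phi-app-role"},  # hypothetical
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-phi-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

# Public access block: all four flags off (weak) versus all on (hardened).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
WEAK_PAB = {flag: False for flag in PAB_FLAGS}
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}

# Default encryption with a customer-managed KMS key (alias is hypothetical).
KMS_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-key"}}]}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy):
    """Flag Allow statements that grant anonymous or wildcard access.

    Conditions are deliberately not evaluated: an anonymous Allow is
    treated as a finding even if a Condition narrows it, so a reviewer
    looks at it.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _principal_is_anonymous(stmt.get("Principal")):
            findings.append(f"statement {sid} grants access to an anonymous principal")
        if any(action in ("*", "s3:*") for action in _as_list(stmt.get("Action"))):
            findings.append(f"statement {sid} grants wildcard S3 actions")
    return findings


def public_access_block_findings(cfg):
    """Every flag must be enabled; report the ones that are not."""
    if cfg is None:
        return ["no public access block configuration"]
    disabled = [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]
    return [f"public access block disabled for: {', '.join(disabled)}"] if disabled else []


def encryption_findings(enc):
    """Require default server-side encryption; prefer a KMS key for auditability."""
    if not enc:
        return ["no default server-side encryption configured"]
    findings = []
    for rule in enc.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ("AES256", "aws:kms"):
            findings.append(f"unrecognised SSE algorithm {algo!r}")
        elif algo == "AES256":
            findings.append("default encryption uses S3-managed keys; a KMS key gives auditable key use")
    return findings


def assess_bucket(name, policy, public_access_block, encryption):
    """Return all findings for one bucket, prefixed with its name."""
    findings = (policy_findings(policy)
                + public_access_block_findings(public_access_block)
                + encryption_findings(encryption))
    return [f"{name}: {finding}" for finding in findings]


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_PAB, None)),
                        ("hardened", (HARDENED_POLICY, HARDENED_PAB, KMS_ENC))):
        result = assess_bucket("example-phi-bucket", *args)
        print(f"{label}: {result or 'no findings'}")
```

The weak configuration produces three findings (anonymous principal, all public access block flags off, no default encryption) and the hardened one produces none; the policy check is conservative on purpose, so a finding is a prompt for review rather than proof of exposure.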

Customers can use any AWS service in HIPAA-compliant applications. However, only the HIPAA-eligible services defined in AWS’s BAA can be used to process, store, and transmit personally-identifiable patient data. 

So, is AWS 100% HIPAA Compliant? Yes. They are secure by default. Since AWS satisfies all HIPAA requirements, business analysts conclude that they are, in fact, a HIPAA compliant cloud vendor. With a signed business associate agreement (BAA) and proper configuration, AWS is HIPAA compliant. Just don’t forget to sign a BAA with them.

Build Secure and Scalable Cloud Infrastructure

Meeting HIPAA compliance is challenging – and that’s putting it lightly. Whatever your technical requirements, a cloud vendor can advise you on hosting solutions that have all been audited by a qualified independent third party and come with round-the-clock monitoring and support.

DevCom turns HIPAA compliance on public infrastructure providers into a solved problem, and enables secure clinical data exchange between mission-critical digital health applications.

Having 15+ years of relationships with key Clients in the Healthcare industry, we have excellent expertise and can share experience on how to securely host your healthcare project so you can focus on the business. 

We help digital companies like yours to deploy HIPAA Compliant web applications on AWS.

➤ Migrate your application to the Cloud.

➤ Improve the scalability and security of your infrastructure.

➤ Guide your team to adopt AWS DevOps practices.


Contact DevCom - custom software development company

Written by: Halyna Vilchynska, Marketing Lead at DevCom
