More and more healthcare organizations are turning to HIPAA-compliant cloud hosting companies to help them complete their digital transformations and securely move their IT infrastructure, data, and applications to the cloud. Learn how to deploy a reference architecture for HIPAA in the AWS Cloud and stay HIPAA compliant.
Being on the cloud is critical today and critical for the future of healthcare organizations that are subject to HIPAA. A future where your network never becomes obsolete, and you never have to buy hardware again… There are no boundaries, and you can access your system from any device, from anywhere in the world, anytime.
Cloud-based environments significantly decrease your costs. Infrastructure hardware and maintenance costs are eliminated, while energy usage can be decreased. Simply put, cloud computing is a better way to run your business.
Healthcare IT environments require a level of care that goes above and beyond the norm. Cloud computing is not specifically mentioned in the HIPAA/HITECH texts. Still, it is covered by the HIPAA Privacy and Security Rules, and there are restrictions placed on the use of cloud services in connection with protected health information (PHI) and patient data.
So, what is HIPAA cloud hosting?
SECURE CLOUD HOSTING FOR HEALTHCARE ORGANIZATION: DOES THE PERFECT ONE EXIST?
Healthcare organizations looking for secure HIPAA-compliant cloud hosting and networking are increasingly turning to the cloud, which has quickly become a low-cost way to develop the complex infrastructure required to support a variety of critical organizational activities.
Cloud hosting offers the healthcare industry many benefits, including cost savings, remote file sharing, custom applications, and expanded storage. It gives healthcare IT departments and digital health technology vendors the ability to create a robust and secure HIPAA-compliant infrastructure to store, back up, and maintain Protected Health Information (PHI).
When selecting a healthcare cloud provider, an organization needs to perform due diligence to ensure the information they are entrusting to this provider will be secured in accordance with the healthcare data regulations.
WHY HIPAA APPLIES TO CLOUD STORAGE
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy of sensitive patient information. Covered entities under the law include healthcare plans, healthcare clearinghouses, and certain types of healthcare providers.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA requirements to business associates. A business associate is any service provider who has access to the Protected Health Information (PHI) of a covered entity.
According to security guidelines, anyone who develops platforms or applications for the Healthcare industry and deals with Protected Health Information (PHI) is required to meet national standards for the physical, administrative, and technical security of health information.
Does your business collect, store, or transmit PHI to a covered entity? Then you definitely should be HIPAA compliant. And probably, your business will require a HIPAA-compliant hosting cloud server.
Cloud vendors should provide a reliable and scalable computing platform that can support healthcare customers’ applications in a manner consistent with the following:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH)
- The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
YOUR CLOUD VENDOR’S HIPAA CERTIFICATION IS NOT ENOUGH
The fact that a cloud storage provider offers Business Associate Agreement (BAA), specific administrative and security controls, and encryption may not, in and of itself, make a healthcare organization HIPAA compliant by default.
This is how Amazon Web Services (AWS) explains it: “Any AWS service can be used with a healthcare application, but only services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information under HIPAA.
In the AWS Cloud, security is shared between AWS and the customer, meaning that certain elements of security – such as physical security of the underlying infrastructure – are now the responsibility of AWS. Customers are still responsible for other aspects of security, such as the security measures used to protect your applications – which is no different than if your application was running in a traditional data center.”
Ultimately, the covered entity or business associate is the one responsible for making sure all its regulatory mandates are being followed.
HIPAA-covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. As you look for a compliant healthcare cloud, ask these key questions:
- Have they had an external assessment done by a third party?
- Have they been assessed against the HIPAA Security Rule?
- What assurance can they make in safeguarding your data?
KEY FEATURES OF HIPAA COMPLIANT CLOUD HOSTING
Below is an eleven-part checklist of the most important features a HIPAA-compliant cloud hosting environment should include:
- ⇒ A robust firewall and intrusion prevention system.
- ⇒ Encrypted VPNs for securely connecting to the cloud to access, upload, or download PHI.
- ⇒ Robust encryption for data at rest.
- ⇒ Strong authentication controls including multifactor authentication.
- ⇒ Event log management to maintain an audit trail.
- ⇒ Reliable data backups, offsite backup storage, and data recovery assistance.
- ⇒ 100% server availability and reliability, ideally with a 100% server uptime SLA.
- ⇒ Data stored in HIPAA-compliant data centers.
- ⇒ SSL certificates.
- ⇒ SSAE 18 certification.
- ⇒ Business associate agreement (BAA).
IS AWS HIPAA COMPLIANT CLOUD HOSTING?
Cloud hosting providers like Amazon Web Services (AWS) enable entities and their business associates, subject to HIPAA. You can use AWS to build applications that store, process, and transmit sensitive health-related information, consistent with your privacy and security obligations under frameworks such as the US Health Insurance Portability and Accountability Act (HIPAA), and the Federal Risk and Authorization Management Program (FedRAMP).
AWS offers a comprehensive set of features and services to make key management and encryption of PHI easier to manage and simpler to audit, including the AWS Key Management Service. Customers with HIPAA compliance requirements have a great deal of flexibility in how they meet encryption requirements for PHI.
WHAT’S COVERED UNDER A BAA WITH AWS HIPAA COMPLIANCE?
Under HIPAA, AWS is considered a business associate. As a business associate, before a healthcare entity can use AWS, it must first secure a business associate agreement (BAA). That is a key component to HIPAA compliance between a covered entity and a business associate. The BAA contract clarifies how your HIPAA obligations will be shared with AWS.
To be considered HIPAA compliant, AWS must be used properly by all users within an organization. It is so common to make configuration mistakes that will leave PHI unprotected and accessible by unauthorized individuals violating HIPAA rules.
Administrators must pay close attention to security and ensure that they don’t give access to data to users who should not have access.
Customers can use any AWS service in HIPAA-compliant applications. However, only the HIPAA-eligible services defined in AWS’s BAA can be used to process, store, and transmit personally-identifiable patient data.
So, is AWS 100% HIPAA Compliant cloud hosting? Yes. They are secure by default. Since AWS satisfies all HIPAA requirements, business analysts conclude that they are, in fact, a HIPAA-compliant cloud vendor. With a signed business associate agreement (BAA) and proper configuration, AWS is HIPAA compliant. Just don’t forget to sign a BAA with them.
BUILD SECURE AND SCALABLE AWS CLOUD HOSTING INFRASTRUCTURE
Meeting HIPAA compliance is challenging – and that’s putting it lightly. Whatever your technical requirements, a cloud vendor can advise you on hosting solutions that have all been audited by a qualified independent third party and come with round-the-clock monitoring and support.
DevCom turns HIPAA compliance on public infrastructure providers into a solved problem. We enable secure clinical data exchange between mission-critical digital health applications.
Having 15+ years of relationships with key Clients in the Healthcare industry, we have an excellent expertise. Our professional DevOps engineers can share experience on how to securely host your healthcare project so you can focus on the business.
We help digital companies like yours deploy HIPAA-compliant web applications on AWS.
➤Migrate your application to the Cloud.
➤Improve the scalability and security of your infrastructure.
➤Guide your team to adopt AWS DevOps practices.
What necessary infrastructure components do you use for building a HIPAA-compliant network?
To create a HIPAA-compliant network, it is necessary to include secure HIPAA-compliant cloud servers, encrypted data storage, and reliable backups to your infrastructure. Altogether it guarantees data privacy and protection.
How do you explain the differences between HIPAA-compliant hosting services and standard managed services?
How do I verify that your company has implemented HIPAA compliance measures?
Do you provide a BAA (Business Associate Agreement) to your clients?
What methods do you use to ensure regulatory compliance with HIPAA?
How do you respond to a security breach in your cloud hosting services?
Does your company have a dedicated HIPAA compliance officer, and what are their responsibilities?
Which hosting providers do not offer HIPAA-compliant services?
Are there any potential penalties for violating HIPAA regulations?
What security features does cloud storage need to be HIPAA-compliant?
What is the purpose of a BAA in relation to HIPAA compliance?
How do HIPAA regulations impact app hosting?
Written by: Liza Hazevytch – Marketing Manager at DevCom.