
HIPAA Compliance and Cloud Computing is a Great Match

Editor’s note: Gathering Clouds is pleased to welcome noted thought leader, SVP of Cloud Technology Partners, and Cloud Player David Linthicum as a regular contributor. David is a renowned expert in all things cloud computing, SOA, Health IT, SaaS, Big Data, and many other IT-related topics. Check back every week for more from David!

Those charged with HIPAA security and compliance within healthcare organizations are quick to say “No” to cloud computing.  Why?  Clouds are not under their direct control, cloud providers are not typically up to date on existing and emerging healthcare regulations, and, most importantly, clouds are new and unproven.  However, healthcare could be missing a huge opportunity.

There is a clear need to rethink the role of cloud computing by those charged with HIPAA security and policy.  The trick is to understand the existing requirements, and then understand how the emerging use of cloud computing could provide compliant and secure HIPAA solutions.  In many cases, leveraging cloud computing will improve upon the best practices and technology that exist today.

One of the most frustrating things for those looking at cloud computing and HIPAA is separating myth from reality around HIPAA Security and cloud adoption.  The “addressable” implementation specifications of the Security Rule tend to be the most difficult to handle.  Addressable does not mean optional: a covered entity must either implement the specification, or document why it is not reasonable and appropriate and implement an equivalent alternative measure.  Because that decision and its documentation take work, addressable specifications have a tendency to fall off the radar, and that is where compliance gaps appear.

The HIPAA Security Rule groups its safeguards into three sections: administrative, physical, and technical.  Each section defines standards, and each standard carries one or more “implementation specifications,” each marked as either required or addressable, that describe what must be done to meet it.  An example from the technical safeguards is the “transmission security” standard, which requires guarding against unauthorized access to electronic PHI transmitted over a network and lists two addressable specifications: integrity controls, so that transmitted data cannot be modified without detection, and encryption.
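The integrity-control half of the transmission security standard is easy to describe and easy to get wrong in practice.  The following is an added example, not code from the original post or from any provider named on this page, showing one way to implement it with only the Python standard library: the sender wraps a PHI record with a sequence number, a timestamp and an HMAC-SHA256 tag, and the receiver rejects anything tampered with, replayed or stale.  Encryption of the channel itself is assumed to be handled separately by TLS; the shared key, the record contents and the `seal`/`Receiver` names are illustrative assumptions.

```python
import hashlib
import hmac
import json

# Assumed shared secret for the example. In a real deployment the key comes
# from a key management service or secret store, never from source code.
KEY = b"example-shared-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes, seq: int, now: float) -> dict:
    """Sender side: attach sequence number, timestamp and an HMAC-SHA256 tag.

    The tag covers seq and ts as well as the record, so an attacker cannot
    re-send an old record with a fresh timestamp or sequence number.
    """
    body = {"seq": seq, "ts": int(now), "record": record}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then enforce freshness and ordering."""

    def __init__(self, key: bytes, max_skew_seconds: int = 300):
        self.key = key
        self.max_skew = max_skew_seconds
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, msg: dict, now: float) -> tuple:
        """Return (accepted, reason). Integrity is checked before anything else."""
        body = msg.get("body")
        tag = msg.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks tag bytes through timing.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        if abs(now - body.get("ts", 0)) > self.max_skew:
            return False, "stale"
        if body.get("seq", 0) <= self.last_seq:
            return False, "replay"
        self.last_seq = body["seq"]
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample record; identifiers are fictitious.
    sample = {"patient_id": "P001", "dx": "E11.9"}
    msg = seal(sample, KEY, seq=1, now=1_700_000_000)
    rx = Receiver(KEY)
    print(rx.verify(msg, now=1_700_000_010))  # accepted the first time
    print(rx.verify(msg, now=1_700_000_011))  # rejected as a replay
```

Note that the tag is checked before the timestamp and sequence number, so an attacker who cannot forge a tag also cannot probe the replay window.  Checking the HMAC with `hmac.compare_digest` rather than `==` is the detail most often missed in home-grown integrity controls.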

So, what about cloud computing and HIPAA?  First you need to realize that a cloud provider that stores or processes your protected health information is an active participant, in HIPAA terms a business associate, and thus must also adhere to the security requirements, such as workforce screening, physical access controls, and a signed business associate agreement.  Our host, LogicWorks, is a good example of a cloud-based active participant, but you could have many.

Thus, you need a cloud computing provider that understands HIPAA, but most importantly, understands how to be compliant.  This means they should become a trusted custodian of your data (the data remains yours, and the provider’s obligations should be written into the business associate agreement), and meet all of the security requirements, including encryption, integrity controls, transmission protections, monitoring, management, and physical security.  They will need to pass the same audits, and should meet or exceed your expectations and requirements.

Keep in mind that cloud computing is not for all who have to deal with HIPAA security.  In some instances, it’s not cost effective when considering the internal processing risks, cost of migration, or ongoing operational costs.  You have to do your homework before making the jump.

However, in the vast majority of cases, cloud computing and HIPAA security are a good mix, assuming you partner with a cloud computing provider that knows what they are doing around HIPAA Security.  To get comfortable with a provider, you need to ask the right questions and review their existing documentation: their risk analysis, their audit reports, their breach notification procedures, and how each addressable specification is either implemented or justified.

In reality, this is the right move for most who have to deal with HIPAA compliance.  You outsource the operational work of HIPAA security to those who are best equipped and funded to deal with it, while keeping in mind that the covered entity remains accountable for compliance and for the provider it chooses.  Through economies of scale, a cloud computing provider that specializes in HIPAA compliance should both save you money as well as make your life easier.

By David Linthicum

Posted on July 2, 2013 in Cloud Compliance, Cloud Perspectives


Responses (5)

  2. […] selected cloud provider must also adhere to security requirements, just as we did with other remote HIPAA cloud computing solutions.  This means that those who have access to the cloud data center have to undergo […]

  3. […] The reality is that, if proper planning occurs and the right security mechanisms are leveraged, you’ll likely have better security around your patient data when it’s leveraged within a cloud-based patient portal vs. the traditional methods of process you now employ.  You also need to look into more advanced security models, such as identity-based security.  In addition, this is a good time to do an internal audit around compliance with any relevant laws and regulations. (See HIPAA cloud computing) […]

  4. Idiocracy
    November 25, 2013 at 10:48 pm ·

    Are you smoking crack?

  5. […] the use of cloud computing.  However, not much audit data has come back from these new or existing HIPAA  cloud computing […]
