HIPAA-Compliant Cloud Hosting

Healthcare organizations have a tremendous amount to gain from moving their applications and infrastructure to the cloud, and an increasing number are turning to HIPAA cloud hosting companies to provide the infrastructure and security to allow patient information to be moved from on-premise applications to the cloud.

HIPAA and Cloud Computing

There has been a proliferation of cloud computing solutions in recent years, which have been widely adopted across all industry sectors. Healthcare organizations were slow to embrace the cloud at first, but now most healthcare companies are running multiple cloud applications and an increasing number are now using cloud-based infrastructure and cloud-data centers. The cloud has allowed healthcare organizations to improve efficiency, become more agile, and reduce costs.

Healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities are permitted to move their data centers and IT infrastructure to the cloud, but before any electronic protected health information (ePHI) is transferred outside the protection of the organization’s firewall, safeguards must be put in place to ensure the confidentiality, integrity, and availability of that information.

Under Health Insurance Portability and Accountability Act (HIPAA) Rules, ePHI must always be safeguarded. If ePHI is passed to a third party or a third-party system comes into contact with ePHI, that third-party must also agree to abide by HIPAA Rules and ensure that its systems are secured, staff are trained, and policies and procedures are put in place covering uses and disclosures of ePHI. The responsibilities of the business associate are documented in a business associate agreement (BAA) which must be obtained prior to using any hosting service in conjunction with ePHI.

Factors to Consider When Choosing a HIPAA Cloud Hosting Provider

Security will be a major concern for healthcare providers looking to host applications that collect, store, process, or interact with ePHI. The choice must be made between a private cloud or a multi-tenant public cloud. There is a popular misconception that the public cloud is not secure and does not support HIPAA compliance; however, HIPAA does not prohibit use of the public cloud provided HIPAA provisions are satisfied.

HIPAA cloud hosting providers typically offer multi-tenant HIPAA cloud hosting in a secure public cloud and a dedicated hosting service where data is stored on a private dedicated server. They are in the best position to advise on which solution will best meet the needs of your organization.

Features of HIPAA Cloud Hosting

All cloud hosting companies offer a secure hosting platform, but not all hosting companies have sufficiently rigorous technical, physical, and administrative safeguards to satisfy the requirements of HIPAA.

  • A HIPAA-compliant cloud hosting platform must have robust, layered security controls to prevent unauthorized data access. A powerful, advanced firewall is a must, along with an intrusion detection system and other technical cybersecurity measures
  • All data stored on the platform must be protected at rest and in transit. Data stored in the cloud environment should be encrypted to NIST standards and an encrypted VPN should be used to protect data in transit to and from the cloud environment
  • Access controls should be robust and include multifactor authentication
  • Robust log management is required to maintain a trail for compliance audits and investigations
  • 100% availability to ensure PHI is always accessible when required
  • Robust data backup and recovery systems
  • Signed business associate agreement which provides satisfactory assurances that the hosting provider is fully compliant with HIPAA Rules