Alibaba is now the third largest public cloud provider behind Amazon Web Services and Microsoft Azure and is currently experiencing growth in excess of its competitors. While Alibaba is vying to become the leading public cloud provider worldwide, the company has yet to make great inroads into healthcare in the United States. Healthcare organizations in the United States must ensure that any public cloud provider is HIPAA compliant before their services can be used in connection with protected health information, so how does Alibaba Cloud stack up? Is Alibaba Cloud HIPAA compliant?
Public cloud providers are classed as business associates under HIPAA, so before their products and services can be used in connection with protected health information it is necessary for a HIPAA-covered entity or business associate to enter into a business associate agreement with the company.
The business associate agreement serves as a contract between the covered entity and the cloud service provider and confirms that the cloud service provider is aware of its responsibilities under HIPAA and provides assurances to the covered entity that its products or services support HIPAA compliance.
Alibaba does offer a business associate agreement to HIPAA-covered entities and healthcare vendors for Alibaba Cloud and the company has cloud data centers in the United States in Virginia and Silicon Valley, CA.
The company is keen to attract healthcare clients but is aware that many may be concerned about security and HIPAA compliance. In October 2019, Alibaba produced a HIPAA compliance white paper covering its products and services. The white paper details the safeguards that have been implemented and maps them to the safeguards required by the HIPAA Security Rule. You can view the white paper here.
As with all public cloud providers, Alibaba provides a platform and services that can be used in a HIPAA-compliant manner, but it is the responsibility of each HIPAA-covered entity to ensure that the products and services are configured correctly and used in a HIPAA-compliant manner, that policies and procedures are developed covering the use of those products and services, and that full training is provided to employees.