HIPAA, short for the Health Insurance Portability and Accountability Act, is a US law that sets standards for protecting patient records and privacy. If your company is in the medical field or manages patient data, then HIPAA is a standard you are required to follow.
Depending on the type of information your organization receives, generates, or stores, the law may be binding. To avoid breaking the law, your organization must follow its provisions for regulatory compliance. Therefore, understanding HIPAA requirements can help your business avoid legal pitfalls.
Disclaimer: The contents of this article are purely to inform the reader. Moreover, Daxima is not a legal firm and does not provide legal advice. For legal advice concerning several aspects of HIPAA, please consult an attorney.
What does HIPAA Compliance Mean and who needs it?
HIPAA is a law created by the United States’ government in 1966 that provides provisions to protect patients’ medical information.
According to the California Department of Healthcare Services (DHCA), provisions from HIPAA serve the following purposes:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information
What kind of Information does HIPAA Protect?
HIPAA mandates healthcare providers, organizations, and relevant business associates to design and follow procedures to safeguard protected health information (PHI). Under U.S. law, PHI is any piece of information relating to the health status, healthcare provision, or payment for healthcare. PHI generated from patients during healthcare procedures may be transmitted or stored manually or electronically. This is especially important to any software product that stores and transmits patient information.
How to find out if your organization is HIPAA eligible
Since HIPAA protects medical information, it covers every organization or startup in the healthcare field. Therefore, the law is relevant to even engineering companies that build digital healthcare technologies.
Is it better to host your apps in your environment or use one of the cloud providers?
Today, more businesses than ever are moving their applications from legacy systems to cloud-based platforms. Storing information in the cloud rather than locally has several benefits, including:
Popular cloud providers such as AWS offer services on a pay-as-you-go basis. Businesses pay only for the storage or computing capacity they actually use, so costs scale with their size and workload.
Hosting applications in the cloud frees up time by simplifying complex data warehousing while increasing data accessibility. Cloud providers like AWS, Azure, and Google Cloud allow organizations to bypass much of the extensive development, testing, and deployment work common to legacy systems.
Enhanced Data Security
Cloud service providers maintain a high level of integrity and confidentiality for users’ information. The data centers and services of the major providers use several layers of security to mitigate a broad range of threats. For instance, AWS will, for a fee, continuously monitor an organization’s APIs for security and configuration vulnerabilities. This saves organizations the cost of setting up and maintaining their own hardware infrastructure to scan applications and services, although, as the provider-specific sections below make clear, the customer remains responsible for configuring those services correctly.
Agile Data Management
Cloud-based data warehousing allows users to store vast amounts of data and access it in real time. With only a device and an internet connection, organizations can quickly reach all the information they need for key business decisions. Moreover, because the inventory of user data is accurate, generating actionable business intelligence is easier.
Organizations also enjoy greater scalability when hosting their applications in the cloud than on legacy systems. Scalability in cloud computing means being able to handle growing or shrinking business operations in an agile way. It is particularly important to organizations with a global clientele or rapidly expanding or contracting operations. Amazon’s AWS and Microsoft’s Azure have a presence in 16 and 30 countries respectively.
Are popular cloud providers HIPAA compliant?
If your organization provides or utilizes digital health solutions, it’s essential to know if your cloud-based services are HIPAA-compliant. The popular cloud services providers we will discuss are AWS, Azure, and Google Cloud.
Amazon Web Services: Is it HIPAA Compliant?
Amazon Web Services (AWS) is a popular cloud services platform and a subsidiary of Amazon. Introduced in 2006, it was one of the first to offer the pay-as-you-go model for on-demand cloud computing.
As of 2019, AWS is the most comprehensive and widely-adopted cloud platform in the world. AWS is useful for the following purposes:
- Running cloud-based and serverless web and application servers
- Sending bulk emails
- Storing information in databases such as Oracle, SQL, MySQL, and PostgreSQL
- Running a content delivery network (CDN)
- Storing files securely in the cloud
- Auto-scaling applications
According to HipaaJournal, AWS fulfills all the requirements of the HIPAA Security Rule. However, it notes that it is easy to make configuration mistakes that could expose protected health information (PHI) to cyber threats.
Moreover, Amazon will typically sign a HIPAA compliance agreement with its business associates, which are usually organizations that use its technology to provide services in the healthcare sector. HIPAA’s Security Rule establishes national standards that protect the confidentiality of patients’ health information generated, received, used, or stored by a HIPAA eligible entity. The Security Rule requires these entities to adopt appropriate technical, physical, and administrative measures to ensure the security, integrity, and confidentiality of digital health information.
How does AWS meet HIPAA requirements?
To assist healthcare organizations using AWS to meet HIPAA requirements, Amazon published a 26-page guide in 2017. The guide covers everything from encryption and protection of PHI to auditing, backups, and data recovery. AWS Simple Storage Service (S3) provides data sharing, storage, and analysis, and makes warehoused data easily accessible from any suitable device. S3 uses multiple layers of data encryption to secure information in the cloud. However, a breach can occur when an organization misconfigures the access permissions on its S3 buckets. HIPAA compliance is therefore achievable, but only when the proper configuration is in place to protect users’ data.
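The sentence above names the failure mode that actually exposes PHI on S3: not a weakness in the encryption, but a bucket whose permissions let anyone read it. The script below is an added example (not from the article, and not Amazon's guide or tooling) that audits an S3 bucket policy document for the two settings a reviewer checks first: an Allow statement granting access to the anonymous principal without any network or account scoping condition, and the absence of a Deny rule rejecting uploads that do not declare server-side encryption. Both sample policies, the bucket name and the VPC endpoint id are constructed placeholders. It uses only the standard library, so it runs offline on a policy exported from the console or the CLI.

```python
"""Audit an S3 bucket policy (JSON) for the misconfigurations that most often
expose stored data.  Added example; the two policies below are constructed
for illustration and come from no real account."""
import json

# Condition keys that narrow a Principal "*" statement to a specific network,
# VPC endpoint or AWS organization/account instead of the whole internet.
SCOPING_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
    "aws:PrincipalOrgID", "aws:PrincipalAccount",
}


def _is_anonymous(principal):
    """True when the statement's Principal is the anonymous/everyone wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_keys(condition):
    """Flatten {"Operator": {"key": value}} into the set of condition keys used."""
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(operator_block.keys())
    return keys


def _denies_unencrypted_put(statement):
    """True for a Deny on PutObject keyed on the server-side-encryption header."""
    if statement.get("Effect") != "Deny":
        return False
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    if not any(a in ("s3:PutObject", "s3:*") for a in actions):
        return False
    return "s3:x-amz-server-side-encryption" in _condition_keys(statement.get("Condition"))


def audit_bucket_policy(policy_json):
    """Return a list of human-readable findings; an empty list means no issue found."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    has_encryption_rule = False
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")):
            if not (_condition_keys(st.get("Condition")) & SCOPING_KEYS):
                findings.append(f"{sid}: Allow to Principal '*' with no scoping "
                                f"condition, so the bucket is public")
        if _denies_unencrypted_put(st):
            has_encryption_rule = True
    if not has_encryption_rule:
        findings.append("no Deny statement rejects PutObject without "
                        "s3:x-amz-server-side-encryption")
    return findings


# Constructed weak policy: world-readable objects and no encryption requirement.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-bucket/*",
    }],
})

# Constructed hardened policy: reads only via one VPC endpoint (placeholder id)
# and uploads must be KMS-encrypted.  Block Public Access at the account level
# is the second control to enable; it is a bucket setting, not policy text.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadViaVpcEndpointOnly", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
        },
        {
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
})

if __name__ == "__main__":
    for name, policy in (("weak", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_bucket_policy(policy) or 'no findings'}")
```

The check is deliberately conservative: a wildcard principal is only accepted when one of the listed scoping keys is present, which matches the review question "who, other than everyone, can reach this bucket?". A policy audit like this complements, rather than replaces, the bucket-level Block Public Access setting and default-encryption configuration, which live outside the policy document.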
Is Azure HIPAA Compliant?
Like AWS, Microsoft Azure is a cloud computing platform that provides data storage, analytics, networking capabilities, and more. Azure also allows organizations to host, develop, and manage mobile and web apps in the cloud. Moreover, pricing for Azure services is flexible, and businesses can scale them up or down as needed.
Azure’s solutions for business include:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
According to HipaaJournal, organizations can use Microsoft Azure in a HIPAA-compliant way. To comply with the provisions of HIPAA, Microsoft will usually enter into a Business Associate Agreement (BAA) with the respective healthcare organization.
How does Azure Meet HIPAA requirements?
To protect the integrity and confidentiality of PHI, Microsoft provides a number of security tools, including database encryption, detailed access logs, and access controls. Microsoft also manages data accessibility through configurable permissions and multi-factor authentication. For effective auditing, Azure allows administrators to review every instance of an authorized person accessing PHI.
Is Google Cloud HIPAA Compliant?
The Google Cloud Platform (GCP) is a suite of cloud-based services owned by Google. GCP provides services for storage, data analytics, computing, and the development of applications hosted in its cloud, and it has one of the most robust collections of online tools of any cloud platform. As with AWS and Azure, GCP pricing is pay-as-you-go with no upfront costs or subscription termination fees, so businesses enjoy costs that scale with their size and operations.
According to Paubox, GCP supports HIPAA compliance within the scope of a BAA. However, businesses remain responsible for using GCP services in a HIPAA-compliant way. Google has also published a guide to HIPAA compliance on GCP to assist customers.
How does Google Cloud Meet HIPAA requirements?
The BAA is the key component for meeting HIPAA compliance while using the Google Cloud Platform. Since Google enters into this agreement with healthcare organizations, it can be termed a HIPAA-compliant cloud services provider. However, a BAA only covers compliance for the general platform. HIPAA compliance for G Suite, an integrated suite of productivity apps from Google, is a separate matter. One reason is that G Suite email only offers full encryption for data at rest within G Suite. Furthermore, Google uses automated processing for Gmail, which violates HIPAA regulations.
All in all, organizations can use the Google Cloud Platform and remain HIPAA compliant. However, they need to enter into a BAA with Google, use third-party services to secure their email, and use a paid version of G Suite to remove ads, which can compromise data security.
This article has attempted to give you a good understanding of what HIPAA compliance entails. HIPAA is an essential regulation covering every organization or startup in the digital health field. By noting its provisions, you can fairly easily find out whether your organization is eligible and avoid violating its rules. This piece has also looked at how businesses that use popular cloud services can ensure HIPAA compliance. AWS, Azure, and Google Cloud all support HIPAA requirements, although no cloud service is truly HIPAA compliant on its own. Nonetheless, users can still operate these platforms in a HIPAA-compliant way with the proper configuration.