Untangling the Mystery of HIPAA Clouds


Are they real?

Yes, HIPAA clouds are real. Sort of. Saying a cloud or service is HIPAA compliant is a slight misnomer. It would be a huge mouthful to always have to advertise using a long-winded phrase like, “Our capabilities are designed to support HIPAA compliant workloads, but in reality, everything depends upon how you actually use it and whether or not your business controls are satisfactory…we are happy to give you assurances about our processes…”

But before we start exploring that, let’s go over key HIPAA rules influencing cloud services.

What is HIPAA?

The 1996 Health Insurance Portability and Accountability Act (HIPAA) was enacted as public use of the internet grew and the World Wide Web was gaining popularity. At that time, most health records were maintained in paper form and regulations for the proper handling of personal information varied from state to state. Congress understood that automation and digitization would eventually revolutionize the health industry and wrote the regulations based on principles, not technology.

These principles define rules for transfer, sharing and protecting individually identifiable health information known as Private Health Information (PHI). Although HIPAA is comprised of numerous documents, the three primary documents amend and extend HIPAA in significant ways and directly influence cloud operations and architectures.1

The Privacy Rule (2002) established national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers. The Privacy Rule allows covered entities to share information with business associates based on written contracts or agreements that provide assurances that information will be safeguarded and not misused. Business Associates are persons or businesses external to the covered entity which perform services that “create, receive, maintain, or transmit” PHI on their behalf.2

The Security Rule (2003) established national standards for protecting the confidentiality, integrity and availability of electronic protected health information (ePHI). It defines appropriate administrative, physical and technical safeguards needed for compliance.3 For example, covered entities must conduct risk assessments on a regular basis to validate their privacy and security frameworks.

The Health Information Technology for Economic and Clinical Health Act (HITECH 2013) affected HIPAA Privacy, Security, Enforcement, and Breach Notification Rules by strengthening standard PHI and ePHI privacy and security protections, increasing protections for genetic information, adjusting regulations to clarify and harmonize requirements with other related legislation, and establishing penalties for compliance violations. It also states that business associates, and their downstream business associates, are directly liable for compliance.4

Compliance vs. certification

Compliance is the state or fact of according with or meeting rules or standards.”5 There are no guarantees that a covered entity that passed an audit on one occasion will automatically always remain in compliance. On the flipside, if a covered entity passes a HIPAA audit, it validates that their business controls and those of their business associates met the standard at the time they were reviewed.

Professional organizations fill the gap by providing industry recognized HIPAA certifications. Although no US government sanctioned certifications exist, they can play a role in demonstrating to the Health and Human Services Office of Civil Rights that regular assessments of business controls have occurred, the review was conducted impartially, and work is ongoing to improve operations. They provide assurance to covered entities that the cloud provider is committed to the principles outline in the HIPAA rules.

Cloud vendors and related business associates may invest in obtaining cyber security certifications, SOC 2 and ISO 27001. Neither of these certifications is 100% prescriptive nor are they required by HIPAA. However, they also provide reassurance that security practices are well managed.

HIPAA compliant clouds are possible

Clouds capable of handling HIPAA compliant workloads come in all shapes and sizes. At minimum, cloud hosting vendors claiming to be HIPAA compliant must provide a business associate agreement defining products and services that protect PHI and sensitive data. Further assurances, such as industry-recognized HIPAA compliance certificates and SOC2 and ISO20017 security, are desirable.

  1. HIPAA for Professionals | HHS.gov
  2. Business Associates | HHS.gov
  3. The Security Rule | HHS.gov
  4. 2013-01073.pdf (govinfo.gov) Health Information Technology for Economic and Clinical Health Act (HITECH); Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulation
  5. COMPLIANCE English Definition and Meaning | Lexico.com
  6. What is SOC 2 Compliance? A Guide For Your First Audit | strongDM July 2021
  7. ISO – ISO/IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements Abstract October 2013