
HIPAA Compliant Cloud Hosting: What does it mean?

Anna S.
31 Dec 2021

The adoption of telemedicine has increased enormously in the last few years. Until 2019, it was mainly a way to deliver medical services to people in remote areas and to obtain consultations from specialists who were not available locally. The COVID-19 pandemic changed the ways of the world dramatically, and healthcare was one of the most affected industries. Today, telemedicine is becoming the new normal, as it allows people to get medical advice while maintaining isolation or social distancing.

The market situation confirms this trend, too. The global telemedicine market was worth about $50 billion in 2019 and is forecast to reach almost $280 billion by 2025. The use of telehealth services has increased 38-fold compared to the period before the COVID-19 pandemic.

The conclusion we can draw from these facts is that providers are ready and willing to offer an increasing volume of telemedicine services, and that patients are ready and willing to consume them. This leaves telehealth providers with the challenge of setting up a service infrastructure that is efficient, scalable, secure, maintainable, and affordable all at the same time.

Cloud hosting is where all these conditions can be met. Cloud-hosted environments provide high availability and performance. They can be scaled up or down as necessary, and their maintenance is left to the service provider, who is also responsible for the security of the underlying infrastructure. Last but not least, cloud hosting offers competitive pricing, making it an affordable option.

However, for healthcare businesses there is one more thing to take care of: HIPAA compliance. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, any entity that creates, receives, maintains or transmits Protected Health Information (PHI) on behalf of a covered entity must comply with its rules, and that includes cloud service providers that store or process PHI, even if the data is encrypted and the provider never reads it.

The good news is that nowadays cloud services recognize these requirements and take measures to meet HIPAA security standards and provide secure service to healthcare providers and their customers.

What is a HIPAA-compliant cloud service?

There are many cloud services on the market, and many of them advertise HIPAA compliance. Still, here is a short checklist that we recommend you use when choosing the cloud vendor for your healthcare application.

Business Associate Agreement

HIPAA requires that the cloud service provider sign a Business Associate Agreement (BAA) with the healthcare organization, which is referred to as the covered entity. The BAA establishes a number of responsibilities for the cloud service, such as the permitted uses and disclosures of PHI, the implementation of appropriate safeguards as prescribed by the HIPAA Security Rule, and the reporting of any breach of unsecured PHI to the covered entity. Without a signed BAA, the provider cannot lawfully handle your PHI, no matter how strong its technical controls are.

Usually, in addition to the BAA, the healthcare organization and the cloud provider enter into a Service Level Agreement (SLA), which is intended to address operational issues that fall within the scope of HIPAA:

  • System availability.
  • Security duty and responsibilities.
  • Backup, redundancy, and data recovery.
  • Information disclosure rules.
  • Data disposal after service termination.

Whenever a healthcare provider and a cloud service vendor enter into an SLA, they must make sure its conditions are consistent with HIPAA rules and do not prevent either party from following them (for example, a data-disposal clause that conflicts with the BAA's return-or-destroy obligation).

Security measures

Any cloud service provider that claims HIPAA compliance has to implement a number of security measures and technical safeguards to shield Protected Health Information as required by the HIPAA Security Rule:

  • Firewalls and antivirus tools preventing outside attacks
  • Encryption of data in transit, for example TLS for application traffic and an encrypted VPN for administrative access to the cloud infrastructure
  • Data encryption at rest
  • Authentication and authorization management ensuring proper user access monitoring and control, such as multi-factor authentication
  • Comprehensive and detailed system logs and audit trails
  • Sufficient capacities for data backup and recovery
  • High system availability achieved with redundant resources
  • Physical safeguards ensuring protection and security of data centers

At the same time, the security controls and physical and administrative safeguards implemented by the cloud host do not remove the need for equally strong measures on the healthcare provider's side. Responsibility is shared: the provider secures the infrastructure, while the customer remains responsible for access control, key management, application security and the configuration of the services it uses.

HIPAA compliance even for data transmission

Even if you use the cloud only to relay messages and do not intend to keep sensitive data in it, the cloud provider still needs to be HIPAA compliant. HIPAA does recognize a narrow "conduit exception" for entities that merely transmit PHI and have only transient, incidental access to it, such as an internet service provider or a courier. A cloud service does not fit that exception: it stores the data it handles, at least temporarily, and therefore has broader access to PHI even when its role is primarily transmission. Encryption does not change this; a provider that holds encrypted PHI without the decryption key is still a business associate.

In such cases, the cloud service provider is a business associate within the scope of HIPAA and must comply with its regulations as such. Our recommendation to healthcare providers is therefore to verify HIPAA compliance even if you are choosing a cloud to transmit data only.

HIPAA compliance of third-party services

Cloud providers offer multiple additional services that enable their clients to build various applications. If you are looking for a HIPAA-compliant cloud, verifying the cloud provider's overall compliance is not enough. Any additional service that will touch PHI, whether it is operated by the provider itself or by a third party, is a business associate (or a subcontractor of one) within the HIPAA scope, so you need to make sure it is covered by a BAA and compliant, too.

Most cloud service providers publish a list of the services that are in scope of their BAA on their official resources. This way, you can always look up the most recent status of the service you are considering and confirm that it will not jeopardize the HIPAA compliance of your entire healthcare business. A service that is not on that list should be treated as out of scope for PHI, even if it is otherwise secure.

HIPAA compliance is a joint effort

Finding a suitable cloud service provider and verifying that all the services you use are HIPAA compliant does not mean that you can tick HIPAA compliance off your checklist. You can be confident that all components of your application are secure and compliant only when both your software solution and the cloud infrastructure have implemented the necessary measures: a compliant platform does not protect PHI that your own application exposes through weak authentication, missing audit logging or a misconfigured storage bucket.

And there is no such thing as HIPAA certification. Cloud service providers do obtain independent certifications and attestations, such as ISO 27017 or a SOC 2 report, but no authority certifies that a particular cloud service provider is HIPAA compliant. You have to check the HIPAA requirements for cloud services before entering into an agreement and ensure strong security controls on your end.

Which cloud service providers are HIPAA compliant?

The leading cloud service vendors have made significant efforts to support HIPAA compliance. Google Cloud Platform, AWS and Microsoft Azure, for example, will sign a BAA and publish lists of the services covered by it, which means you can run a healthcare application on their resources. Signing the BAA alone, however, does not make your deployment compliant: check that each particular service you are going to use is covered, and configure it according to the provider's guidance.

For particularly sensitive implementations, you can launch a healthcare service in a private cloud. It may be costlier than using a public cloud provider, because you will need to maintain your own hardware and software, but you control, and are fully responsible for, the security measures you take to achieve HIPAA compliance.

How QuickBlox can Help

To make sure that your healthcare app is secure and capable of safeguarding the Protected Health Information of your patients, you can use well-tested components that integrate seamlessly into a complete system of doctor-patient communication. Check out QuickBlox healthcare solutions, which were designed with HIPAA compliance in mind. In developing its communication APIs and SDKs, QuickBlox took special care to provide security mechanisms sufficient to satisfy the compliance requirements for services that manage Protected Health Information. QuickBlox offers several HIPAA-compliant hosting options: we can run in public or private clouds, in a hybrid structure of your choice, or in QuickBlox's dedicated cloud.

Contact us for more information.

  1. Kensington Mathis says:

    I just wanted to take a moment to say how much I appreciate your blog posts. They're always well-written and informative. Keep up the great work!
