HIPAA Compliant Hosting is a hot topic nowadays with the Omnibus deadline fast approaching. We wanted to step back and take a look at the key differences between two different HIPAA solutions: the [cheaper] HIPAA Cloud Storage and HIPAA Compliant Hosting. As you will see, they are quite different and serve different needs.
HIPAA Cloud Storage is just a container in the cloud that holds your storage. You can access it from anywhere in the world; it doesn’t sit at your location, it sits in a data center of your hosting provider. It’s essentially a file cabinet: you can open it anytime you want and pull down a file. You can have your own servers sitting in your office or data center back up to Connectria’s HIPAA Cloud Storage. This includes live files, archived files, something from a clearing house…anything you want, although it is not recommended for your database.
It is imperative, however, that you use good practices when shipping your PHI to your HIPAA Cloud Storage provider. As the HIPAA Standards state, you must encrypt your data both in transit and at rest. This means that any product you use to transfer your data must support HTTPS connections from your site to the Cloud Storage, and it must support storing the data in an encrypted state on the cloud storage disk.
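The two controls this paragraph (and the checklist further down) call for, in transit and at rest, can be enforced on your side before a file ever leaves your site. The script below is an added example, not Connectria's code: it refuses any endpoint that is not HTTPS, encrypts the file locally so the provider's disk only ever holds ciphertext, and uploads over TLS only. It assumes `openssl` and `curl` are installed; the storage URL and passphrase file are placeholders you would replace.

```shell
#!/bin/sh
# Added example (not from the original post or from Connectria).
# Controls enforced before PHI is shipped to cloud storage:
#   1. in transit: only an https:// endpoint is accepted, and curl is told
#      never to downgrade to plain http on a redirect;
#   2. at rest: the file is encrypted locally with AES-256-CBC (PBKDF2 key
#      derivation from a passphrase file), so the provider stores ciphertext.
# Assumes openssl and curl are installed. URL and passphrase file are placeholders.

# Return 0 only for an https:// endpoint; refuse http:// or anything else.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS endpoint: $1" >&2; return 1 ;;
    esac
}

# Encrypt $1 into $2 using the passphrase stored in file $3.
encrypt_for_storage() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 into $2 (receiving side, or a local round-trip check).
decrypt_from_storage() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# Ship a file: verify scheme, encrypt locally, upload ciphertext only over TLS.
ship_phi() {
    url="$1"; src="$2"; passfile="$3"
    require_https "$url" || return 1
    encrypt_for_storage "$src" "$src.enc" "$passfile" || return 1
    # --proto '=https' makes curl fail rather than follow a redirect to http.
    curl --fail --proto '=https' --upload-file "$src.enc" \
        "$url/$(basename "$src").enc"
}

# Example invocation (placeholder URL and passphrase file):
# ship_phi "https://storage.example.invalid/phi-bucket" ./record.txt ./passphrase
```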
HIPAA Compliant Hosting is a server-based solution. This is required when you don’t want to have any of the hardware or data locally. Your web server, application server and database server are all located in the data center(s) of a HIPAA Compliant Hosting provider like Connectria. Your data is accessed through the cloud from anywhere you have an internet connection. For example: if you have an application server that manages your Patient Health Records, and those records are stored in a file system or database that is accessed by client machines in your office, then you require this setup. This is more of a complete solution stack that goes far beyond simply accessing files. A HIPAA Compliant Hosting solution would include a firewall, a web or application server and a database server as a minimum. Your environment may also require a file server, a communication appliance, or another device that helps process the workflow that allows you to manage the secure use and storage of the patient data.
Are All HIPAA Compliant Storage Providers Really HIPAA Compliant?
While we are on the subject, there are many companies out there providing cloud storage, such as Dropbox or Google Drive. But are they HIPAA Compliant? The cold hard answer is NO. When it comes to cloud storage, you have to have a BAA with your hosting provider. There must be an understanding between the vendor and the customer to determine liability. An automatic online signup process just doesn’t cut it (more info on how you should structure your BAA). The data must also be encrypted in transit and at rest. Look for these basic components as you are considering different HIPAA Cloud Storage providers.
If you have any questions on this post please post a comment below or send me a note at firstname.lastname@example.org.