Are SaaS Software Applications and Cloud Servers HIPAA Compliant?
As a provider of patient portal, SaaS software and hosting solutions to the medical industry, we get asked this question a lot. Unfortunately, there’s very little information available on the internet that addresses this specific issue – and what does exist is generally false or a part of a sales pitch by a company trying to market “HIPAA-certified hosting solutions” or other HIPAA-compliant health IT solutions.
Before we can answer this question correctly, we must first understand what HIPAA is and how it relates to software, hosting and other healthcare IT solutions.
The Health Insurance Portability and Accountability Act was enacted in 1996 to address the growing use of technology in healthcare, specifically the transaction of health information between providers, employers and health insurance plans. You don’t need to read the entire 349-page document to understand a few important principals of HIPAA.
Here are a few things you should know about HIPAA.
1. HIPAA makes almost zero reference to technical specifications required for hardware, software, security, etc. Even if it did, it would be completely out of date since its publishing in 1996, and surely would not contain much relevant information pertaining to new technologies like SaaS software and cloud hosting. Therefore, it’s important not to read into false claims made by companies about the use of certain brands of firewalls, servers, operating systems or server architectures.
2. You cannot be “HIPAA certified.” HIPAA is a set of rules and best practices. There is no certifying body for the government that certifies software, hosting companies or health organizations on HIPAA.
3. You can be audited by a variety of governing bodies for HIPAA compliance. Other certifications do exist that may include some of the rules or best practices found in the HIPAA guidelines. Some of these certifications include:
a) SSAE16 – An auditing standard created primarily for the financial services industry verifying hosting companies’ physical and software security standards. Hosting companies that are audited receive reports demonstrating compliance for SOC 1, SOC 2 or SOC 3.
b) ONC-ATC – A certification for healthcare software companies to certify their software on a variety of security and functional items.
In consideration of the above items, the answer when it comes to considering cloud servers and SaaS applications HIPAA-compliant is that one must consider the use of these technologies as only a part of the big picture on how this is used. If there was a HIPAA certification for SaaS software, it would not guarantee HIPAA compliance as there could be faults in the hosting, the computer being used or the user using the software in a public place un-shielded by the public’s eye.
There is no specific provision in the HIPAA guidelines that opposes the architecture of a cloud server, VPS server or SaaS application (even though by nature these are “shared” architectures). One must, however, consider the HIPAA guidelines that do exist that pertain to encryption, user authentication and other “best practices.”
This article was originally published on the Medical Web Experts blog.