{"id":2382,"date":"2013-04-09T00:00:00","date_gmt":"2013-04-09T00:00:00","guid":{"rendered":"http:\/\/otava.test\/precautions-with-the-hipaa-cloud-for-healthcare-software-as-a-service-saas-companies\/"},"modified":"2013-04-09T00:00:00","modified_gmt":"2013-04-09T00:00:00","slug":"precautions-with-the-hipaa-cloud-for-healthcare-software-as-a-service-saas-companies","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/precautions-with-the-hipaa-cloud-for-healthcare-software-as-a-service-saas-companies\/","title":{"rendered":"Precautions with the HIPAA Cloud for Healthcare Software as a Service (SaaS) Companies"},"content":{"rendered":"

A recent Google search brought me to a health IT blog, Life as a Healthcare CIO<\/em>, and the post entitled The Reality of SaaS.<\/em> The author discusses whether or not SaaS\/cloud computing<\/a> is appropriate for EHR (electronic health record) hosting – he reinforces the fact that \u201ccurrent regulatory and compliance mandates require that you find a cloud hosting firm which will indemnify you against privacy breaches caused by security issues in the SaaS hosting facility.\u201d<\/p>\n

While especially true now, he also groups the IaaS (Infrastructure as a Service) in with the SaaS, mentioning a quote from the CIO of the Beth Israel Deaconess Care Organization:<\/p>\n

\u201cWe built, manage & maintain our own private cloud<\/a> in a colocation<\/a> facility…many cloud hosted applications are sensitive to latency, packet loss, fragmentation & jitter.\u201d<\/em><\/p>\n

While the article goes on to describe their issues with ISPs and network connections, the fact remains that many mid-sized healthcare SaaS organizations still struggle with both meeting regulatory requirements and fully maintaining their own IT infrastructure that must support mission critical applications – oftentimes ones that are also critical to patient health and life.<\/p>\n

\"HIPAA
HIPAA Cloud<\/figcaption><\/figure>\n

Some cloud service providers can offer a fully HIPAA compliant cloud<\/a> that is both audited and managed by professionals to relieve the pressure off of healthcare SaaS companies. However, a diligent assessment of the service and provider is required, particularly with the final rule dictating that business associates (cloud providers) are subject to fines if they don\u2019t meet compliance requirements for securing protected health information (PHI).<\/p>\n

An anonymous healthcare security professional commenter remarked on the need for covered entities to do a proper assessment, and not merely take the sales rep\u2019s word when it comes to assessing a cloud provider. He\/she brings up a few good points to evaluate:<\/p>\n