Compliance Journal


Transporting HIPAA Best Practices to the Cloud

How does cloud enable HIPAA best practices to be effectively implemented?

Those responsible for HIPAA best practices, compliance management and security who are now asked to rethink the role of cloud computing have a daunting task on their hands.  There are many decisions to be made, and not much settled guidance or established best practice to draw on.

However, as more cloud providers hit the market, many are offering "HIPAA-compliant" cloud services.  At least, that's what they are selling.  There is no government certification for HIPAA compliance, so the claim rests entirely on the controls the provider actually operates and on the contractual obligations it is willing to take on.  The trick is to arm yourself with enough information to make sure you make the right choices, and move in the right directions.

The most important best practice is to understand the existing requirements (the HIPAA Privacy and Security Rules, and the administrative, physical and technical safeguards the Security Rule calls for), and then understand how the emerging uses of cloud computing can provide compliant and secure HIPAA solutions.  The good news is that this is not the first time we've dealt with HIPAA data outside of our own data centers; we've been working with managed services, hosting, and co-location providers for years.

Now, with the rise of cloud computing, it's just a matter of taking those lessons learned and transporting them to cloud-based platforms.  We're not reinventing the problem or the solution, just transferring the best practices and lessons learned.

In many cases, leveraging cloud computing will improve upon the best practices and technology that exist today.  However, you need to be aware of the legal compliance issues, as well as how those obligations translate into concrete technical controls.

Another core best practice for anyone attempting to manage HIPAA data in the cloud is to understand that the cloud provider is an active participant.  A provider that stores or processes protected health information (PHI) on your behalf is a business associate under HIPAA and must sign a business associate agreement (BAA); a provider that will not sign one is not an option, whatever its marketing says.  The selected cloud provider must also adhere to the security requirements, just as we required of other remote HIPAA solutions.  This means that the provider's staff who have access to the data center, and to your data, must undergo screening.  There are physical access requirements to consider as well.

So, the trick to managing HIPAA data in the cloud, or on any other platform, is to understand the regulations, and be able to translate those regulations into processes and best practices that allow you to maintain compliance.  Therefore, you need a cloud provider that understands HIPAA.  The provider should act as a trusted custodian of your data (you remain its owner and the accountable party), and meet all of the security requirements, including encryption of PHI at rest and in transit, integrity controls, transmission security, access control and audit logging, monitoring, management, and physical security.

Any gaps will come to light when you or the cloud provider are audited, so these requirements must be verified, not just asserted by the vendor, before moving your data into any cloud provider that claims to be HIPAA-compliant.  Keep in mind that, as the covered entity, you remain accountable for breaches of your data and for the fines that follow, whatever the provider's contract says.

Thoughts? Let us know on Twitter @CloudGathering.

By David Linthicum

Cloud computing news, information, and insights. Powered by Logicworks.