Are SaaS Applications and Cloud Servers HIPAA Compliant?

John Deutsch

John Deutsch

Posted on August 02, 2017

As a provider of patient portal, SaaS (software as a service) applications, and hosting solutions to the healthcare industry, we get asked this question a lot. Before we can answer it question correctly, we must first understand how HIPAA relates to software and hosting, and what is involved in HIPAA compliant IT.
The Health Insurance Portability and Accountability Act was enacted in 1996 to address the growing use of technology in healthcare, specifically the transaction of health information between providers, employers and health insurance plans. You don’t need to read the entire 349-page document to understand a few important principles of HIPAA. Here are some of these considerations and relevant certifications.

  1. HIPAA makes almost zero reference to technical specifications required for hardware or software security. And even if it did, they would be completely out of date – the law having been passed in 1996 – and surely would not contain much relevant information pertaining to new technologies like SaaS software and cloud hosting. Therefore, it’s important not to read into false claims made by companies about the use of certain brands of firewalls, servers, operating systems or server architectures.
  2. You cannot be “HIPAA certified.”  HIPAA is a set of rules and best practices. There is no certifying body for the government that certifies software, hosting companies or health organizations on HIPAA.
  3. You can be audited by a variety of governing bodies for HIPAA compliance. Other certifications do exist that may include some of the rules or best practices found in the HIPAA guidelines. Some of these certifications include:
  • SSAE16 – An auditing standard created primarily for the financial services industry verifying hosting company’s’ physical and software security standards. Hosting companies that are audited receive reports demonstrating compliance for SOC 1, SOC 2 or SOC 3.
  • ONC-ACB – An Office of the National Coordinator certification for healthcare software companies to certify their software on a variety of security and functional items.

[related_content] Keeping the above in mind, the answer, when it comes to considering cloud servers and SaaS applications HIPAA compliant, is that the software itself is only part of the big picture. If there was a HIPAA certification for SaaS software, it would not guarantee HIPAA compliance – there could still be faults in the hosting, the computer being used, user authentication, or the user using the software in a public place.
There is no specific provision in the HIPAA guidelines that opposes the architecture of a cloud server, VPS server or SaaS application (even though by nature these are “shared” architectures). One must, however, consider the HIPAA guidelines that do exist that pertain to encryption, user authentication and other best practices.
Editor’s Note: This post was originally published in March 2013, and has been updated with links to current resources and additional information about HIPAA compliance auditing.


John Deutsch

John Deutsch

Founder and CCO of MWE, and business owner of 19 years with extensive experience in Healthcare IT. John is a Judge for the 2020 eHealthcare Leadership Awards and has appeared on multiple podcasts, including the Outcomes Rocket Podcast and the Hospital Finance Podcast.

Related Posts

Posted on April 05, 2023 by John Deutsch

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to protect patients’ privacy by limiting access to and governing acceptable use of their health data. When building a healthcare…Read more


Graphic of a large laptop with a shield and padlock in front of it. Smaller images of people on the left and right side of the labtop interact with various mobile devices.

Posted on February 16, 2022 by Pablo Bullian

Welcome back to the Medical Web Experts Security Bulletin. Below are some recent developments that may impact your organization, as well as our recommendations for keeping your systems secure. Mitigating…Read more


Newsletter
Subscribe to Our Newsletter

Get promotions and current business tips. Sign up for our newsletter today.