Are SaaS Applications and Cloud Servers HIPAA Compliant?

As a provider of patient portal, SaaS (software as a service) applications, and hosting solutions to the healthcare industry, we get asked this question a lot. Before we can answer this question correctly, we must first understand how HIPAA relates to software and hosting, and what is involved in HIPAA compliant IT.

The Health Insurance Portability and Accountability Act was enacted in 1996 to address the growing use of technology in healthcare, specifically the transaction of health information between providers, employers and health insurance plans. You don’t need to read the entire 349-page document to understand a few important principles of HIPAA. Here are some of these considerations and relevant certifications.

  1. HIPAA makes almost zero reference to technical specifications required for hardware or software security. And even if it did, they would be completely out of date – the law having been passed in 1996 – and surely would not contain much relevant information pertaining to new technologies like SaaS software and cloud hosting. Therefore, it’s important not to read into false claims made by companies about the use of certain brands of firewalls, servers, operating systems or server architectures.
  2. You cannot be “HIPAA certified.” HIPAA is a set of rules and best practices. There is no government certifying body that certifies software, hosting companies or health organizations on HIPAA.
  3. You can be audited by a variety of governing bodies for HIPAA compliance. Other certifications do exist that may include some of the rules or best practices found in the HIPAA guidelines. Some of these certifications include:
  • SSAE16 – An auditing standard created primarily for the financial services industry verifying hosting companies’ physical and software security standards. Hosting companies that are audited receive reports demonstrating compliance for SOC 1, SOC 2 or SOC 3.
  • ONC-ACB – An Office of the National Coordinator certification for healthcare software companies to certify their software on a variety of security and functional items.

Keeping the above in mind, the answer, when it comes to considering cloud servers and SaaS applications HIPAA compliant, is that the software itself is only part of the big picture. Even if there were a HIPAA certification for SaaS software, it would not guarantee HIPAA compliance – there could still be faults in the hosting, the computer being used, user authentication, or the user using the software in a public place.

There is no specific provision in the HIPAA guidelines that opposes the architecture of a cloud server, VPS server or SaaS application (even though by nature these are “shared” architectures). One must, however, consider the HIPAA guidelines that do exist that pertain to encryption, user authentication and other best practices.

Editor’s Note: This post was originally published in March 2013, and has been updated with links to current resources and additional information about HIPAA compliance auditing.

Comments

So are all the certificate logos that we see on some healthcare provider websites just a lot of window dressing? As a service provider to healthcare is it worth it to get some 3rd party certification? Which are best?

David James

You do not require a certification but they are all 3rd party. They do help you through the process of ensuring you are following HIPAA safeguards required when you are storing or transmitting ePHI for a healthcare provider.

I am not advocating certifications but if you are not familiar with the final rule they can provide insight. I would suggest you read the final rule yourself which would give you an idea of what you will need to address.

David James

While HIPAA does not specify hardware specifications, there are specific General, Administrative, Technical and Physical Safeguards that are either required or addressable when your software stores or transmits electronic personal health information. Your article does not address vendors’ responsibility to meet these. With the Omnibus final rule, companies that store or transmit electronic personal health information are required to sign a revised Business Associates Agreement that brings them under the same civil and monetary penalties as the healthcare organizations that use the software.

Your article is off base.

[…] article was originally published on the Medical Web […]

[…] providers and software vendors claim to provide HIPAA-certified solutions, the truth is that there is no such thing as a HIPAA certification – not for hosting companies, providers or any type of […]
