Are SaaS Applications and Cloud Servers HIPAA Compliant?

As a provider of patient portal, SaaS (software as a service) applications, and hosting solutions to the healthcare industry, we get asked this question a lot. Before we can answer it question correctly, we must first understand how HIPAA relates to software and hosting, and what is involved in HIPAA compliant IT.

The Health Insurance Portability and Accountability Act was enacted in 1996 to address the growing use of technology in healthcare, specifically the transaction of health information between providers, employers and health insurance plans. You don’t need to read the entire 349-page document to understand a few important principles of HIPAA. Here are some of these considerations and relevant certifications.

  1. HIPAA makes almost zero reference to technical specifications required for hardware or software security. And even if it did, they would be completely out of date – the law having been passed in 1996 – and surely would not contain much relevant information pertaining to new technologies like SaaS software and cloud hosting. Therefore, it’s important not to read into false claims made by companies about the use of certain brands of firewalls, servers, operating systems or server architectures.
  2. You cannot be “HIPAA certified.”  HIPAA is a set of rules and best practices. There is no certifying body for the government that certifies software, hosting companies or health organizations on HIPAA.
  3. You can be audited by a variety of governing bodies for HIPAA compliance. Other certifications do exist that may include some of the rules or best practices found in the HIPAA guidelines. Some of these certifications include:
  • SSAE16 – An auditing standard created primarily for the financial services industry verifying hosting company’s’ physical and software security standards. Hosting companies that are audited receive reports demonstrating compliance for SOC 1, SOC 2 or SOC 3.
  • ONC-ACB – An Office of the National Coordinator certification for healthcare software companies to certify their software on a variety of security and functional items.

Keeping the above in mind, the answer, when it comes to considering cloud servers and SaaS applications HIPAA compliant, is that the software itself is only part of the big picture. If there was a HIPAA certification for SaaS software, it would not guarantee HIPAA compliance – there could still be faults in the hosting, the computer being used, user authentication, or the user using the software in a public place.

There is no specific provision in the HIPAA guidelines that opposes the architecture of a cloud server, VPS server or SaaS application (even though by nature these are “shared” architectures). One must, however, consider the HIPAA guidelines that do exist that pertain to encryption, user authentication and other best practices.

Editor’s Note: This post was originally published in March 2013, and has been updated with links to current resources and additional information about HIPAA compliance auditing.

John Deutsch is the founder and Chief Compliance Officer at Medical Web Experts. He is a seasoned executive with 18 years of healthcare IT business ownership experience specializing in HIPAA compliance, patient engagement, marketing, and software/web development. John was the product owner for the implementation of a mobile app, which was awarded the eHealthcare Leadership Award for Best Patient Access & Convenience in a Medical Practice/Outpatient Facility. He has also appeared in podcasts like Outcomes Rocket and the Hospital Finance Podcast in addition to publications like Digital Health Buzz and Health Innovation Matters. John is also the founder and CEO of Bridge Patient Portal and Universe mHealth.

Questions? Let our experts help!

Complete the form below or Call 866-932-9944 Monday through Friday from 9am to 5pm EST.

  • Connect With Us

  • Contact Us

  • Newsletter

    Get promotions and current business tips. Sign up for our newsletter today.