HIPAA Compliant Cloud Hosting: Baseline and Best Practices

Choosing a datacenter designed specifically for HIPAA compliant hosting is the quick path to compliance for your IT system. There are plenty of cloud providers out there that claim HIPAA compliance, but what they’re actually selling is business as usual IT with some HIPAA keywords in their marketing materials.

This is a guest post written by Rebecca Santorios, VP of Governance, Risk and Compliance at ByteGrid.

True compliance means doing things differently. How can you know you’re choosing a truly HIPAA compliant provider? There are a few quick checks that can help you weed out non-compliant CSPs pretty quickly.

HIPAA Compliant Cloud Hosting Must-haves:

  • • Willingness to sign meaningful BAA that addresses cloud provider responsibilities for HIPAA Security Rules, including breach notification procedures, incident notification requirements, and practices for securing PHI
  • Physical Security, minimally multi-tiered physical security systems, access controls, 24/7/365 on site physical security staff, continuously monitored camera systems
  • Access auditing for site and for critical areas
  • Encryption for data at rest and in transit
  • Change control procedures
  • Decommissioning procedures
  • Procedures for tracking movement/transfer of equipment
  • Security policy and security procedures
  • Access authorization and auditing – fully documented
  • Training for cloud provider staff
  • Risk assessments
  • Breach notification policies and procedures with clear responsibilities
  • Documented, up-to-date training records

HIPAA Compliant Cloud Hosting Best Practices

The list above will definitely narrow down your choices. Now look for some of the best practices that set industry-leading HIPAA compliant cloud services above the rest:

  • Mature Quality System
  • Audit support
  • Documented evidence that policies and procedures are implemented and are functioning as required
  • PHI Awareness throughout organization
  • HIPAA qualification package
  • Complete, compliant risk management program
  • Security by design
  • Full time compliance staff
  • Documented internal audit program
  • Periodic and annual assessments

It’s impossible to reduce all of the requirements for HIPAA compliant hosting into a short checklist, but these are enough to get you started.