Knowledge Base: White Paper

Six Questions to Ask Cloud Hosting Providers About HIPAA Compliance

Like many industries, healthcare organizations are trying to reduce costs while improving their service quality. However, you face the added requirement of meeting these goals while complying with the strict requirements of HIPAA regulations and tighter-than-ever security controls to safely store patients’ Protected Health Information (PHI).

Choosing a HIPAA compliant provider that has already aligned their security policies and procedures to the requirements of the HITECH Act will help put your mind at ease.

If you are considering cloud hosting for some or all of your server infrastructure needs, here are 6 questions to ask as you assess potential service providers:

1. Are the provider’s cloud services HIPAA Compliant?

While this may seem very basic, it is possible for a provider to be compliant for only part of their services. For example, they may offer HIPAA compliant colocation, but their cloud hosting could remain unaudited. Ask them for evidence; they should be able to provide you with a detailed report from an independent agency.

2. Can you send in your own auditors to confirm that the provider meets your standards?

Not everyone requests or requires this, but providers should welcome your auditors to further assess compliance attestations or complete a full policy review. If they deny access, it should raise a red flag.

3. When was the HIPAA audit completed and by whom?

Although self-assessments can help a company have all their HIPAA ducks in a row, only a third-party auditor can truly attest that a company has met 100% of the current HIPAA requirements. They analyze the processes, controls, and policies to ensure that the provider and its services meet the standards of the HITECH Act, protecting the privacy of patient information.

4. Will they sign a Business Associate Agreement (BAA)?

This is a required contract between the HIPAA-covered entity and the HIPAA compliant business associate—in this case, the provider. Basically, a BAA protects PHI and requires the provider to spell out how they would report and respond to any possible breach in data privacy, either by the service provider or one of their subcontractors.

5. Will my data be available 100% of the time?

Having your data always available is vitally important to the healthcare industry. There isn’t just money to be lost—you have patient lives at stake. Your cloud provider should be able to provide you with an SLA or Service Level Agreement that details their availability guarantees and policies.

6. Are they also compliant with SSAE 16 Type II standards?

HIPAA does specify all the security requirements and controls that must be in place. However, an SSAE 16 Type II audit will complement these standards by requiring a more thorough review of all security controls in place, with a longer testing period. In addition, if you ever plan to manage software applications that will allow patients to pay bills online, check to ensure your provider can meet payment card information security standards (also known as PCI DSS).

If you have additional questions about this information or would like to request a copy of our HIPAA Audit or a Business Associate Agreement, feel free to contact us. We look forward to working with you!