Two Things a Cloud Needs for HIPAA Compliance and Healthcare


April 22

This article also appears on Talkin’ Cloud.

Every time you hear about a cloud system failure or data breach, it starts to seem like the cloud isn’t the safe haven it’s made out to be. Its propensity for breach makes using it for hyper-critical data seem like a less-than-stellar idea. But as you know by now, not all clouds (or, for our purposes, data centers) are created equal. Some are purpose-built to handle sensitive information. You may assume the cloud isn’t a good fit for sensitive data, but that’s far from true. Keeping data safe isn’t really a matter of avoiding the cloud; it’s a matter of finding the cloud that makes sense for the purpose at hand.

If you’re reading this, you probably know something about the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. For those not familiar, HIPAA is essentially a set of rules that regulate the creation, transmission, and access to electronic protected health information (ePHI). Basically, it keeps patient health information safe. Covered Entities (healthcare providers) need to think about a few specific requirements when it comes to HIPAA compliance, and the cloud is a very quick way to address a number of them. As an IT provider, it’s useful to understand a few of these essentials if you hope to one day serve clients in the healthcare industry.

Security and access

We know that it’s relatively easy these days to create data copies and move them to a cloud service, but what about security? What types of safeguards are in place to keep data secure offsite? Covered entities need to limit physical access to information systems and the facilities in which they are housed (CFR 164.310), and they must also ensure that data is encrypted at rest and in motion (CFR 164.312). Not all clouds offer this functionality, but it’s essential if you’re hoping to store ePHI. Be sure to find a provider that allows data to be encrypted onsite, in transit, and while it’s being stored at another facility. Physical access matters just as much: any data center you use to store ePHI should have physical as well as digital safeguards that prevent unwanted access.

Backup and Recovery

CFR 164.308 states that Covered Entities need a backup and disaster recovery plan. The cloud has an obvious benefit for data protection because backup copies live offsite and are recoverable should something go wrong with onsite backups. Plus, some clouds are designed for quick recovery, which is a necessity for HIPAA. Not only should Covered Entities be prepared to keep data backups, they also need to be able to operate in emergency mode. A cloud designed with that specific function in mind is very compelling for healthcare providers, or for IT providers giving healthcare clients a hand.

Remember, the cloud is a good way to deal with certain aspects of HIPAA, but not all of them. HIPAA seems like a mess to some, but at its barest nature it’s just a set of solid security standards—nothing more. If you’re a VAR or MSP hoping to learn more about HIPAA or to start providing services to clients in the healthcare industry, our latest ebook, “How to be a HIPAA Hero,” is a great place to get started.

Photo credit: Frankileon via Flickr