Business / Policy & Law / Technology

Evaluating and Choosing Healthcare Cloud Service Providers

Shahid Shah
Last updated: February 2, 2024 11:53 am

As healthcare moves from on-premise to cloud services, the evaluation and selection of “HIPAA compliant” cloud service providers becomes an important task. I don’t like the description “HIPAA compliant” because it’s imprecise and not meaningful: HIPAA defines obligations and safeguards, not a certification a vendor can hold. However, it’s something that many non-technical people look for when evaluating providers, so I’m using it here. My friend Alex Ginzburg, VP of Technology at Intervention Insights, and I have done this kind of healthcare cloud service provider evaluation and selection many times, so it was natural for me to reach out and ask him to provide some guidance for the community. I asked Alex to give us insight into his process for choosing vendors. Here’s what Alex said:

Many Digital Health startups are facing the challenge of striking the right balance between achieving the required regulatory compliance with healthcare data privacy and security laws (HIPAA, State) and running a lean environment. We all know that cloud technology enables healthcare organizations to focus their efforts on relevant services and improved patient outcomes, significantly reduces the burden of infrastructure management, simplifies technology adoption and drives operational costs down. Commercial elastic clouds, such as Amazon EC2, are among the options most commonly used by companies seeking to provide a high level of security and optimize operational costs.

Lack of compliance with HIPAA and other applicable security regulations can be a real showstopper for a Digital Health organization. The dynamics of an early-stage company often result in a decision to either defer or even forgo the security- and privacy-specific legal reviews of the business and operating plans, which may translate into costly remediation efforts. An important contributing factor to that is the lack of legal and implementation consultancy available directly from government offices. As of today, there is no official government-sponsored certification program for HIPAA consultants or organizations. Several private companies offer their own proprietary HIPAA assessment and certification programs, but the services may be costly for early-stage startups. For a Digital Health business there is no clearly defined pathway to achieving compulsory compliance status with HIPAA and other certification authorities (which is why “HIPAA Compliance” is a difficult concept to grasp). Digital Health vendors who choose to deploy their solutions in the commercial cloud often have little or no control over where or how this data is moved, handled, or stored by the Cloud Service Provider (CSP). The vendor must require the CSP to sign a Business Associate Agreement (BAA), hence contractually agreeing to maintain all PHI as stipulated by HIPAA and other applicable standards.

Considerations before moving into Digital Healthcare:

  • Does the nature of the business require the company to acquire, store and/or exchange identifiable patient information? Can the added complexity be avoided? In some cases the use of de-identified health data may be sufficient to provide the added value to the service consumers.
  • Does the team have a full awareness of the scope of the company’s compliance standards: all applicable Federal, State, and international (if applicable) patient data privacy and security laws, legislation and regulations? It is important to note that some State laws may strengthen the federal requirements. For example, the State of Texas (H.B. 300), among other amendments, changes the definition of a HIPAA Covered Entity.
  • It is important to remember that there are additional requirements for the providers of EMRs and other software solutions used by the U.S. Federal Government, for example the U.S. Department of Veterans Affairs (VA) or the Department of Defense. Digital Healthcare companies working with government entities should additionally adhere to standards developed by the National Institute of Standards and Technology (NIST).
  • Does the company plan to use offshore resources and what are the potential implications of that in the context of privacy and security?
  • Will a private or a commercial cloud service provider (CSP) be more suitable and cost-efficient for SaaS/PaaS hosting and internal operations?

Cloud Service Provider Evaluation Criteria:

A typical software vendor startup needs a hosting platform for its SaaS offering that can be easily scaled up or down depending on operational needs.

Today a number of companies provide virtual hosting environments with different service level agreements (SLAs). Among the leading vendors offering commercial clouds are RackSpace, Amazon, and Microsoft Azure. A company needs to establish a Business Associate Agreement (BAA) with the Cloud Service Provider to fully understand the CSP’s liabilities and risks, and to be able to absorb those risks in the event of HIPAA non-compliance.

A Digital Healthcare company should screen potential cloud partners for their physical, procedural, operational and technical readiness to house PHI (Protected Health Information) and to ensure the safety of transactions containing PHI data. A well-established commercial hosting facility holds a variety of industry certifications: ISO 27001, PCI DSS Level 1, SSAE 16 and others. When it comes to claiming HIPAA compliance, cloud vendors may use terminology such as “HIPAA enablement”, which best represents their security-related technical capabilities, while refraining from claiming legal compliance. For example, among other features, Digital Ocean (www.digitalocean.com), a popular provider of hosted services, may indicate the availability of data encryption and VPC (virtual private cloud) setup, but does not claim to be a “HIPAA compliant” provider.

When evaluating a potential CSP it is important to consider several points:

  • Does a potential CSP have existing customers with a similar business model? Would the provider be willing to offer a reference contact?
  • One of the most important assessment factors is the readiness of a CSP to execute a BAA with the client. It is important to carefully review the agreement and understand the delegation of the obligations and responsibilities of both parties.
  • Perform comprehensive due diligence of technical, physical, procedural safeguards and controls of a potential CSP.
  • Does a CSP comply with any other data security standards, such as PCI DSS?
  • Does a potential cloud service partner have a mandatory staff HIPAA awareness training program?
  • Review the records of a recent HIPAA audit report.
  • As a part of the technical due diligence, discuss the company’s platform and architectural requirements and make sure that the CSP has technical provisions to support your compliance with HIPAA technology safeguards.

What problems have you seen when doing evaluations and making selections? Share your questions and we’ll get them answered in future posts.

Read one leading software provider’s top picks for HIPAA cloud services.

Tagged: HIPAA