Evaluating and Choosing Healthcare Cloud Service Providers

As healthcare moves from on-premise to cloud services, the evaluation and selection of “HIPAA compliant” cloud service providers becomes an import task. I don’t like the description “HIPAA compliant” because it’s imprecise and not meaningful. However, it’s something that many non-technical people look for when evaluating providers so I’m using it here. My friend Alex Ginzburg, VP of Technology at Intervention Insights, and I have done this kind of healthcare cloud services providers evaluation and selection many times so it was natural for me to reach out and ask him to provide some guidance for the community. I asked Alex to give us insight on his process for choosing vendors. Here’s what Alex said:

Many Digital Health startups are facing the challenge of striking the right balance between achieving required regulatory compliance with healthcare data privacy and security laws (HIPAA, State) and running a lean environment. We all know that cloud technology enables healthcare organizations to focus their efforts on relevant services and improved patient outcomes, significantly reduces the burden of infrastructure management, simplifies technology adoption and drives operational costs down. Commercial elastic clouds, such as Amazon EC2, are some of the most commonly used options by the companies seeking to provide high level of security and optimize operational costs.

Lack of compliance with the HIPAA and other applicable security regulations can be a real showstopper for a Digital Health organization. The dynamics of an early stage often results in decision to either defer or even forego the security and privacy specific legal reviews of the business and operating plans, which may translate into costly remediation efforts. An important contributing factor to that is the lack of legal and implementation consultancy available directly from the government offices. As of today there is no official government-sponsored certification program for HIPAA consultants or organizations. Several private companies offer their own proprietary HIPAA assessment and certification programs, but the services may be costly for early-stage startups. For a Digital Health business there is no clearly defined pathway into achieving compulsory compliance status with HIPAA and other certification authorities (which is why “HIPAA Compliance” is a difficult concept to grasp). The Digital Health vendors, who choose to deploy their solutions in the commercial cloud, often have little or no control where or how this data is moved, handled, or stored by the Cloud Service Provider (CSP). The vendor must require the CSP to sign a Business Associate Agreement (BAA), hence contractually agreeing to maintain all PHI as stipulated by HIPAA and other applicable standards.

READ

Mobile Medical Apps: A Game Changing Healthcare Innovation

Considerations before moving into Digital Healthcare:

Does the nature of the business require the company to acquire, store and/or exchange identifiable patient information? Can the added complexity be avoided? In some cases the use of de-identified health data may be sufficient to provide the added value to the service consumers.
Does the team have a full awareness of the scope of company’s compliance standards: all applicable Federal, State, and international (if applicable) patient data privacy and security laws, legislation and regulations? It is important to note that some of the State laws may strengthen the federal requirements. For example, the State of Texas (H.B.300), among other amendments, changes the definition of a HIPAA Covered Entity.
It is important to remember that there are additional requirements for the providers of EMRs and other software solutions used by U.S. Federal Government, for example U.S. Department of Veterans Affairs (VA) or Department of Defense. Digital Healthcare companies working with the government entities should additionally adhere to standards developed by National Institute of Standards and Technology (NIST)
Does the company plan to use offshore resources and what are the potential implications of that in the context of privacy and security?
Will a private or a commercial cloud service provider (CSP) be more suitable and cost-efficient for SaaS/PaaS hosting and internal operations?

Cloud Service Provider Evaluation Criteria:

A typical software vendor startup needs a hosting platform for its SaaS offering, which could be easily scaled up or down depending on the operational needs.

Today a number of companies provide virtual hosting environments with different service level agreements (SLAs). Among the leading vendors offering commercial clouds are RackSpace, Amazon, and Microsoft Azure. A company needs to establish a Business Associate Agreement (BAA) with the Cloud Service Provider to fully understand CSP’s liabilities and risks as well as being able to absorb those risks in the event of HIPAA non-compliance.

READ

Opening Your Own Private Medical Practice in the Digital Age

A Digital Healthcare company should screen potential cloud partners for their physical, procedural, operational and technical readiness to house the PHI (Protected Health Information) and to ensure safety of the transactions containing PHI data. A well-established commercial hosting facility has a variety of industry certificates: ISO 27001, PCI DSS Level 1, SSAE 16 and others. When it comes to claiming HIPAA compliance, cloud vendors may use terminology, such as “HIPAA enablement”, which best represents their security-related technical capabilities, while refraining from claiming legal compliance. For example, among other features, Digital Ocean (www.digitalocean.com), a popular provider of the hosted services, may indicate availability of data encryption and VPC setup (virtual private clouds), but is not claiming to be a “HIPAA compliant” provider.

When evaluating a potential CSP it is important to consider several points:

Does a potential CSP have existing customers with the similar business model? Would the provider be willing to offer a reference contact?
One of the most important assessing factors is the readiness of a CSP to execute a BAA with the client. It is important to carefully review the agreement and understand the delegation of the obligations and responsibilities of both parties.
Perform comprehensive due diligence of technical, physical, procedural safeguards and controls of a potential CSP.
Does a CSP comply with any other data security standards, such as PCI DSS?
Does a potential cloud service partner have a mandatory staff HIPAA awareness training program?
Review the records of a recent HIPAA audit report.
As a part of the technical due diligence, discuss company’s platform and architectural requirements and make sure that a CSP has technical provisions to support your compliance with HIPAA technology safeguards.

What problems have you seen when doing evaluations and making selections? Share your questions and we’ll get them answered in future posts.

cloud services / shutterstock

Should Healthcare Care About Branding?

Expanding Your Reach: 4 Quick Ways Personal Trainers Can Market Their Business

ICD-11 – The Next-Generation Coding System

5 Ways to Use Texting in Healthcare Marketing and Engagement

Entrepreneurs Must Integrate Mission-Driven Strategic Investors

6 Healthcare Financial KPIs You Need for 2017

Determining the ROI on Aquatic Therapy in Your PT Practice

How to Monetize Mobile Healthcare Apps

When The Doctor Is Hurting: Ergonomic Solutions For Medical Professionals

Stressing Employee Sleep and How It Can Impact Your Practice, Hospital, and Overall Productivity

Are Patients Being Informed Of Alternatives To Medication?

Enhancing Cultural Competency In Healthcare Settings

Mobile Medical Apps: A Game Changing Healthcare Innovation

The Impact of Big Data In Healthcare Analytics Career

Are We Failing Female Patients?

Should Healthcare Care About Branding?

Medical Data & Patient Privacy: An Update

Tackle Telemedicine Coding With These CPT® and CMS Pointers

What Is Interoperability and Why Is It Important in Healthcare?

Facebook Reported to Have Attempted to Acquire Users’ Medical Records

Mobile Medical Apps: A Game Changing Healthcare Innovation

What Is Interoperability and Why Is It Important in Healthcare?

How a New Patient Experience Model Will Drive the Future of Connected Healthcare?

mHealth: The New Future of Healthcare

EHR For Rural Hospitals: Criteria And Access

How Big Data Can Be Used To Prevent Fatal Heart Attack

Patient-Generated Health Data: a Shift in Care Delivery?

How Financial Barriers are Slowing Down Telehealth Adoption

Should Healthcare Care About Branding?

How can Healthcare Professionals Manage their Reputation Online

How to Handle Negative Physician Reviews and Feedback

5 Effective Ways to Market Healthcare to Millennials

Mobile Medical Apps: A Game Changing Healthcare Innovation

Important Medical Procedures for Those in Their 50s

The Impact of Big Data In Healthcare Analytics Career

The Outreach Mindset: How Doing Crisis Care Improves Medical Practice

Important Medical Procedures for Those in Their 50s

5 Life-Changing Assistive Technologies for the Visually Impaired

How AI Influences the Plastic Surgery

Healthcare Meets Technology: Future-Ready 2018 Innovations

Nanobots: The Bright Future of Surgical Robotics

Emerging Diabetes Technology Promises to Make Life Easier

How a New Patient Experience Model Will Drive the Future of Connected Healthcare?

Meeting The Healthcare Demands of an Aging Population

Minimizing Data Chaos in the Healthcare Industry

How a New Patient Experience Model Will Drive the Future of Connected Healthcare?

Vitiligo: Why it Happens to You, and How to Treat it?

Top 3 Ways to Gain Muscle Mass Fast

Healthcare Data Breaches: What Are the Risks?

Ethical Promotion Of Complementary Medicine: A Guide For Doctors

Why Dental Check-Up for Kids are Important

The Surprising Connection Between the Microbiome and Childhood Development

The Complicated Rise of Interventional Cardiologists

The Complicated Rise of Interventional Cardiologists

How Big Data Can Be Used To Prevent Fatal Heart Attack

Peripheral Vascular Stenting to 2020

In Praise of FDA Collaboration: The Cardiac Safety Example

Understanding Alzheimer’s Disease: What’s Next? [Infographic]

Why Primary Care Physicians Are the Next Phase in CCRC Care

The Dos and Don’ts of Handling Elderly Patients

Five Fields In Healthcare That Are Quickly Growing

The Weight Conscious Doctor: Why Sensitivity Matters

Top 5 Reasons Why you’re Not Losing Weight on Your Diet

Starting a New Eating Plan? What you Need to Know about Macro and Micronutrients

Should You Recommend Bariatric Surgery to Obese Patients?

Do it like Disney: Developing Orthopedic Centers of Excellence

Lessons on Building a Great Ortho Team from The Avengers

What Orthopedic Patients Want this Holiday Season

Use The Force: 4 Ways to Improve Orthopedic Service Lines

Radiology as an Enterprise Model for Collaboration

Relationship Between Clinical Decision Support Systems (CDSS) & Radiology Must Evolve

Diagnostic Reading #33: Five Must-Read Articles from the Past Week

2015 CPT Coding Changes and Your Radiology Practice

When Can Genetic Carrier Screening Be Performed?

Important Medical Procedures for Those in Their 50s

Eating Healthy on a Budget: How to Make Nutritiously Fiscal Decisions

Ethical Promotion Of Complementary Medicine: A Guide For Doctors

Eating Healthy on a Budget: How to Make Nutritiously Fiscal Decisions

Ethical Promotion Of Complementary Medicine: A Guide For Doctors

5 Health Benefits of Keto Diet