Evaluating and Choosing Healthcare Cloud Service Providers

As healthcare moves from on-premise to cloud services, the evaluation and selection of “HIPAA compliant” cloud service providers becomes an import task. I don’t like the description “HIPAA compliant” because it’s imprecise and not meaningful. However, it’s something that many non-technical people look for when evaluating providers so I’m using it here. My friend Alex Ginzburg, VP of Technology at Intervention Insights, and I have done this kind of healthcare cloud services providers evaluation and selection many times so it was natural for me to reach out and ask him to provide some guidance for the community. I asked Alex to give us insight on his process for choosing vendors. Here’s what Alex said:

Many Digital Health startups are facing the challenge of striking the right balance between achieving required regulatory compliance with healthcare data privacy and security laws (HIPAA, State) and running a lean environment. We all know that cloud technology enables healthcare organizations to focus their efforts on relevant services and improved patient outcomes, significantly reduces the burden of infrastructure management, simplifies technology adoption and drives operational costs down. Commercial elastic clouds, such as Amazon EC2, are some of the most commonly used options by the companies seeking to provide high level of security and optimize operational costs.

Lack of compliance with the HIPAA and other applicable security regulations can be a real showstopper for a Digital Health organization. The dynamics of an early stage often results in decision to either defer or even forego the security and privacy specific legal reviews of the business and operating plans, which may translate into costly remediation efforts. An important contributing factor to that is the lack of legal and implementation consultancy available directly from the government offices. As of today there is no official government-sponsored certification program for HIPAA consultants or organizations. Several private companies offer their own proprietary HIPAA assessment and certification programs, but the services may be costly for early-stage startups. For a Digital Health business there is no clearly defined pathway into achieving compulsory compliance status with HIPAA and other certification authorities (which is why “HIPAA Compliance” is a difficult concept to grasp). The Digital Health vendors, who choose to deploy their solutions in the commercial cloud, often have little or no control where or how this data is moved, handled, or stored by the Cloud Service Provider (CSP). The vendor must require the CSP to sign a Business Associate Agreement (BAA), hence contractually agreeing to maintain all PHI as stipulated by HIPAA and other applicable standards.

READ

Here's How To Choose Glasses You'll Love To Wear

Considerations before moving into Digital Healthcare:

Does the nature of the business require the company to acquire, store and/or exchange identifiable patient information? Can the added complexity be avoided? In some cases the use of de-identified health data may be sufficient to provide the added value to the service consumers.
Does the team have a full awareness of the scope of company’s compliance standards: all applicable Federal, State, and international (if applicable) patient data privacy and security laws, legislation and regulations? It is important to note that some of the State laws may strengthen the federal requirements. For example, the State of Texas (H.B.300), among other amendments, changes the definition of a HIPAA Covered Entity.
It is important to remember that there are additional requirements for the providers of EMRs and other software solutions used by U.S. Federal Government, for example U.S. Department of Veterans Affairs (VA) or Department of Defense. Digital Healthcare companies working with the government entities should additionally adhere to standards developed by National Institute of Standards and Technology (NIST)
Does the company plan to use offshore resources and what are the potential implications of that in the context of privacy and security?
Will a private or a commercial cloud service provider (CSP) be more suitable and cost-efficient for SaaS/PaaS hosting and internal operations?

Cloud Service Provider Evaluation Criteria:

A typical software vendor startup needs a hosting platform for its SaaS offering, which could be easily scaled up or down depending on the operational needs.

Today a number of companies provide virtual hosting environments with different service level agreements (SLAs). Among the leading vendors offering commercial clouds are RackSpace, Amazon, and Microsoft Azure. A company needs to establish a Business Associate Agreement (BAA) with the Cloud Service Provider to fully understand CSP’s liabilities and risks as well as being able to absorb those risks in the event of HIPAA non-compliance.

READ

The Most Common Medical Errors That Lead to Medical Malpractice Cases

A Digital Healthcare company should screen potential cloud partners for their physical, procedural, operational and technical readiness to house the PHI (Protected Health Information) and to ensure safety of the transactions containing PHI data. A well-established commercial hosting facility has a variety of industry certificates: ISO 27001, PCI DSS Level 1, SSAE 16 and others. When it comes to claiming HIPAA compliance, cloud vendors may use terminology, such as “HIPAA enablement”, which best represents their security-related technical capabilities, while refraining from claiming legal compliance. For example, among other features, Digital Ocean (www.digitalocean.com), a popular provider of the hosted services, may indicate availability of data encryption and VPC setup (virtual private clouds), but is not claiming to be a “HIPAA compliant” provider.

When evaluating a potential CSP it is important to consider several points:

Does a potential CSP have existing customers with the similar business model? Would the provider be willing to offer a reference contact?
One of the most important assessing factors is the readiness of a CSP to execute a BAA with the client. It is important to carefully review the agreement and understand the delegation of the obligations and responsibilities of both parties.
Perform comprehensive due diligence of technical, physical, procedural safeguards and controls of a potential CSP.
Does a CSP comply with any other data security standards, such as PCI DSS?
Does a potential cloud service partner have a mandatory staff HIPAA awareness training program?
Review the records of a recent HIPAA audit report.
As a part of the technical due diligence, discuss company’s platform and architectural requirements and make sure that a CSP has technical provisions to support your compliance with HIPAA technology safeguards.

What problems have you seen when doing evaluations and making selections? Share your questions and we’ll get them answered in future posts.

cloud services / shutterstock

4 Tips For Home Health Care Agencies To Survive The Worker Shortage

How To Get Capital For New Equipment For Your Healthcare Business

7 Things You Should Not Do When Creating Your Health Website

3 Quick Ways To Market Your Medical Practice

How To Get Capital For New Equipment For Your Healthcare Business

Financial Benefits For People Suffering From Dementia

Cautious Health Care Lending Can Prove Lucrative For The Lenders

What Would Medicare For All Mean For Healthcare Entrepreneurs?

4 Tips For Home Health Care Agencies To Survive The Worker Shortage

Top Tips For A More Eco-Friendly Healthcare Facility

Why Mobile Apps Are Indispensable For Telemedicine

Why It’s Key To Take Care Of Medical Debt To Avoid Health Issues Later

Online Healthcare: A Helping Hand In Today’s Society

4 Proven Lead Generation Strategies For Your Medical Practice

Anxious? Try These Healthcare Gadgets That Relieve Anxiety

7 Things You Should Not Do When Creating Your Health Website

7 Reasons You Need Digital Marketing For Your Medical Practice

Why It’s Key To Take Care Of Medical Debt To Avoid Health Issues Later

Tips To Follow To Help Avoid Surprise Medical Bills

The Global Eye Tracking System Market Is Expected To Skyrocket In The US

The Future Of Real Time Location Systems In Healthcare

The Global Eye Tracking System Market Is Expected To Skyrocket In The US

Why HIPAA Matters To mHealth Apps More Than Ever

Critical Features To Include In Your Health And Nutrition App

Why You Need To Know The Risks Of Self-Diagnosis

Technological Advancements in The Medical Field That You Should Keep An Eye On

mHealth Apps And Digital Doctors: The Future Of The Healthcare Sector?

EHR For Rural Hospitals: Criteria And Access

7 Tips To Make Sure Your Medical Practice Is Found Online

4 Top Reasons Why App Developers Love Apple Health Records API

Should Healthcare Care About Branding?

How can Healthcare Professionals Manage their Reputation Online

10 Important Technology Tips For Healthcare Workers

3 Quick Ways To Market Your Medical Practice

The Future Of Real Time Location Systems In Healthcare

Top Tips For A More Eco-Friendly Healthcare Facility

Here’s Why Plastic Surgery Shouldn’t Be Taboo Anymore

How Tech And Medical Equipment Is Changing The Patient Approach

The Value And Criticism Of Robot-Assisted Heart Surgery

Critical Features To Include In Your Health And Nutrition App

Here’s Why Plastic Surgery Shouldn’t Be Taboo Anymore

5 Technologies That Are Revolutionizing Healthcare

The Value And Criticism Of Robot-Assisted Heart Surgery

Spinal Operation Preparation And Recovery Tips To Know

The Status Of Child Health And Wellness In America Today

What Are Home DNA Tests And How Do They Change Our Life?

Why The Psoriatic Arthritis Treatment Market Is Set To Grow

What To Expect At A Cannabis Vape Lounge

How Self-Determination Theory Can Improve Medical Students’ Motivation

Your Complete Guide To Magnesium: The Most Important Of All Minerals

5 Ways Meditation Can Help You With Weight Loss

Inpatient vs. Outpatient Drug Recovery — Which One Works?

6 Simple Steps To Detoxify The Liver Naturally

The Value And Criticism Of Robot-Assisted Heart Surgery

Here’s What To Know About Sleep And Heart Health

Is It Time to See a Cardiologist?

Can Artificial Intelligence Diagnose Illnesses Better Than Other Methods?

Can Teeth Whitening Kits Really Improve Your Smile?

Should I Get Dental Implants? Here’s How To Decide

Why Cosmetic Dentistry Is Important – And Isn’t Just About Appearances

Dental Care During Pregnancy: What Are The Facts?

Take These 4 Important Steps For Healthy And Happy Aging

Living Alone When You’ve Been Diagnosed With Alzheimer’s

A Guide To Healthy Aging And Happier Golden Years

10 Early Dementia Signs You Need To Be Aware Of

5 Ways Meditation Can Help You With Weight Loss

Fueling Your Exercise Goals

How To Boost Your Metabolism For Effective Weight Loss

Diet And Fitness Advice: What Should You Eat To Be Healthy?

Your Guide to Foot Gains: The 7 Best Foot Exercises for Stronger and More Flexible Feet

Causes Of Lower Leg Pain And Sore Calves To Know About

How To Take Care Of Your Bone Health In Your Forties

Body Pain: Causes, Prevention, And Treatment Tips To Know

Radiology as an Enterprise Model for Collaboration

Relationship Between Clinical Decision Support Systems (CDSS) & Radiology Must Evolve

Diagnostic Reading #33: Five Must-Read Articles from the Past Week

2015 CPT Coding Changes and Your Radiology Practice

CBD And Wellness: What You Need To Know

5 Ways Meditation Can Help You With Weight Loss

6 Ways To Improve Your Immune System