Matthew O’Connor, Google’s product manager responsible for security and compliance, says he expects GAE to be HIPAA-eligible in the second quarter of this year. The process to do so involves third-party auditors as well as policies and procedures being set up within the company. “The key theme is to follow good software development practices, good operational procedures and to have solid privacy and security,” he says.
At its most basic, HIPAA “sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information,” according to the U.S. Department of Health and Human Services’ website. It includes a set of federal privacy protections for individually identifiable health information. The regulations are long and multi-faceted, and complicating matters is that there is no certifying body and no official checklist for complying with HIPAA.
“A lot of it is about controlling access to information,” explains Jon Senger, CTO of Vertiscale, a company that creates software that managed service providers use to comply with HIPAA.
No provider can offer a fully HIPAA-compliant computing environment as a service, because compliance depends on both the provider and the customer meeting the regulations: the provider secures the underlying platform, and the customer remains responsible for how it handles protected health information (PHI) on top of it. Instead, providers have established policies and procedures around certain products that meet HIPAA standards. Customers must sign what’s called a Business Associate Agreement (BAA), a legally binding document between customer and provider under which the provider acknowledges that some of the customer’s data is PHI subject to HIPAA rules and takes on the obligation to safeguard it.
Google isn’t the only cloud vendor tackling HIPAA. Amazon Web Services says that nine of its products, including popular ones like Elastic Compute Cloud (EC2), Simple Storage Service (S3) and Elastic Block Store (EBS), are eligible for HIPAA workloads if customers sign a standardized BAA with the company. AWS has a white paper describing how to architect applications in its cloud to meet HIPAA guidelines. Microsoft Azure, meanwhile, offers qualified health care companies and their suppliers a standardized BAA as the basis for using Azure with protected health information.
Overall, cloud providers seem to be evolving their platforms to host even the most sensitive, HIPAA-regulated applications. ScotCro understands it still needs to perform its own due diligence to ensure HIPAA compliance, and will have to enter into a BAA. But by using a cloud service, at least it won’t have to host all that underlying infrastructure itself.