What is HIPAA Eligible vs. HIPAA Compliant?
Chris Bowen, Chief Privacy & Security Officer and Founder, CISSP, CCSP, CIPP/US, CIPT
According to Gartner, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data, through 2025.
As the public cloud continues to offer more HIPAA-eligible services, those of us at ClearDATA get more and more questions from healthcare organizations about the difference between HIPAA-eligible and HIPAA-compliant services. To help address these questions, we’ve compiled a Q&A on this topic with our Founder and Chief Privacy & Security Officer Chris Bowen.
For openers, can healthcare organizations use any cloud services they want or are they restricted?
There are restrictions when considering public cloud services for sensitive healthcare data. Key regulatory frameworks govern the use of Protected Health Information (PHI) and Personally Identifiable Information (PII), regardless of whether that data is being used on premises or in the cloud. HIPAA is the most famous. Bear in mind, HIPAA was written over 20 years ago and was not prescriptive in its language even then, and it can now be increasingly hard for organizations to interpret in light of the new technologies that have come into play. But the work behind what HIPAA enforces is critically important. The safety and privacy of patient data must be protected. There are other frameworks as well, such as the fairly recently implemented General Data Protection Regulation (GDPR). When a healthcare or life sciences organization wants to move to cloud and use native cloud services, they can only use services that are deemed HIPAA eligible for any workloads that contain PHI.
What are my options for HIPAA cloud compliance?
The three main public clouds, Amazon Web Services, Microsoft Azure and Google Cloud Platform, serve a variety of industries. It’s important to remember that healthcare is a highly regulated industry, and it is not the primary or sole focus of the clouds the way it is for ClearDATA, where we are healthcare exclusive. As part of the clouds’ day-to-day operations, they are constantly evolving cloud services; in fact, sometimes adding hundreds of updates and new services every month! What matters to healthcare organizations as more and more move to the cloud, is understanding which of these services can be configured appropriately to store, transmit, or process protected health information (PHI) and personally identifiable information (PII).
So, if a service is HIPAA eligible it’s okay to use with PHI, right?
That’s where it gets a little complicated. The answer is yes, and no. Think of it this way. I can go to the store and get a bunch of ingredients to create a delicious Italian dinner like one I recently had at a trending restaurant. My ingredients might be chicken cacciatore eligible in that they are what is needed to create that dish. But I may not know how to use and assemble them to get to that end result. I may not know which technical controls to configure, or how. The same is true for cloud services.
A service that is HIPAA eligible is one that is capable of being configured in a way that could meet HIPAA compliance requirements, but you have to know how to do it; it doesn’t happen ‘out of the box.’
And it’s not just configuring it properly at deployment – you have to know how to keep it compliant for the lifetime of your application because data is not stagnant and is likely to drift in and out of compliance. So a service may be HIPAA eligible, but it is on the customer (or a partner they hire to help with this) to make it HIPAA compliant, which most healthcare organizations struggle with as it’s not their area of expertise… just like you can give me a kitchen counter full of food that could make chicken cacciatore, but it might not end up being that once I assemble it.
What goes into making a HIPAA-eligible service into a HIPAA compliant one?
You need a deep knowledge of healthcare regulations, as well as extensive cloud expertise, and the dedication and focus to stay in front of the wave of innovation by the three major cloud providers for the life of your application. The three have to be orchestrated together. You must be able to map and enable or disable technical controls available in the cloud to the various regulations in order to meet the criteria necessary to maintain compliance in your infrastructure.
What are HIPAA technical controls?
Here is a chart with examples of some technical controls. If you read through you can see what they are able to control. These services are not built exclusively for healthcare – they are built to be able to store, transmit, or process data, whether for banking, retail, finance, government, or healthcare. That doesn’t mean it’s doing it in a way that meets the complex regulatory requirements of healthcare right ‘out of the box.’
How does a healthcare organization know which technical control should be used to map to which regulation be it HIPAA, NIST or others?
That’s where the many customers who have come to us have previously struggled. The regulations don’t tell you. Because ClearDATA is a cloud expert and healthcare exclusive with HITRUST certification, we’ve spent nearly the last decade staying on top of this. Our ClearDATA Comply™ software gives stakeholders a constant view into which controls for each service map to the regulations as well as how we interpret the regulation to be sure the adequate level of privacy and security are being adhered to in order to maintain compliance. Here’s an example of how that can get complex for people who don’t do this full time, with examples from both HIPAA and GDPR:
- HIPAA 45 CFR 164.312(e)(1): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
- GDPR, Article 32, Section 1(a): Security of Processing – Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: The pseudonymization and encryption of personal data.
So, what do these really mean? They mean data (PHI or PII) in transit must be secured—but the regulations don’t specify how. The most broadly accepted control today is to encrypt the data using Transport Layer Security (TLS). To do that, the organization would need to determine which of the cloud services their team is using offer a TLS option for configuration. Then the organization has to figure out how to enforce that for the application data flows.
As a HITRUST certified organization, we understand the importance of protecting sensitive healthcare data and the risks and consequences that occur if the proper precautions are not put in place. Exclusive to healthcare and life sciences, we help hundreds of organizations harness healthcare data in the public cloud in a secure and compliant manner. As a result, these organizations can use the cloud to build innovative applications, whether transforming a member portal, building software as a medical device or using the cloud to uncover insights from a clinical trial faster. We don’t just understand HIPAA—we have expertise around numerous standards such as GDPR, GxP, NIST, and HITRUST.
Our expert interpretation of the regulations and deep knowledge of cloud services is the foundation of our software, ClearDATA Comply™, which enforces the relevant technical controls to keep PHI secure throughout the lifecycle of our customers’ applications.
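To make the TLS-in-transit point concrete: on AWS, an S3 bucket does not refuse plain-HTTP requests by itself; the usual way to enforce TLS for a bucket's data flows is a bucket-policy Deny statement conditioned on the IAM key aws:SecureTransport being false. The script below is an added illustration written for this page; it is not ClearDATA Comply code and does not describe how that product works. It checks a bucket policy for such a guard, appends one when missing, and flags a common mistake (a Deny that only covers object ARNs, so bucket-level calls such as ListBucket still go unguarded). The bucket name, account ID and policies are constructed for the example.

```python
"""Check an S3 bucket policy for a TLS-only guard and add one when it is missing.

AWS evaluates the condition key aws:SecureTransport as "false" for requests
that arrive over plain HTTP, so an explicit Deny on that condition forces TLS.
"""
import json
from typing import Any, Dict, List

# Constructed sample bucket and policies (hypothetical names, not real resources).
BUCKET = "example-phi-bucket"

# Grants access but says nothing about transport security.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

# Common mistake: the Deny covers objects only, not the bucket ARN itself.
PARTIAL_DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureObjectAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_bucket(resources: List[str], bucket: str) -> bool:
    """True if Resource covers both the bucket ARN and its object ARNs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if "*" in resources:
        return True
    return bucket_arn in resources and f"{bucket_arn}/*" in resources


def enforces_tls(policy_json: str, bucket: str) -> bool:
    """Return True if a Deny statement rejects all non-TLS access to the bucket."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # must apply to every caller, not just some principals
        actions = _as_list(stmt.get("Action"))
        if "s3:*" not in actions and "*" not in actions:
            continue  # a Deny on a subset of actions leaves other calls open
        flags = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
        if "false" not in [str(f).lower() for f in flags]:
            continue
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        if _covers_bucket(resources, bucket):
            return True
    return False


def tls_deny_statement(bucket: str) -> Dict[str, Any]:
    """The standard TLS-only guard: deny every S3 action made without TLS."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def harden(policy_json: str, bucket: str) -> str:
    """Return the policy with a TLS-only Deny appended if it does not already have one."""
    if enforces_tls(policy_json, bucket):
        return policy_json
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    statements.append(tls_deny_statement(bucket))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("partial", PARTIAL_DENY_POLICY)):
        print(f"{name} policy enforces TLS: {enforces_tls(doc, BUCKET)}")
    print(harden(WEAK_POLICY, BUCKET))
```

The check is deliberately strict: it only accepts a Deny that applies to every principal, to every S3 action, and to both the bucket and its objects. Run it over policies pulled with `aws s3api get-bucket-policy`, and remember that this covers one service's transport control only; every other service carrying PHI needs its own equivalent.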
How does this software – ClearDATA Comply – work?
ClearDATA Comply is a Software as a Service (SaaS) compliance management solution that helps healthcare organizations monitor and manage their privacy and compliance obligations in the public clouds: AWS, Azure, and Google Cloud.
Our mapping and opinionated stance is visible in the software, giving you a resource for auditors as well as documentation for your team. We have automated the controls, or safeguards, to help maintain your compliance posture and set up alerts and remediation if you drift out of compliance.
Figure 2. See how technical controls map to different standards and certifications across numerous cloud services. Our expert interpretation is visible for your documentation purposes in our Compliance Dashboard.
With 230 technical controls automatically configured for more than 70 of the most commonly used cloud services, Comply gives you and your team the freedom to self-service any of the covered services without worrying about the potential impact of different actions your team takes. If you or your team takes an action that can compromise your security and compliance posture, we’ll prevent it and inform you as to why we made that decision.
Comply also provides a single view for you to see your compliance status across not just different accounts but across the different cloud platforms, too, via the Compliance Dashboard. You can also dig into the health of individual accounts to see the number of evaluations and remediations the software performs.
Comply is just one of three suites of products on our platform, in addition to our services and professional services consulting. Our customers come to us to take care of their security, privacy and compliance so they can focus on meeting and exceeding their business objectives without increasing their risk by trying to do all of this themselves.