The Fractional General Counsel
By: Steven Boyne
The Question of the Week: Is your medical software provider using the Cloud to store data?
These days everyone is migrating to the Cloud. This exodus from on-premises servers to the Cloud is driven by the flexibility, security and pricing that Cloud services such as AWS (Amazon Web Services), Microsoft's Azure, Google Cloud and IBM offer software developers. It is a pretty safe assumption that most healthcare software vendors are already using the Cloud, or plan to.
So, why do you want to ask that question? Because, believe it or not, the major cloud service providers do not deliver HIPAA compliance by default. Each of them will sign a Business Associate Agreement (BAA) and offers services that can be configured to handle protected health information in a HIPAA-compliant way, but the configuration and the day-to-day safeguards are the customer's responsibility, not the provider's. As far as the regulators are concerned, the Covered Entity (i.e., the healthcare provider) remains responsible for ensuring that its vendors, and their cloud providers, protect patient data. If AWS or Azure suffers a breach involving your patients' data, you can still be held liable, particularly if you never confirmed that the vendor had the required agreements and safeguards in place. To close this gap, ask your software vendor: (1) do they store patient data in the Cloud; (2) if so, do they have a BAA with the Cloud provider; and (3) can they provide evidence that they configure their services on that platform to meet HIPAA's requirements, for example encryption of data at rest and in transit, access controls and audit logging. If the vendor doesn't know the answers, or is unwilling to discuss how they use the tools the Cloud providers make available to meet HIPAA's requirements, then it may be time to find another vendor.