Essential Steps to HIPAA-Compliant Cloud Hosting

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a United States federal law that, together with its Privacy and Security Rules, governs how protected health information (PHI) may be used, disclosed and safeguarded. It applies to covered entities (health plans, healthcare clearinghouses and healthcare providers) and to the business associates that handle PHI on their behalf, which includes cloud hosting providers. Being HIPAA compliant in the cloud means following a set of rules and ensuring that PHI is never leaked. Summarized, these rules are:

  • Encrypting data at rest.

  • Keeping an audit trail of every access to PHI.

  • Making sure no data is lost (backups and a tested recovery plan).

  • Ensuring high availability (ideally approaching 100%).

  • Robust, layered security controls and identity management.

  • Multifactor authentication for access control.

  • Encrypting data in transit (TLS, or an encrypted VPN for administrative and site-to-site links).

  • A Business Associate Agreement (BAA) with every vendor that handles PHI; this is mandatory.

  • Additionally, TLS certificates and an SSAE 18 attestation (a SOC 2 report) from the hosting provider are recommended.

Steps for becoming HIPAA-Compliant

Because there is no official HIPAA certification (the US Department of Health and Human Services does not certify products, websites or hosting providers), one can never say for certain that a website is HIPAA compliant. There are still some important actions to follow in pursuing HIPAA compliance.

Step 1 - Have a Robust Firewall and Security Management System

HIPAA compliance requires firewalls and network segmentation around every system that stores or processes PHI, an identity management system, and multifactor authentication for all access to PHI. Rather than building this from scratch, it is often better to use an Infrastructure as a Service provider that will sign a BAA and offers HIPAA-eligible services, and to build on its security controls. Note that the provider secures the underlying infrastructure while the customer remains responsible for configuring those controls correctly (the shared responsibility model); a HIPAA-eligible service that is misconfigured is not HIPAA compliant.

Step 2 - Isolate PHI from Shared Public or Hybrid Cloud Environments

HIPAA does not prohibit public or hybrid clouds, but multi-tenant environments add risk: a misconfigured storage bucket, an overly permissive network rule or a shared host can expose PHI to parties who should never see it. Where possible, run PHI workloads on dedicated servers or single-tenant instances. Where a public cloud is used, stay within the provider's HIPAA-eligible services, keep PHI in its own account and network segment, and never mix PHI with public-facing workloads.

Step 3 - Secured Communications through TLS and VPNs

All PHI in transit must be encrypted. Connections from browsers and apps to the service should use TLS (1.2 or later), and administrative access and links between sites or data centres should go through an encrypted VPN tunnel (for example IPsec or WireGuard). Unencrypted protocols such as plain HTTP, FTP and telnet have no place on a network that carries PHI.

Step 4 - Auditing of Every Action Performed

Every action performed on PHI (create, read, update, delete, export) must be logged with who did it, when, from where and on which record. The log must be protected from modification and retained (HIPAA requires documentation to be kept for six years). In practice this means an append-only, tamper-evident ledger stored separately from the application it records, with restricted write access and regular review of the entries.

Step 5 - Ensuring High Availability

HIPAA does not literally mandate 100% uptime, but its Security Rule requires a contingency plan (data backup, disaster recovery and emergency-mode operation) so that patients and clinicians keep access to PHI with as little interruption as possible. The practical target is 100% uptime, achieved through redundancy: at least one extra server, ideally in a second availability zone or data centre, with health checks and automatic failover, so that the loss of any single server causes no downtime.

Step 6 - Agreements and Certifications

HIPAA requires that business associates, i.e., any vendor that creates, receives, maintains or transmits PHI on behalf of a covered entity (hosting providers, developers, managed service providers), sign an agreement with that covered entity, i.e., the healthcare business using their services. This agreement is known as the BAA. It must set out the business associate's responsibilities for safeguarding the data, restrict use and disclosure of the data to what the agreement permits, require reporting of security incidents and breaches, and require the business associate to comply with the applicable HIPAA rules. Without a signed BAA a cloud provider may not host PHI at all, whatever its technical controls.

TLS Certificate - Commonly still called an SSL certificate, this is an X.509 certificate that lets a client verify a website's identity and is the basis of an encrypted TLS connection.

SSAE 18 Attestation - The Statement on Standards for Attestation Engagements 18 is an auditing standard under which an independent auditor issues a SOC 1 or SOC 2 report on a service organization's controls. It is not a HIPAA certification, but a current SOC 2 report is good evidence that a hosting provider's controls are actually operating.

Step 7 - Backing up Data

HIPAA also requires a data backup plan: PHI at rest must be encrypted and backed up to an offsite location that is itself covered by a BAA. The backups must be encrypted and access-controlled, and restores should be tested periodically to prove that the backups actually work.

Step 8 - Disposal of Data

PHI that is no longer needed should be destroyed so that it cannot be recovered: sanitize storage media following NIST SP 800-88 (cryptographic erase, overwrite or physical destruction), make sure backups and snapshots containing the data are deleted as well, and record the disposal.

Step 9 - Periodic Assessments

All of the above steps must be periodically reassessed (HIPAA requires a regular risk analysis), and the assessment process and its findings must be well documented.


HIPAA compliance can initially seem quite troublesome, but at heart it is about keeping data secure and protecting patient privacy. These security features are fairly standard for any well-built application, not just healthcare applications. Most of them can be automated, but as an extra measure a human should still review the audit trails, access rights and assessment results.