HIPAA Security Rule Compliance Cloud Computing & SaaS Checklist for Covered Entities and Business Associates

HIPAA Security Rule compliance in the cloud for both Covered Entities (CE) and Business Associates (BA) can be an incredibly challenging and complex endeavor, ultimately requiring a clear roadmap for ensuring a comprehensive and efficient process for complying with the Health Insurance Portability and Accountability Act (HIPAA). Flat Iron Technologies, LLC, North America’s leading provider of HIPAA policy compliance toolkits and professional consulting services, offers the following HIPAA Security Rule compliance cloud overview and checklist for Covered Entities and Business Associates seeking to store and transmit Protected Health Information (PHI) in the “cloud”:

1. Understand what HIPAA is and what it is not. The Health Insurance Portability and Accountability Act (HIPAA), while incredibly large and complex, can essentially be examined through the eyes of two (2) main standards: The HIPAA Security Rule and the HIPAA Privacy Rule. Though there are many other technical and legal sections within the actual HIPAA regulation, the vast majority of businesses can successfully obtain and maintain compliance by adhering to the Security Rule and Privacy Rule mandates. As for the Security Rule, it’s without question the most well-known section within the Health Insurance Portability and Accountability Act (HIPAA), one that’s been talked about, discussed, and turned inside out by consultants, healthcare professionals, and almost anybody else in the HIPAA field.

As for the HIPAA Privacy Rule, it’s somewhat more complicated than the Security Rule and is not as well-known or understood, yet it is equally important from a HIPAA compliance standpoint. We’ve authored an extremely in-depth, multi-part white paper on the HIPAA Security Rule, which is available now online, and we’ve also provided a comprehensive overview of the HIPAA Privacy Rule – both of which are available on our HIPAA-specific website, hipaapoliciesandprocedures.com. Learning about both the HIPAA Security Rule and HIPAA Privacy Rule is absolutely essential to ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Both the HIPAA Security Rule and the Privacy Rule come complete with prescriptive mandates on what’s needed for complying. This is important to remember, as it helps mitigate HIPAA “scope creep” issues.

2. Enforcement is for Real. Starting with the HITECH Act, then moving on to the Final Omnibus Ruling of January, 2013, HIPAA has been given some serious regulatory compliance bite. That’s right, the days of non-compliance for both Covered Entities (CE) and Business Associates (BA) are long gone, replaced by strict edicts from the federal government, which is handing out large fines throughout the country. HIPAA is for real – finally – and for good measure, as breaches of Protected Health Information (PHI) continue to skyrocket throughout every thinkable industry within North America.
Did you know that the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has big plans for expanding its annual HIPAA compliance audits? Don’t be surprised if a letter lands in your mailbox from the federal government. Imagine auditors canvassing your entire business, going through files, asking for documents, conducting intense interviews – it’s happened to businesses already all throughout North America – so now’s the time to get serious about becoming compliant with the Health Insurance Portability and Accountability Act (HIPAA).

3. Assess your cloud environment in terms of how Protected Health Information (PHI) will be stored, processed and/or transmitted. It’s critically important to author a detailed narrative – along with developing necessary flowcharts and diagrams – depicting the lifecycle of Protected Health Information (PHI). Specifically: how does PHI enter an environment, how is it being stored, processed, and/or transmitted, and what systems does it “touch” and interact with, along with other important considerations. You can’t protect what you don’t know you have, so documenting the movement of PHI is critical for ensuring its safety and security.

4. Determine existing compliance mandates and mapping of controls. Though HIPAA compliance, particularly the HIPAA Security Rule, is the heavyweight legislation of the healthcare industry, let’s not forget about Payment Card Industry Data Security Standard (PCI DSS) compliance, along with SOC 1, SOC 2, FISMA, and ISO 27000. This means that organizations may already have a marginal to meaningful number of controls, policies, procedures, and processes in place, thus saving time and money regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA).

After all, who wants to spend hundreds of operational man-hours and thousands of dollars on regulatory compliance initiatives, especially if some of the hard work and heavy lifting has already been done? Communicate across your organization to see where synergies and efficiencies can be had regarding compliance. The better you communicate, the more money you’ll save; it’s just that simple.

5. Choosing the right vendor. There are numerous cloud providers claiming to be HIPAA compliant, and to be fair, a large number of them have undertaken all the necessary initiatives for ensuring adherence to the Security Rule and Privacy Rule provisions with the Health Insurance Portability and Accountability Act (HIPAA). Even with that said, doing your homework is essential to finding a provider that’s truly HIPAA compliant in the cloud. This means validating compliance with the HIPAA Safeguards of 164.308 to 164.316, along with any HIPAA Privacy Rule considerations that are applicable.

Cloud vendors should be able to provide a basic mapping template or product specification sheet detailing which of the HIPAA Security Rule safeguards they consider their responsibility for ensuring the safety and security of PHI – anything less would be considered unacceptable. A worthy consideration for showcasing HIPAA compliance would also consist of any of the following:

  • American Institute of Certified Public Accountants (AICPA) SOC 1 and/or SOC 2 Assessment. These can either be Type 1 or Type 2 assessments.
  • A HIPAA-specific audit or exercise done in accordance with any number of best practices frameworks, such as HITRUST, NIST, etc. Similarly, many consulting firms also offer HIPAA certification assessments, which should be acceptable.
  • ISO 27000 compliance or certification, along with possible FISMA compliance in accordance with NIST SP 800-53 standards and guidelines.

6. The Profound Importance of Policies and Procedures. What’s often overlooked is the importance of information security and operational-specific policies and procedures for HIPAA compliance. While we often speak about HIPAA in technical terms – firewalls, encryption, anti-virus, remote access – let’s not forget that the HIPAA Security and Privacy Rules require comprehensive documentation for compliance, and that’s putting it lightly. Stop and take a look at the mandates for documentation in accordance with HIPAA, and you’ll quickly see the need for sourcing an in-depth set of policies and procedures templates, or spending hundreds of precious, internal man-hours authoring them yourself. Developing HIPAA documentation is not an overnight process at all, especially considering the lengthy list of “standards” and “implementation specifications” required for compliance.

The HIPAA Security & Privacy Compliance Toolkits (HSPCT) provide all the necessary documentation for ensuring rapid and complete compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Bottom line: well-written, comprehensive documentation is one of the key ingredients for ensuring compliance with HIPAA; it’s really that simple. You can also download a Free Trial HIPAA Toolkit containing essential policies, procedures, forms, checklists, system hardening documents, and more by visiting hipaapoliciesandprocedures.com today. Let’s just say that authoring HIPAA policies and procedures on your own – while it can be done – is not recommended, as there’s a much more cost-effective strategy to employ.

7. The importance of assessing and addressing specific federal mandates. When the phrase “HIPAA compliance” is mentioned, it’s often in the context of the HIPAA Security Rule – specifically – the following mandates within Subpart C, 164.308 to 164.316:

  • 164.308: Administrative Safeguards
  • 164.310: Physical Safeguards
  • 164.312: Technical Safeguards
  • 164.314: Organizational Requirements
  • 164.316: Policies and Procedures and Documentation Requirements

It’s therefore important to assess and understand the mandates for each of the aforementioned “safeguards” and applicable “requirements” in terms of their intent, scope considerations, and overall responsibility (i.e., the cloud provider, your organization, dual responsibility, or another third-party) for HIPAA compliance. In reality, all organizations should be compliant with various aspects – if not all – of the HIPAA Security Rule mandates, and to a limited degree, the HIPAA Privacy Rule mandates also.

8. Encryption at Rest and in Transit. What was once a luxury in the healthcare industry years ago is now an essential protocol for ensuring the safety and security of Protected Health Information (PHI) – we’re talking about encryption! Simply stated, data at REST and in TRANSIT must be protected by industry-leading encryption technologies, no question about it. Some may laugh at the notion of an organization actually not using encryption, but it’s happening, unfortunately – particularly when it comes to data at rest. Ensuring the safety and security of PHI is absolutely paramount in today’s world.

9. Security Awareness Training. Along with being a strict mandate for HIPAA compliance, security awareness training for employees and all other workforce members just makes sense from a best practices perspective, no question about it. Think about it: what’s one of the most efficient and cost-effective measures any business can take when it comes to training employees on essential security issues, concerns, threats, and best practices? With many available options for training – and, again, it being a mandate – there’s no excuse for not doing it. It’s what we call the “human element” at Flat Iron Technologies, LLC – the frontline of defense in today’s chaotic, complex, and cyber security driven world we live in. It essentially means that all the industry-leading hardware and software tools are meaningless without properly trained employees, those capable of detecting and thwarting critical security concerns.

10. Monitoring. The true test of HIPAA compliance occurs long after the policies, procedures and processes are put in place – it’s ensuring they stay in place and are monitored as needed for validating the safety and security of Protected Health Information (PHI). It’s also one main reason why a designated HIPAA official should be appointed for such a task, as this is essential for ensuring the continued success of HIPAA compliance.

11. Risk Assessments. It seems as if everything in today’s world of business is about assessing risk, and it’s why HIPAA – along with many other compliance edicts – requires organizations to perform an annual risk assessment. This is one area that definitely is overlooked by businesses – but it shouldn’t be, particularly by cloud computing & SaaS vendors. Think about it. How can any business reasonably expect to survive, thrive, and prosper for the long-term without ever undertaking any type of reasonable risk assessment process on an annual basis? You talk about hiring new employees, raises, and other essential topics – which are all very important – but what about digging a little deeper and talking about risk?

12. Physical Security. Don’t forget about the physical security of servers and other information systems that are storing, processing, and transmitting Protected Health Information (PHI). While the actual HIPAA regulations are not very specific on what exact security mandates should be in place, best practices should include the following:

  • Adequate and sufficient building construction
  • Appropriately maintained vegetation
  • Access control systems and security alarms
  • Proper protocols for requesting entrance to facilities
  • Alarms
  • Documented processes & procedures for terminating employees
  • Destroying sensitive information in a safe & secure manner