Gaining HIPPA cloud certification

Our company converts both paper and electronic data to fully searchable PDFs.  We process in a cloud and want to know what is required for HIPPA certification.  

Scanned documents will be sent from a hospital to our cloud where our software classifies the documents as to type and removes duplicates.  The software then vastly enhances the OCR process and either the hospital or a 3rd party finishes the QC process.  The finished product is always returned to the originator and the result is a fully searchable PDF from either paper or electronic documents.  

Thanks for the assistance.
Jack blakeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brad GrouxSenior Manager (Wintel Engineering)Commented:
First, make sure you are going with a HIPAA compliant cloud provider, as HIPAA defines cloud providers as "associates." These are the minimum steps one should take -

Find a CSP that offers a HIPAA-compliant cloud offering. Ideally, they should be able to validate that they have met the HIPAA compliance requirements as defined by the Office for Civil Rights (OCR) through an independent audit.
Get your CSP to sign a Business Associate Agreement, which will ensure they take on appropriate responsibility for their side of HIPAA compliance.
Make sure that you connect the dots between your infrastructure and that of your CSP from a compliance standpoint. You don’t want to leave any security holes that might be exposed during data transfer.
Compliant does not always mean secure. If you want to prevent costly notification in the event of a breach, make sure your data is encrypted, and that you hold and maintain your encryption keys.
Also familiarize yourself with the recently updated breach notification guidelines, and remember that HIPAA compliant does not mean secure. I'd work with intrusion detection services or software to do some initial security testing as well to cover your butt in case of a breach. The Department of Health and Human Services doesn't take breaches lightly, especially after the recent Chinese hacking fiasco.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joe Winograd, Fellow&MVEDeveloperCommented:
I'm sure you mean HIPAA (Health Insurance Portability and Accountability Act), not HIPPA. A good place to start is the HHS website itself. Here is a link to all the regulatory standards in a single document — very convenient:

The summaries at the site are also helpful:

Summary of the HIPAA Privacy Rule

Summary of the HIPAA Security Rule

There are plenty of third-parties that can help, but the HHS site itself has a wealth of information. Regards, Joe
Joe Winograd, Fellow&MVEDeveloperCommented:
Hi Jack,
I'm trying to clean up some open questions and noticed that we haven't heard from you in two months on this one. Please let us know where things stand. If the info that Brad and/or I provided is sufficient, please select the solution(s) and close the question; if not, please let us know where it comes up short. Thanks very much, Joe
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Guy Hengel [angelIII / a3]Billing EngineerCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Joe Winograd, Fellow&MVEDeveloperCommented:
The question is: "We process in a cloud and want to know what is required for HIPPA certification."

The answer was provided by both experts. First, Brad's post is excellent, especially the comment to go "with a HIPAA compliant cloud provider". Everything else in his post is spot-on and deserves to be the Accepted Solution.

My post also contains answers to the question, pointing out that what is required for HIPAA certification is contained in the regulatory standards published at, including both the HIPAA Privacy Rule and the HIPAA Security Rule.

In summary, I recommend this:

Brad's post https:#a40283006 should be the Accepted Solution for 300 points.

My post https:#a40283040 should be an Assisted Solution for 200 points.

Regards, Joe
Joe Winograd, Fellow&MVEDeveloperCommented:
Thank you, thermoduric — much appreciated! Regards, Joe
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office Productivity

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.