[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 33
  • Last Modified:

Gaining HIPPA cloud certification

Our company converts both paper and electronic data to fully searchable PDFs.  We process in a cloud and want to know what is required for HIPPA certification.  

Scanned documents will be sent from a hospital to our cloud where our software classifies the documents as to type and removes duplicates.  The software then vastly enhances the OCR process and either the hospital or a 3rd party finishes the QC process.  The finished product is always returned to the originator and the result is a fully searchable PDF from either paper or electronic documents.  

Thanks for the assistance.
Jack blake
Jack blake
  • 4
2 Solutions
Brad GrouxCommented:
First, make sure you are going with a HIPAA compliant cloud provider, as HIPAA defines cloud providers as "associates." These are the minimum steps one should take -

Find a CSP that offers a HIPAA-compliant cloud offering. Ideally, they should be able to validate that they have met the HIPAA compliance requirements as defined by the Office for Civil Rights (OCR) through an independent audit.
Get your CSP to sign a Business Associate Agreement, which will ensure they take on appropriate responsibility for their side of HIPAA compliance.
Make sure that you connect the dots between your infrastructure and that of your CSP from a compliance standpoint. You don’t want to leave any security holes that might be exposed during data transfer.
Compliant does not always mean secure. If you want to prevent costly notification in the event of a breach, make sure your data is encrypted, and that you hold and maintain your encryption keys.
Also familiarize yourself with the recently updated breach notification guidelines, and remember that HIPAA compliant does not mean secure. I'd work with intrusion detection services or software to do some initial security testing as well to cover your butt in case of a breach. The Department of Health and Human Services doesn't take breaches lightly, especially after the recent Chinese hacking fiasco.
Joe Winograd, EE MVE 2015&2016DeveloperCommented:
I'm sure you mean HIPAA (Health Insurance Portability and Accountability Act), not HIPPA. A good place to start is the HHS website itself. Here is a link to all the regulatory standards in a single document — very convenient:

The summaries at the site are also helpful:

Summary of the HIPAA Privacy Rule

Summary of the HIPAA Security Rule

There are plenty of third-parties that can help, but the HHS site itself has a wealth of information. Regards, Joe
Joe Winograd, EE MVE 2015&2016DeveloperCommented:
Hi Jack,
I'm trying to clean up some open questions and noticed that we haven't heard from you in two months on this one. Please let us know where things stand. If the info that Brad and/or I provided is sufficient, please select the solution(s) and close the question; if not, please let us know where it comes up short. Thanks very much, Joe
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Guy Hengel [angelIII / a3]Billing EngineerCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Joe Winograd, EE MVE 2015&2016DeveloperCommented:
The question is: "We process in a cloud and want to know what is required for HIPPA certification."

The answer was provided by both experts. First, Brad's post is excellent, especially the comment to go "with a HIPAA compliant cloud provider". Everything else in his post is spot-on and deserves to be the Accepted Solution.

My post also contains answers to the question, pointing out that what is required for HIPAA certification is contained in the regulatory standards published at HHS.gov, including both the HIPAA Privacy Rule and the HIPAA Security Rule.

In summary, I recommend this:

Brad's post https:#a40283006 should be the Accepted Solution for 300 points.

My post https:#a40283040 should be an Assisted Solution for 200 points.

Regards, Joe
Joe Winograd, EE MVE 2015&2016DeveloperCommented:
Thank you, thermoduric — much appreciated! Regards, Joe

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now