HIPAA Compliant Cloud Applications Demystified

HIPAA Compliant Cloud Applications Demystified

When handling Personally Identifiable Information (PII) or Protected Health Information (PHI), you’re required to comply with the Health Insurance Portability and Accountability Act (HIPAA.)

Here we’ll guide you through all the steps to find a HIPAA-compliant cloud host, sign a Business Associate Agreement with them, and create the documentation, policies, and procedures you’ll need to have to launch a HIPAA-compliant applications.

Finding HIPAA compliant cloud host.

Popular cloud services providers such as Amazon Web Services, Google Cloud Platform, and Azure offer HIPAA compliant hosting. These cloud hosts will be suitable for most applications and organizations with proper HIPAA compliance policies in place.

Outside of the popular providers there is a category that specializes in different compliance practices such as HIPAA. Cloud providers such as Armor Cloud offer specialized services that include active security scans and incident response teams on call twenty-four hours a day and seven days a week when an incident comes up.

Sign a Business Associate Agreement with the cloud hosting provider.

To ensure HIPAA compliance when using a hosting provider, it is crucial to sign a Business Associate Agreement (BAA) with them. A BAA is a legal contract that outlines the responsibilities and obligations of both the hosting provider and the covered entity (i.e., the healthcare provider or organization). This agreement confirms that both parties are HIPAA-certified and agree to follow all protocols and procedures necessary to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII). It is worth noting that signing a BAA is mandatory for HIPAA compliance, and many major cloud hosting providers have web pages and onboarding flows to streamline the process.

  1. Major cloud hosting providers offer web pages and onboarding flows to get a BAA signed with them.
  2. Signing the BAA is mandatory for HIPAA compliance. It acknowledges that both you and the provider are HIPAA-certified and will be following all protocols and procedures necessary to protect PII (personally identifiable information) and PHI (protected health information).

Sign a BAA with your partners

When entering into partnerships it’s important to ensure that all parties involved sign a business associates agreement. Partners cannot get a business associates agreement assigned on your behalf, but they can sign their own business associates agreement with you. You still must follow all protocols and procedures when dealing with PII and PHI. The business associates agreement with your partners ensures they acknowledge that they are also hipa certified and will follow all best practices to protect PII and PHI. Ensure that your partners have proper documentation in place demonstrating that they have been Hipa certified and that they have the appropriate policies and procedures documented and in place to protect PII and PHI

  1. Partners cannot get a BAA assigned on your behalf, but rather can sign their own BAA agreement with you. You still must follow all protocols and procedures when dealing with PII/PHI. The BAA with the developer makes them acknowledge that they are also HIPAA certified and will follow all best practices to protect PII/PHI during application development.
  2. Be sure to check with your development team to ensure they have proper documentation in place demonstrating that their developers have been HIPAA-certified and that they have the appropriate policies and procedures documented and in place to protect PII/PHI.

Ensure you have all of the proper documentation for security policies and procedures. These include:

  1. Who your HIPAA Security / Compliance Officer is.
    1. This is going to be the person held accountable for making sure all documentation, policies and procedures are up to date and followed. This person will also be accountable for ensuring any team members with access to PII/PHI are HIPAA-certified.
  2. A Risk Assessment
    1. Your risk assessment must be done annually, and DHHS reviewed quarterly, in order to ensure that any software, technology, hardware, services, procedures, or changes to staff or office spaces remain HIPAA-compliant.
  3. A Physical Access Policy
    1. You must ensure that either no PII/PHI is stored on your work or development machines, or that you have physical access policies in place to ensure this information is secured at all times.
    2. At NO POINT should someone who is not HIPAA certified be able to access machines or devices with PII/PHI on them.
  4. Confidentiality Policy
    1. Anyone with access to PII/PHI MUST agree that this information will be used on an as-needed basis and will remain confidential at all times.
    2. It may not be stored or archived or for personal use for any reason unless explicitly approved and within HIPAA policy guidelines.
    3. Adherence to this policy must be strictly enforced, and employees must agree to this in writing.
  5. Policies surrounding electronic PHI (e-PHI)
    1. e-PHI storage and transfer within your organization must either be forbidden or strictly safeguarded with access restrictions and an agreement to not access or store the PHI on development machines for any reason.
    2. Employees must also be forbidden from using personal devices to access PHI.
    3. Violation of these policies will result in immediate termination of the employee and reporting of the incident to relevant BAA partners.
  6. Patient request for disclosures made by the company
    1. If there is a request made by a patient for specific PII/PHI disclosures made by the company, the company must be able to process that request if they are the owners of that PII/PHI.
  7. Patient requests for restricting PII/PHI paid for “out of pocket”
    1. Patients have the right to restrict access to their information if it was paid for “out of pocket”.
    2. If this is relevant to the company, it must be addressed in the BAA and the company must comply with these requests per the BAA agreement.
  8. Policy regarding charging for e-copies of medical records
    1. Organizations may charge only a $6.50 flat fee for e-copy medical record requests, and must comply with these requests if received.
  9. Business Continuity
    1. This can be made part of your disaster and recovery plan.
    2. Should unforeseen circumstances occur, such as natural disaster, critical events, or the business no longer being functional, your HIPAA policies and procedures must address how PII/PHI will be kept safe and no longer accessible should this occur.
  10. HIPAA Incident / Breach Investigation
    1. Should an incident occur in which a patient’s PII/PHI MAY have been compromised, you must have a policy in place for establishing an Incident Response Team (IRT) to investigate if the incident rises to a level of a breach.
    2. If so, it must be immediately reported and actions to remediate the cause of the breach must immediately take place.
  11. Sanction Policy
    1. This policy must cover the training and requirements for working with PII/PHI in a HIPAA-compliant environment as well as the policy for sanctioning employees who violate these policies.
  12. Document Retention Policy
    1. This document should explain how and for how long any HIPAA compliance documentation should be stored.
    2. This refers to your own HIPAA compliance documents, not to PII/PHI. But it may cover how PII/PHI is handled in your organization.
  13. Access Control Policy
    1. This policy document should dictate how individuals and user accounts are granted permissions to access systems which may contain PII/PHI and how those are managed and revoked.
  14. Signature and Acknowledgement
    1. Each and every employee with potential access to PII and or PHI or working within a HIPAA-compliant environment must understand all of these documents and this information fully and give a full acknowledgment that they agree to adhere to those policies. This acknowledgment and any HIPAA training or certifications received should be validated with the organization’s HIPAA compliance officer.

Setup Sandboxed and Local Development Environments

This step is not required but should be when developing Hipa compliant application. This highly recommended step involves creating or cloning all the functionalities into a separate sandboxed environment without access to PII or PHI.

With a sandboxed environment, developers can comfortably work within the application and debug issues without interacting with any sensitive data. To achieve this, authorized personnel can run scripts to mask or scrub the data in a way that no longer qualifies as PII or PHI. This includes scrubbing private notes, addresses, names, date of birth, blood types, information on relatives, dependents, social security numbers, mother’s maiden name, credit card numbers, payment information, and email addresses and other PII and PHI data points is crucial.

Setting up these environments ensures that your partners do not have to access PHI or PII data when debugging production issues.

Creating Secure Production Environments for HIPAA Compliance

HIPAA-compliant Production environments must be separate from development environments to maintain data security.

Additional security measures like storing application access keys, credentials, or environment variables in secure keychains is highly recommended. Keychains allow the application to run without anyone having access to the credentials.

Regulary auditing your source control goes a long way in avoiding costly data breaches. For example, production or any other environment intended for PII and PHI data should never have their Access Keys stored in your source control. These Access Keys would grant outside parties access to the PII and PHI data.

Only trusted partners with a Business Associates Agreement should have access to the production environment since it will contain PII and PHI.

Using Encryption Services to Protect PII/PHI

Encryption is an essential aspect of protecting sensitive data in your application. You should encrypt data at all stages, including while in transit, on web servers, mobile devices, and in databases (remove PII and PHI from a device immediately after it is no longer required.).

Using encryption services for PII and PHI is highly recommended, and government-standard encryption like 128-bit AES or better is preferred. In addition, encryption is required for all data “at rest,” which means that data must remain encrypted when not actively used in your web or mobile application.

Ensure HTTPS certificates are in place to secure communication channels. This will help prevent man-in-the-middle attacks, which can potentially compromise your systems.

Regularly Update Credentials

  1. Updating credentials regularly is a crucial practice to ensure the security of PII and PHI. In addition, quarterly is a best practice for rotating access keys to API services and passwords..
  2. Password changes help minimize the risk of web service or infrastructure compromises, such as unauthorized access to PII and PHI from individuals no longer authorized or certified to handle such data..
  3. Updating your credentials is just one of the ways you can take proactive measures to stay compliant within HIPAA regulation guidelines.

Run Security Audits using Third Party Vendors

  1. To ensure the highest level of security for your Hipa-compliant application, you will need security audits conducted by an independent third-party vendor. Internal security audits during the development process are essential, but independent third-party audits offer a specialized skill set and neutral perspective. .
  2. Penetration testing and vulnerability scanning are some of the components of a security audit that identify any potential security gaps. Once identified, they will outline the issue, and it is you to you and your team to resolve in a timely fashion. It goes without saying that vulnerabilities must be resolved before launch.

Employee Training

  1. It is crucial to train your organization and employees to become HIPAA-certified and maintain their HIPAA certifications, either annually or bi-annually.
  2. Training records should be kept and certificates made available in case of requests.


Visit https://www.hhs.gov/hipaa to find answers to frequently asked questions for Business Associates.

Expert Consultation

If you require HIPAA-compliant cloud or mobile applications and wish to collaborate with HIPAA certified development partners drop us a line

Trending Articles

Let's create something amazing.

Coffee Much?

Built in center of everything 🌎 Indianapolis, IN.

Privacy Policy