Will your cloud be HIPAA compliant?

Regulatory compliance will have a major influence on the spread of cloud services to medical providers.
Written by David Chernicoff, Contributor on

The medical business, due to its geographically dispersed nature, seems like a clear candidate for cloud-based services. Just about every medical office I've dealt with, as a patient, parent, or consultant, has had some form of complaint about the nature of the IT services delivered to their practice. Even the large practices attached to universities and teaching hospitals always seem to put IT in the necessary-evil category, rather than treating it as a chance for business enhancement.

But the Health Insurance Portability and Accountability Act (HIPAA) means that the security of medical data is an absolute necessity for any vendor that deals with medical information. And this isn't just a set of suggestions; datacenters have to meet very strict standards for data protection to be HIPAA certified. The certification steps range from specific training for datacenter workers who have access to protected data, to government audits by HIPAA inspectors that ensure that the requirements in the Code of Federal Regulations are met. Additional reporting is required, and guarantees must be in place for the security of the data. Breaching those guarantees can result in a variety of penalties.

The problem that cloud service providers will face in delivering services to the medical industry is that each datacenter that holds any patient data will technically need to be HIPAA certified. When that data may be distributed throughout the cloud, there is no simple way of making sure that identifiable components of the patient data will never be exposed. This doesn't mean that there won't be HIPAA-certified clouds. It just means that the broad promise of cloud-delivered services, a best-of-breed choice from among all available selections, won't be available to medical services that need to deal with patient data.

But this is America, and where there is a perceived need there will be vendors who will supply that need. Datacenter providers like Colocation America, which just announced the HIPAA certification of its datacenters, will undoubtedly team up with other datacenter providers to begin to offer networks of HIPAA-certified datacenter back ends, enabling application service providers to offer their services to hospitals and medical practices throughout the country.
