
HIPAA and The Cloud from a Startup’s Perspective

As someone who wants to build a great healthcare app, I am dumbfounded by the effect of HIPAA. Of course this app will be built on the latest and greatest technology, such as “The Cloud” and mobile. But as I navigate the implications of HIPAA, I question whether targeting healthcare is really worth it.

Over the years we have seen startups create great apps in a variety of categories, from social media to games to navigation. Much of this was possible due to low startup costs. Cloud services allowed these innovative companies to buy what they needed at very reasonable prices. The days of paying ten thousand dollars for a couple of servers were gone. A server could be had for $25/mo.

Recent changes in the HIPAA law are a real challenge for a startup. Whereas the prior law was somewhat vague as to whether a cloud provider needed to be involved as a business associate (a party held responsible for the privacy of the data), the new law strongly implies that cloud providers are business associates. So, if a startup wants to build a healthcare app on Amazon Web Services, the startup must have Amazon sign a business associate agreement (BAA).

That’s all well and good, but I see inconsistencies. The HIPAA laws are complicated (and I don’t pretend to understand them). I’m not sure the cloud providers do either. As I explored some providers I found a wide range of inconsistencies. For example, consider encryption of protected health information (PHI) stored in a database. Some providers require it and some don’t.

So far I have looked into three cloud providers and here are the difficulties of each from a startup’s perspective:

Amazon Web Services (AWS) – Amazon will only sign a BAA if dedicated instances are used. A dedicated instance is roughly 30 times more expensive than a non-dedicated instance. This alone will eliminate AWS from consideration by startups, as a $50/month server becomes a $1500/month server.

Our Prior ISP (Navisite) – Navisite was very reliable for us over the years when we used them for managed services. However, building a HIPAA compliant system with them would add, at a minimum, thousands of dollars a month in costs.

Google Cloud – Earlier this month (Feb 2014) Google announced a willingness to sign BAAs. According to a Google rep, Google Compute Engine and Google Storage are HIPAA compliant. However, what I find strange is the process one must go through to have a BAA signed. The app must first be installed in the Google Cloud, and then Google evaluates the app. This seems a little backwards to me. Before an app is architected, Google should be able to determine whether it meets Google’s requirements. And since Google has a history of changing its mind (in terms of the apps it supports), I would be hesitant to build anything on Google technology without an understanding in advance.

Microsoft Azure – I still have to check on Azure. I will update this post when I learn more.

The good news is that we are early in the process and can take the new HIPAA laws into account.  I can see how retrofitting an older application could be very difficult.

We will also have to divert some of our crucial capital to lawyers and consultants to help us navigate the waters of HIPAA.

For those startups that are seeking HIPAA compliance on a cloud platform, I have one piece of advice. Speak to the provider in advance and determine their specific requirements for signing a BAA. Then you can make the correct decision as to how to proceed.


February 28, 2014 at 2:36 pm
