Are you sure your product is HIPAA compliant?

Anybody can, and many companies do, put “HIPAA Compliant” on their websites and marketing material. Complying with HIPAA is essential to selling software that processes, stores, transmits, or somehow touches ePHI. It’s an essential, though non-differentiating, feature of any B2B healthcare technology product.

The reason companies can self-attest to being HIPAA compliant is that there is no certifying body, and no accompanying certification, for HIPAA. That is a problem both for vendors building and selling healthcare software to enterprises and for enterprises buying software from third-party vendors.

To be truly HIPAA compliant, you need both technical controls and written policies to prove compliance. You must ensure that your technology (things like backup and disaster recovery) and your internal procedures (things like workforce training) are both in line with the requirements.

In the end, the path you choose to prove HIPAA compliance is up to you and will be driven by your available resources, both financial and human.

This HIPAA worksheet is meant to illuminate the cloud requirements of HIPAA that you need to plan for in your own digital health product. A more comprehensive risk assessment, such as the HITRUST CSF Self-Assessment, is also necessary. Use this checklist to understand which compliance controls are needed and to assess your compliance state at several cloud layers:

- The Physical Layer
- The Operating System and Application Layers
- The Administrative Layer

Once you have completed this checklist, you will have a much better understanding of what it will take to be HIPAA compliant in the cloud.