I recently saw news of a startup promising a secure storage application programming interface (API) for healthcare-related Web and mobile apps that supposedly offloads HIPAA requirements onto that company. First, is that really the case? And if so, is there any reason to select such a service instead of going with a HIPAA-compliant hosting provider?
Let's make one thing clear up front: HIPAA-covered entities or business associates can share compliance responsibility with another organization, but cannot offload compliance responsibility to another party. A covered entity remains responsible for the compliant treatment of any protected health information (PHI) it generates, even if it uses business associates to assist with its processing.
However, choosing partners to assist with security and compliance tasks can be a time-saving and cost-effective approach to achieving HIPAA compliance. A vendor that provides HIPAA-compliant data storage behind an API relieves the company of the burden of building and maintaining that storage infrastructure itself. If the company itself operates no environment that stores ePHI, there is nothing there for it to secure. The responsibility that remains with the company is ensuring that it chooses a HIPAA-compliant vendor and that it enters into a business associate agreement with the vendor that clearly outlines the roles and responsibilities of each party.
As far as using a vendor that offers a HIPAA-compliant storage API instead of using a HIPAA-compliant hosting provider, it will boil down to the classic "build vs. buy" decision. The API is probably going to cost more, but it also simplifies the necessary work. If you go with a hosting provider, you'll likely need to build your own HIPAA-compliant API on top of the infrastructure provided by your supplier. The API might put you a few steps ahead and allow you to get right down to building the app.