

Comparing HIPAA-compliant hosting methods

Are HIPAA-compliant hosting services a better option for compliance than a secure storage API? Expert Mike Chapple analyzes.

I recently saw news of a startup promising a secure storage application programming interface (API) for healthcare-related Web and mobile apps that supposedly offloads HIPAA requirements onto that company. First, is that really the case? And if so, is there any reason to select such a service instead of going with a HIPAA-compliant hosting provider?

Let's make one thing clear up front: HIPAA-covered entities or business associates can share compliance responsibility with another organization, but cannot offload compliance responsibility to another party. A covered entity remains responsible for the compliant treatment of any protected health information (PHI) it generates, even if it uses business associates to assist with its processing.

However, choosing partners to assist with security and compliance tasks can be a time-saving and cost-effective approach to achieving HIPAA compliance. A vendor that provides HIPAA-compliant data storage behind an API relieves the company of the burden of building and maintaining that storage infrastructure itself: if the company does not operate an environment that stores ePHI, there is nothing for it to secure there. The responsibility that remains with the company is ensuring it chooses a HIPAA-compliant vendor and that it enters into a business associate agreement with the vendor that clearly outlines the roles and responsibilities of each party.

As for using a vendor that offers a HIPAA-compliant storage API instead of a HIPAA-compliant hosting provider, it boils down to the classic "build vs. buy" decision. The API is probably going to cost more, but it also simplifies the necessary work. If you go with a hosting provider, you'll likely need to build your own HIPAA-compliant API on top of the infrastructure provided by your supplier. The storage API might put you a few steps ahead and allow you to get right down to building the app.



This was last published in September 2014
