Health Insurance Portability and Accountability Act security requirements were established for physical infrastructure, not virtual and cloud environments.
Health care facilities that store personal health records have traditionally followed prescriptive guidelines on segregating sensitive patient data on separate servers. While other industries were moving to the cloud, many health care organizations stayed behind, believing that a cloud provider could never offer a
In this Q&A with SearchCloudProvider.com, Dr. Peter Tippett, chief medical officer and vice president of Verizon's health care solutions group, discusses the two HIPAA-compliant data centers offered by Terremark Worldwide Inc., the cloud services subsidiary of Verizon. These new cloud services comply with privacy and security requirements, guaranteed by a HIPAA Business Associate Agreement.
How would a cloud provider develop a HIPAA-compliant data center? Does it begin with physical infrastructure, or policy?
Peter Tippett: For [Terremark], it's about policy. We took two of our largest and most robust existing data centers -- located in Miami and Culpeper, Va. -- that already hosted top-secret data and altered the policies slightly to map to the kind of privacy and security needs customers [require] to ensure compliance with HIPAA. We put all the employees in those facilities through HIPAA training, and worked with lawyers to determine whether we could sign a HIPAA Business Associate Agreement with any customer doing hosting, cloud computing or colocation with us.
How exactly will the HIPAA Business Associate Agreement be used between Terremark and the health care customer?
Tippett: Any entity -- like a hospital or insurance billing company -- that comes in contact with personal health record data has to sign a HIPAA Business Associate Agreement that spells out who, and when they will be responsible for ensuring privacy and security of certain data.
Our Business Associate Agreements with our new cloud offerings -- Enterprise Cloud, Enterprise Cloud Express Edition and Enterprise Cloud Private Edition -- will carry more liability on our side than if the customer was doing standard hosting with us.
What is Terremark doing in their HIPAA-compliant data center that differs from what other providers do in their secure data centers?
Tippett: The main thing is the security is extremely well documented and well tested. [The two Terremark data centers] have five layers of internal and external testing of all our security measures, along with every employee being HIPAA-trained who walks into any place in the data center that is HIPAA-compliant.
We also have a dedicated team that does nothing but manage the HIPAA compliance in the data centers, in addition to another group that overlays the HIPAA compliance team, which monitors for threats and attacks, while making sure the physical access to the data center is under control.
More on the HIPAA-compliant data center
Are there guidelines for creating a HIPAA-compliant data center?
HIPAA Business Associate Agreement key to data center migration
Ensuing HIPAA cloud computing compliance in the data center
How did Terremark establish the confidence to carry more liability for sensitive health care data in a cloud environment?
Tippett: In the HIPAA world, no third party can come in and determine a provider is 100% compliant with a prescriptive checklist. Every provider working with HIPAA regulations has a compliance officer -- an internal employee -- that carries out risk assessments and bears the responsibility of determining whether the provider is keeping up with the regulations.
Almost every [provider] does vulnerability assessments, but not risk assessments, which Verizon does through Cybertrust [the identity management company Verizon acquired in 2007]. We are so comfortable that our security is done well, that we will sign the HIPAA Business Associate Agreement with the hospital or health care facility.
Health care customers are notoriously cautious when it comes to the cloud. Is Terremark's secure data center guarantee -- backed by the HIPAA Business Associate Agreement -- attracting new customers in this industry?
Tippett: We've talked to many health care customers -- like hospitals and insurance companies -- that have to follow HIPAA rules and [we] have been incredibly surprised by how excited folks are. The regulations in this industry have been holding back health care customers, compared to industries like finance and retail.
After learning we will sign [the HIPAA Business Associate Agreement], [we expect] customers … to move 5,000 servers into [the HIPAA-compliant data centers] in the next year, or move in 1,000 applications. Reactions have been very positive; these customers are finally able to do colocation and hosting that their peers in other industries could do ten years ago.