
HIPAA-compliant data center: Secure with Business Associate Agreement

Terremark's Dr. Peter Tippett discusses the provider's HIPAA-compliant data centers and its HIPAA Business Associate Agreement for customers.

Health Insurance Portability and Accountability Act security requirements were established for physical infrastructure, not virtual and cloud environments.

Health care facilities that store personal health records have traditionally followed prescriptive guidelines on segregating sensitive patient data on separate servers. While other industries were moving to the cloud, many health care organizations stayed behind, believing that a cloud provider could never offer a Health Insurance Portability and Accountability Act (HIPAA)-compliant data center.

In this Q&A, Dr. Peter Tippett, chief medical officer and vice president of Verizon's health care solutions group, discusses the two HIPAA-compliant data centers offered by Terremark Worldwide Inc., the cloud services subsidiary of Verizon. These new cloud services comply with HIPAA privacy and security requirements, guaranteed by a HIPAA Business Associate Agreement.

How would a cloud provider develop a HIPAA-compliant data center? Does it begin with physical infrastructure, or policy?

Peter Tippett: For [Terremark], it's about policy. We took two of our largest and most robust existing data centers -- located in Miami and Culpeper, Va. -- that already hosted top-secret data and altered the policies slightly to map to the kind of privacy and security needs customers [require] to ensure compliance with HIPAA. We put all the employees in those facilities through HIPAA training, and worked with lawyers to determine whether we could sign a HIPAA Business Associate Agreement with any customer doing hosting, cloud computing or colocation with us.

How exactly will the HIPAA Business Associate Agreement be used between Terremark and the health care customer?

Tippett: Any entity -- like a hospital or insurance billing company -- that comes in contact with personal health record data has to sign a HIPAA Business Associate Agreement that spells out who will be responsible, and when, for ensuring the privacy and security of certain data.

Our Business Associate Agreements with our new cloud offerings -- Enterprise Cloud, Enterprise Cloud Express Edition and Enterprise Cloud Private Edition -- will carry more liability on our side than if the customer was doing standard hosting with us.

What is Terremark doing in its HIPAA-compliant data center that differs from what other providers do in their secure data centers?

Tippett: The main thing is the security is extremely well documented and well tested. [The two Terremark data centers] have five layers of internal and external testing of all our security measures, along with every employee being HIPAA-trained who walks into any place in the data center that is HIPAA-compliant.

We also have a dedicated team that does nothing but manage the HIPAA compliance in the data centers, in addition to another group that overlays the HIPAA compliance team, which monitors for threats and attacks, while making sure the physical access to the data center is under control.


How did Terremark establish the confidence to carry more liability for sensitive health care data in a cloud environment?

Tippett: In the HIPAA world, no third party can come in and determine a provider is 100% compliant with a prescriptive checklist. Every provider working with HIPAA regulations has a compliance officer -- an internal employee -- that carries out risk assessments and bears the responsibility of determining whether the provider is keeping up with the regulations.

Almost every [provider] does vulnerability assessments, but not risk assessments, which Verizon does through Cybertrust [the identity management company Verizon acquired in 2007]. We are so comfortable that our security is done well, that we will sign the HIPAA Business Associate Agreement with the hospital or health care facility.

Health care customers are notoriously cautious when it comes to the cloud. Is Terremark's secure data center guarantee -- backed by the HIPAA Business Associate Agreement -- attracting new customers in this industry?

Tippett: We've talked to many health care customers -- like hospitals and insurance companies -- that have to follow HIPAA rules and [we] have been incredibly surprised by how excited folks are. The regulations in this industry have been holding back health care customers, compared to industries like finance and retail.

After learning we will sign [the HIPAA Business Associate Agreement], [we expect] customers … to move 5,000 servers into [the HIPAA-compliant data centers] in the next year, or move in 1,000 applications. Reactions have been very positive; these customers are finally able to do colocation and hosting that their peers in other industries could do ten years ago.

Let us know what you think about the story; email: Gina Narcisi, News Writer and follow @GeeNarcisi on Twitter.


1 comment

A BAA is not enough. The OCR (Office of Civil Rights) has new guidelines created from the initial pilot audit program launched last year. These new guidelines are now being applied to business associates (hosting providers) as more federal audits are being conducted this year.

If your HIPAA hosting provider hasn't been independently HIPAA audited by the OCR guidelines, you should find a provider that has been in order to avoid a data breach and prove your due diligence. The older HITRUST standards are not the optimal guidelines for a HIPAA audit anymore.