Re: Is HIPAA compliance on Google App Engine possible?


Chad Vincent

Feb 7, 2013, 2:22:04 PM
to google-a...@googlegroups.com
1) No product can ever be "HIPAA Compliant", as end-user policies (in this case, how you design your app to protect the data, allow access, etc.) can allow breaches no matter how much HIPAA was taken into consideration when the software (GAE) was written.

2) If you're going to write a web application that involves HIPAA-covered information, you should probably already be better versed in compliance than this question suggests.  I suggest some more research.

3) Consult a lawyer.  Cover your bases.

Nick Steele

Jan 29, 2014, 2:54:20 PM
to google-a...@googlegroups.com
To be HIPAA OMNIBUS compliant (the OMNIBUS is the final HIPAA law that was put into effect on Sept 23rd, 2013), you must have a signed BAA (Business Associate Agreement) with each associate that handles PHI (Protected Health Information).  This means if you host your app on GAE (Google App Engine), Google *MUST*, in order to be HIPAA compliant, sign a BAA with you, describing what part of HIPAA they will take responsibility for.

In dealing with PHI, you need to concern yourself with HIPAA and the HITECH act of 2009.  There are many overviews online that describe the laws and their requirements.

Currently, Google signs BAAs for Google Apps, but NOT for GAE; they will likely not do this for a number of years because much of GAE is still experimental and subject to change.

AWS (Amazon Web Services) does sign BAAs and has very similar services to GAE.  No knock to Google here, because GAE is going to be incredible when it's stable, but AWS is already stable and has a very proven track record; it scales like GAE and has very similar features, so most people currently go with AWS.  You can also contact Rackspace, Edgeweb, OnlineTech or Atlantic.net (and I'm sure many others).  They will all sign BAA agreements and host your PHI.

Once you have a BAA agreement that covers storage and backup, etc., you only need to worry about encrypting the transport of PHI using SSL, and controlling unauthorized access.  All of the hosts I mentioned above will work with you to figure out what specifically you must do to produce a HIPAA compliant final product.  You can also pay about $250-$1,250 (depending on scope) for a HIPAA compliance audit, and a tech will talk with you about your code, check your config settings, verify your setup, etc., and sign off that based on the information you provided, you appear compliant, or tell you what you still need to do.

In my opinion, unless you're a large corporation, you don't need to hire a full time lawyer for simple HIPAA compliance. It's really not that complex, especially since hosts handle everything but transport and access concerns, which they walk you through anyway.

Prices I've gotten for shared HIPAA hosting through dedicated server hosting ranged from $160/mo to $1500/mo with the above hosts.  The costs include lots of backups, encryption licenses for MySQL, encrypted drives, special audits for their server rooms, and insurance to cover HIPAA risks.  In almost all cases, it's a lot cheaper to go with a HIPAA host than to host a server yourself, and it's much, much cheaper to host PHI correctly than to skimp now and pay a minimum $50,000 fine for not being compliant later.

Hope some of that helps! :)

On Wednesday, February 6, 2013 8:22:49 PM UTC-5, MDS wrote:
Hello everyone,

I am curious if it is possible to implement a HIPAA compliant application on Google App Engine, or if, the way Google App Engine is set up, it is not possible to be HIPAA compliant?

I have read the restrictions in the terms of the agreement, stating "Customer acknowledges that the Service is not HIPAA compliant and Customer is solely responsible for any applicable compliance with HIPAA."

I am unsure if this means it is NOT compliant at all or if a specific implementation of an application can be compliant.

Thanks!

PK

Feb 7, 2014, 1:51:17 AM
to google-a...@googlegroups.com, Nick Steele
It seems there has been a recent positive development on this front: Google now signs BAAs for GCP as well, which includes GAE if I understand correctly.

I would like to hear more on how this works and what are the costs involved.
