Let me start by saying this isn’t a trivial ask of a very complex question, I’m already deep into this and I’m looking to see if anybody else has encountered this challenge and perhaps found a solution.
To start off, we have a solution already running on DigitalOcean and a new client would like to add some data that would be considered Protected Health Information (PHI), which would make us a Business Associate to their organization as a HIPAA covered entity. The general approach here is that we need to get a Business Associate Agreement (BAA) signed by our hosting provider, but DigitalOcean will not sign BAAs (Amazon will, but we don’t want to go there). I didn’t want to give up, so I did some more digging.
I’ve gone through the HIPAA security requirements and it seems that having a BAA signed by the hosting provider is typically required to cover physical protection of the PHI stored on the hosting provider’s servers. My assertion is that if physical access to our servers cannot provide access to PHI, then we don’t need a BAA signed by DigitalOcean. Has anybody else had to dig into this and come to the same conclusion?
The physical risks I have identified so far include:
Any thoughts on risks that might be missing here?
I already have some thoughts on a number of these risks:
If I can build a solid list of risks and mitigation strategies, I’ll pull it together in a DigitalOcean Tutorial and hopefully our shared knowledge and expertise can make DigitalOcean a viable platform for HIPAA compliant solutions.
Thanks in advance for any help you might be able to offer.