Let me start by saying this isn’t a trivial ask of a very complex question, I’m already deep into this and I’m looking to see if anybody else has encountered this challenge and perhaps found a solution.
To start off, we have a solution already running on DigitalOcean and a new client would like to add some data that would be considered Protected Health Information (PHI), which would make us a Business Associate to their organization as a HIPAA covered entity. The general approach here is that we need to get a Business Associate Agreement (BAA) signed by our hosting provider, but DigitalOcean will not sign BAA agreements (Amazon will, but we don’t want to go there). I didn’t want to give up, so I did some more digging.
I’ve gone through the HIPAA security requirements and it seems that having a BAA signed by the hosting provider is typically required to cover physical protection of the PHI stored on the hosting provider’s servers. My assertion is that if physical access to our servers cannot provide access to PHI, then we don’t need a BAA signed by DigitalOcean. Has anybody else had to dig into this and come to the same conclusion?
The physical risks I have identified so far include:
Any thoughts on risks that might be missing here?
I already have some thoughts on a number of these risks:
If I can build a solid list of risks and mitigation strategies, I’ll pull it together in a DigitalOcean Tutorial and hopefully our shared knowledge and expertise can make DigitalOcean a viable platform for HIPAA-compliant solutions.
Thanks in advance for any help you might be able to offer.