Question

How can I achieve HIPAA compliance on a DigitalOcean hosted solution?

Let me start by saying this isn’t a trivial ask of a very complex question, I’m already deep into this and I’m looking to see if anybody else has encountered this challenge and perhaps found a solution.

To start off, we have a solution already running on digitalocean and a new client would like to add some data that would be considered Protected Health Information (PHI), which would make us a Business Associate to their organization as a HIPAA covered entity. The general approach here is that we need to get a Business Associate Agreement (BAA) signed by our hosting provider, but DigitalOcean will not sign BAA agreements (Amazon will, but don’t want to go there). I didn’t want to give up, so I did some more digging.

I’ve gone through the HIPAA security requirements and it seems that having a BAA signed by the hosting provider is typically required to cover physical protection of the PHI stored on the hosting provider’s servers. My assertion is that if physical access to our servers cannot provide access to PHI, then we don’t need a BAA signed by DigitalOcean. Has anybody else had to dig into this and come to the same conclusion?

The physical risks I have identified so far include:

  1. A system could be shut down and access to PHI limited.
  2. A system could be destroyed and PHI lost.
  3. A drive could be removed from a system and PHI copied from it.
  4. A drive could be removed from a system and security measures disabled.
  5. A system could be accessed by somebody at the hosting provider (back door) and data removed.
  6. A system could be accessed by somebody at the hosting provider (back door) and security measures disabled.

Any thoughts on risks that might be missing here?

I already have some thoughts on a number of these risks:

  1. Our solution has fail over to a different physical location, so covered.
  2. Data is replicated in real time to another physical location and backed up off-site.
  3. I’m not sure if a drive can be removed and data left intact on the DigitalOcean platform, but I think MariaDB 10.1 with encryption at rest may address this as long as I keep the encryption key off of the server.
  4. Remotely check for changed configuration files?
  5. Can I assume there is no backdoor into our servers without a signed agreement to that effect?
  6. Can I assume there is no backdoor into our servers without a signed agreement to that effect?

If I can build a solid list of risks and mitigation strategies, I’ll pull it together in a DigitalOcean Tutorial and hopefully our shared knowledge and expertise can make DigitalOcean a viable platform for HIPAA compliant solutions.

Thanks in advance for any help you might be able to offer.


I’d be happy to show one of our HIPAA compliance experts this and see if there are any possible walkarounds. If anyone has any direct questions please let me know and I’d be happy to help.

This is the heart of my challenge and perhaps a question you could ask for me.

If an application is designed to handle encryption of PHI from the time it is entered until the time it is rendered back on the screen, without dependencies on infrastructure services, then do we need to pursue a BAA from the provider of our infrastructure services?

In our case, PHI is encrypted in the application before it is ever written to storage (file or database). The user provides a second HIPAA access key when they sign in. We, the application provider cannot read the data and the hosting provider would definitely not be able to read the data, even if they pulled a drive from a machine.

The only real exposure here would be if the hosting provider, DigitalOcean, had a “back door” into our virtual machines and could change application code. If DigitalOcean can achieve PCI compliance, then I would think this has been addressed.



Contrary to your initial statement, I do believe DigitalOcean will sign a BAA, however they are not explicitly HIPAA/HITECH certified. You mentioned AWS meeting your requirements, but not wanting to migrate there — I’m assuming due to their outrageous pricing for their HIPAA compliant servers under a BAA.

Have you looked at LiquidWeb? Perhaps you could use DigitalOcean for development, testing & pre-prod, then a solution like LiquidWeb for production & actual patient data storage. This article explains the various HIPAA compliant hosting options available. Perhaps one of those will meet your needs right out of the box.

The HHS HIPAA Privacy & Security rules keep changing, so it may be best to go with a certified provider and leave the compliance to their security team.

Just my $0.02.

Cheers!


Unfortunately, there’s a lot more to HIPAA compliance than just having solid IT and security controls. In order to sign a BAA, the company has to have policies and procedures for handling of PHI and has to train all of their staff on HIPAA regulations. There are also mandatory risk assessments and other procedures that have to be performed and documented.

There are other implications as well, such as insurance costs (breach insurance is on the rise) and the risk of stiff fines (up to $1.5M per incident) for non-compliance. For this reason, many hosting providers cannot or will not sign a BAA without significant fee increases. Even Amazon charges a penalty by forcing you to run dedicated instances, at an additional cost of $1500+ per month.

You might consider looking at one of the specialized healthcare cloud providers, such as Healthcare Blocks.

According to hhs.gov, the data storage provider must still be HIPAA compliant even if they never see unencrypted data:

  1. Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

David, did you ever find an answer to your question? I’d be interested to know as well.

Have there been any new developments in this area? We routinely build healthcare applications for our clients, but it is on their own metal. We have a number of prospects that would like us to build out their infrastructure as well, and we would love to use DO, but HIPAA is the only roadblock.

Thanks for jumping in @jimmont, I think that HIPAA guidance has gotten even more specific since I last reviewed it. I wrote my original post after working through a HIPAA security assessment and I was convinced I could meet the intent of the law by having my data encrypted at rest and the encryption keys vaulted.

@jsclev Fundamentally understanding “why it’s even necessary” to “sign a BAA” is not necessary for anything (being rational is not part of the deal). It’s baked into and otherwise part of the HITECH Act, which you can read about for yourself at: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/ The guidelines (purely in my opinion) have gone completely off the deep end and compliance is a cost which we will pass on to our customers. I spent a large portion of my day reading the documentation and came to understand the explicit BAA requirement. Unless a cloud provider signs a BAA it doesn’t matter what you do with the data, the service is not in compliance (with the very specific transit exclusion mentioned on hhs.gov, linked above).