Georgia loves Google’s cloud, but now it needs HIPAA compliance
In 2013 the state’s Administrative Office of the Courts cut employees a break: It contracted with a consultancy near Atlanta named ScotCro that built a custom application to digitize the entire process. The app accepts online submissions, sends them to the appropriate contact at the state and allows for digital approval. It keeps records of how many workers register, tracks where they’re registering, and helps state officials plan which areas need more or less resources.
ScotCro built the application in the cloud. “We jumped with both feet in to Google App Engine,” CEO Robert McMillan says.
Google App Engine (GAE) is a platform as a service (PaaS), meaning that ScotCro engineers didn’t have to provision virtual machines or configure databases in the cloud. They wrote code that ran in GAE, and Google’s cloud took care of the rest.
“I’ve designed and managed data centers, and I’ll never go back to hardware again,” McMillan says.
Georgia estimates that its new digital process has saved the equivalent of four full-time workers. The app has gotten rave reviews, except from a 92-year-old judge who, rumor has it, refused to use a computer and retired when the app went live. The state has since rolled out the app to seven business units that process applications and renewals. ScotCro has taken a two- to three-week process and turned it into a two- to three-minute one, all thanks to the cloud.
Now ScotCro is hoping to land a new project, but McMillan is wondering whether he’ll be able to use the cloud for this, too.
The next project is for a different agency -- one that McMillan can’t disclose -- that is negotiating with ScotCro to build an app for tracking residents who have received state services. The app involves sensitive patient medical information, so it must comply with the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which safeguard digital health data.
While Google Compute Engine (GCE), a public cloud infrastructure-as-a-service offering that provides virtual machines, storage and databases, is eligible to be HIPAA compliant, GAE is not yet.
Matthew O’Connor, Google’s product manager responsible for security and compliance, says he expects GAE to be HIPAA-eligible in the second quarter of this year. The process to do so involves third-party auditors as well as policies and procedures being set up within the company. “The key theme is to follow good software development practices, good operational procedures and to have solid privacy and security,” he says.
At its most basic, HIPAA “sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information,” according to the U.S. Department of Health and Human Services’ website. It includes a set of federal privacy protections for individually identifiable health information. The regulations are long and multi-faceted, and complicating matters is that there is no standards body or checklist for complying with HIPAA.
“A lot of it is about controlling access to information,” explains Jon Senger, CTO of Vertiscale, a company that creates software that managed service providers use to comply with HIPAA.
No provider can offer a fully HIPAA-compliant computing environment as a service, because meeting the regulations requires the provider and the customer to work together. Instead, providers have established policies and procedures around certain products so that those products meet HIPAA standards. Customers must sign what’s called a Business Associate Agreement (BAA), a legally binding document between users and providers acknowledging that some of the customer’s data is subject to HIPAA rules.
Google isn’t the only cloud vendor tackling HIPAA. Amazon Web Services says that nine of its products, including popular ones like Elastic Compute Cloud (EC2), Simple Storage Service (S3) and Elastic Block Store (EBS), are eligible to be HIPAA compliant if customers sign a standardized BAA with the company. AWS has a white paper describing how to architect applications in its cloud to meet HIPAA guidelines. Microsoft Azure, meanwhile, allows qualified health care companies and their suppliers to use a standardized BAA, which would make their use of Azure HIPAA compliant.
Overall, cloud providers seem to be evolving their platforms to host even the most sensitive, HIPAA-regulated applications. ScotCro understands that it still needs to perform its own due diligence to ensure HIPAA compliance, and that it will have to enter into a BAA. But by using a cloud service, at least it won’t have to host all of the underlying infrastructure itself.