Vy Technology :: Blog :: High quality technology innovation in the shortest amount of time


HIPAA Compliant Software with PHI: In The Cloud vs On-Premise?
Many years ago (before Apple's second surge) I would sit around and listen to technology-minded individuals have very passionate arguments about which was better: Microsoft, Mac, or Linux. I was always perplexed by this debate and found myself uniquely agnostic about the whole thing. When I would reluctantly get dragged into it I would say, "you know, I think they all have their strengths and weaknesses and I like using each of them where they best excel." The only thing they would all agree on: they all hated my answer.

Fast forward to this decade and I find myself again in a unique position. This time it is the new-age version of the age-old battle: should healthcare software that handles PHI and needs to be HIPAA compliant run in the cloud or on-premise?

One thing is for sure, healthcare and banking are the two industries that are most behind in the cloud revolution. This isn't by happenstance. It is because they are the two most regulated industries. And regulation brings confusion. And confusion brings status quo.

The result? You can talk to many within healthcare who will passionately argue that the cloud is not acceptable for healthcare. Some will go so far (wrongly) as to say that not only is it not acceptable, it isn't legal.

To the latter point, that is just flat out wrong. HHS actually released fairly clear and comprehensive (for once?) guidance detailing how cloud computing can be done under the terms of HIPAA. This should be mandatory reading for anyone entering this conversation.

So you then probably think I am a fan of cloud hosting over on-premise? Not quite.

In fact, most of our implementations of Vy Healthcare ERP are on-premise. One thing we pride ourselves on is that the platform can be run in the cloud or on-premise. I am sure there are others out there like us, but I know of no others that enable this versatility. When we run it on the cloud, we use AWS GovCloud. When we run it on-premise, we work with great internal IT teams to ensure security and uptime.

That is one of the beauties of building software with web technologies: it can be deployed cost-effectively anywhere you can spin up a web server. And a web server doesn't care whether it is cloud hosted or on-premise. It is used through a web browser regardless.

What I think is more important is to take you, the customer, into consideration before deciding between the cloud or on-premise. What are your needs? What is your internal server and network infrastructure like? How complex are your internal integration points? What are your uptime needs? How competent is your internal IT team? These are all important questions.

But what is not an important question: does HHS require on-premise hosting for HIPAA compliance? The answer is flat out no.

One last tip if you are going the cloud route. While not required per se, using AWS GovCloud certainly makes things easier. Can you be HIPAA compliant without using AWS GovCloud? Yes. Is it harder to do so? Yes. Why? For starters, it may violate your IT policy. But even if it doesn't, it is likely that sooner or later you will get DFAR-like questions from customers. These are the questions concerned with offshoring and with who has access to your code, data, and network. And while you can certainly still be HIPAA compliant while offshoring data and code, it will also certainly increase your risk assessment workload and security scanning. For what little AWS GovCloud costs over regular AWS, it just isn't worth the headache.

The important thing is to ensure your system is secure. We'd love to talk to you about how Vy Healthcare ERP can do just that for your organization.
