
Readers Write: Santa Claus, Flying Reindeer, and the HIPAA-Compliant Data Center

December 18, 2013 Readers Write 1 Comment

By Grant Elliott


This holiday period will see a rerun of many classic holiday movies, one of my particular favorites being Miracle on 34th Street: a delightful film about the importance of retaining faith even in the absence of any evidence, in this case, whether Santa Claus is real. As C.F. Cole puts it in the 1994 remake of the movie, “We invite you to ask yourself this one simple question: do you believe in Santa Claus?” after which, all across the city, people start putting up signs proclaiming, “We believe.”

As I walked around the exhibition floor of the 2013 mHealth Summit last week, I felt I was being asked to take a similar leap of faith: to accept that every company there was HIPAA compliant simply because it said so. For most, it was part of their sales pitch; the term “HIPAA compliant” was sprinkled liberally throughout the description of their service. For some, it was actually emblazoned on their wall posters. “HIPAA Compliant Data Hosting” and “HIPAA Compliant Mobile Development” are two I specifically recall.

When I challenged them on what they were actually doing to be HIPAA compliant, the answer was too often limited to, “We store our data in an encrypted database,” or, “We use a HIPAA-compliant data center.” Therein lies a key challenge within the SMB health tech marketplace. Too many companies simply do not know what it means to be HIPAA compliant. That is a particular concern given that recent changes in the law mean they are now federally required to be so.

Why is simply storing data in an encrypted database an insufficient response?

The objective of HIPAA is to protect the “confidentiality, integrity, and security” of electronic Protected Health Information (ePHI). While encrypting data can certainly be a part of this, it does not cover the many other aspects also required, including determining who has access to the data; how and where the data is being shared; who can edit or delete the data; and so on.

The HIPAA security rule alone contains 42 standards and implementation specifications spread across three groups – administrative, physical, and technical. This is separate from the HIPAA Privacy and Breach Notification Rules, both of which are part of the overall HIPAA compliance requirements.

If you scratch a little deeper into the companies that claim to offer HIPAA-compliant hosting services, pay particular attention to the wording they use. While they may be willing to sign a Business Associate Agreement, they deliberately stop short of promising to provide a HIPAA-compliant solution. This is because they do not control access to the application; the solution provider does.

The next time a company tells you they are HIPAA compliant because they store their data in a HIPAA-compliant database or data center, you are certainly welcome to take a leap of faith. In the movie, after Judge Henry Harper is presented with evidence that the US Postal Service is delivering letters addressed to Santa Claus, he declares that, “…since the United States Government declares this man to be Santa Claus, this court will not dispute it.” However, I doubt that the enforcement arm of the Office for Civil Rights will be as liberal in its judgments.

Grant Elliott is founder and CEO of Ostendio of Washington, DC.

1 comment on this article:

  1. Great post Grant!

    Our industry is always looking to buy point solutions to problems.

    The problem with HIPAA compliance is that, while an organization can buy tools and services to help it achieve compliance, actually BEING HIPAA compliant is all about 1) the risk assessment conducted by the covered entity, 2) the policies, tools and procedures it establishes to manage that risk, 3) the implementation and training of those policies and procedures among the organization's employees, and 4) monitoring that risk on an ongoing basis.

    In a nutshell, it's about what an organization does — not what tools and services it buys. I continue to be amazed by the misinformation and amount of confusion in the industry on this important topic!

