
Readers Write: Santa Claus, Flying Reindeer, and the HIPAA-Compliant Data Center

December 18, 2013

By Grant Elliott


This holiday period will see a rerun of many classic holiday movies, one of my particular favorites being Miracle on 34th Street. It is a delightful film about the importance of retaining faith even in the absence of any evidence – in this case, faith that Santa Claus is real. As C.F. Cole puts it in the 1994 remake of the movie, “We invite you to ask yourself this one simple question: do you believe in Santa Claus?” after which people all across the city start putting up signs proclaiming, “We believe.”

As I walked around the exhibition floor of the 2013 mHealth Summit last week, I felt I was being asked to take a similar leap of faith. Specifically, that every company there was HIPAA compliant simply because they said so. For most, it would be part of their sales pitch. The term “HIPAA compliant” would be sprinkled liberally throughout the description of their service. For some, it was actually emblazoned on their wall posters. “HIPAA Compliant Data Hosting” and “HIPAA Compliant Mobile Development” are two I specifically recall.

When I challenged them on what they were actually doing to be HIPAA compliant, the answer was too often limited to, “We store our data in an encrypted database,” or, “We use a HIPAA-compliant data center.” Therein lies a key challenge within the SMB health tech marketplace. Too many companies simply do not know what it means to be HIPAA compliant. That is a particular concern given that recent changes in the law mean they are now federally required to be so.

Why is simply storing data in an encrypted database an insufficient response?

The objective of HIPAA is to protect the “confidentiality, integrity, and security” of electronic Protected Health Information (ePHI). While encrypting data can certainly be a part of this, it does not cover the many other aspects also required, including determining who has access to the data; how and where the data is being shared; who can edit or delete the data; and so on.

The HIPAA security rule alone contains 42 standards and implementation specifications spread across three groups – administrative, physical, and technical. This is separate from the HIPAA Privacy and Breach Notification Rules, both of which are part of the overall HIPAA compliance requirements.

Even if you scratch a little deeper into the companies that claim to offer HIPAA-compliant hosting services, you should pay particular attention to the wording they use. While they may be willing to sign a Business Associate Agreement, they deliberately stop short of promising to provide a HIPAA-compliant solution. This is because they do not control access to the application — the solution provider does.

The next time a company tells you they are HIPAA compliant because they store their data in a HIPAA-compliant database or data center, you are certainly welcome to take a leap of faith. In the movie, after Judge Henry Harper is presented with evidence that the US Postal Service is delivering letters addressed to Santa Claus, he declares that, “…since the United States Government declares this man to be Santa Claus, this court will not dispute it.” However, I doubt that the enforcement arm of the Office for Civil Rights will be as liberal in its judgments.

Grant Elliott is founder and CEO of Ostendio of Washington, DC.

1 comment on this article:

  1. Great post Grant!

    Our industry is always looking to buy point solutions to problems.

    The problem with HIPAA compliance is that, while an organization can buy tools and services to help it achieve compliance, actually BEING HIPAA compliant is all about 1) the risk assessment conducted by the covered entity, 2) the policies, tools and procedures it establishes to manage that risk, 3) the implementation and training of those policies and procedures among the organization's employees, and 4) monitoring that risk on an ongoing basis.

    In a nutshell, it's about what an organization does — not what tools and services it buys. I continue to be amazed by the misinformation and amount of confusion in the industry on this important topic!
