Readers Write: Santa Claus, Flying Reindeer, and the HIPAA-Compliant Data Center

December 18, 2013

By Grant Elliott

This holiday period will see a rerun of many classic holiday movies, one of my particular favorites being Miracle on 34th Street. It is a delightful film about the importance of retaining faith even in the absence of any evidence, in this case evidence of whether Santa Claus is real. As C.F. Cole puts it in the 1994 remake of the movie, “We invite you to ask yourself this one simple question: do you believe in Santa Claus?”, after which people all across the city start putting up signs proclaiming, “We believe.”

As I walked around the exhibition floor of the 2013 mHealth Summit last week, I felt I was being asked to take a similar leap of faith. Specifically, that every company there was HIPAA compliant simply because they said so. For most, it would be part of their sales pitch. The term “HIPAA compliant” would be sprinkled liberally throughout the description of their service. For some, it was actually emblazoned on their wall posters. “HIPAA Compliant Data Hosting” and “HIPAA Compliant Mobile Development” are two I specifically recall.

When I challenged them on what they were actually doing to be HIPAA compliant, the answer was too often limited to, “We store our data in an encrypted database,” or, “We use a HIPAA-compliant data center.” Therein lies a key challenge within the SMB health tech marketplace. Too many companies simply do not know what it means to be HIPAA compliant. That is a particular concern given that recent changes in the law mean they are now federally required to be so.

Why is simply storing data in an encrypted database an insufficient response?

The objective of HIPAA is to protect the “confidentiality, integrity, and security” of electronic Protected Health Information (ePHI). While encrypting data can certainly be a part of this, it does not cover the many other aspects also required, including determining who has access to the data; how and where the data is being shared; who can edit or delete the data; and so on.

The HIPAA security rule alone contains 42 standards and implementation specifications spread across three groups – administrative, physical, and technical. This is separate from the HIPAA Privacy and Breach Notification Rules, both of which are part of the overall HIPAA compliance requirements.

If you scratch a little deeper into the companies that claim to offer HIPAA-compliant hosting services, pay particular attention to the wording they use. While they may be willing to sign a Business Associate Agreement, they deliberately stop short of promising to provide a HIPAA-compliant solution. This is because they do not control access to the application — the solution provider does.

The next time a company tells you they are HIPAA compliant because they store their data in a HIPAA-compliant database or data center, you are certainly welcome to take a leap of faith. In the movie, after Judge Henry Harper is presented with evidence that the US Postal Service is delivering letters addressed to Santa Claus, he declares that, “…since the United States Government declares this man to be Santa Claus, this court will not dispute it.” However, I doubt that the enforcement arm of the Office for Civil Rights will be as liberal in its judgments.

Grant Elliott is founder and CEO of Ostendio of Washington, DC.

1 comment on this article:

  1. Great post Grant!

    Our industry is always looking to buy point solutions to problems.

    The problem with HIPAA compliance is that, while an organization can buy tools and services to help it achieve compliance, actually BEING HIPAA compliant is all about 1) the risk assessment conducted by the covered entity, 2) the policies, tools and procedures it establishes to manage that risk, 3) the implementation and training of those policies and procedures among the organization's employees, and 4) monitoring that risk on an ongoing basis.

    In a nutshell, it's about what an organization does — not what tools and services it buys. I continue to be amazed by the misinformation and amount of confusion in the industry on this important topic!
