Compliance

chaniska
Are vendors like GoDaddy, Rackspace and similar compliant with health care compliance standards such as HIPAA, OIG, etc.?
Or, when it comes to service providers, how does HIPAA apply?

I'm thinking about their data on products such as SharePoint, Exchange, hosting, etc.
  • robo_dev

    The road does not need to be compliant with the Federal vehicle safety standards.

    The controls related to most, if not all, compliance requirements happen at the application layer and relate to securing the data, not the infrastructure. While the owner of the data does due diligence to make sure the provider meets their security requirements, they are responsible for ensuring that controls over the data, such as encryption, are in place so that the controls over the infrastructure are irrelevant.

    The one issue that is important with hosting providers is that data privacy laws vary from country to country, while the entity that is responsible for the data may be in the US. Therefore, if a US-based hospital has its medical records on an outsourced server in India and there is a data breach, there may be US laws that are broken, but no laws broken where the data is actually located. This complicates the legal issues considerably.

    chaniska

    Thanks for the update. I was trying to get some idea on this matter. :)