Cool Technology of the Week: HIPAA-Compliant Public Cloud

By John Halamka
09:04 AM

I've written several posts about BIDMC's use of "private cloud" approaches to host electronic records and gather community-wide quality data. Healthcare organizations have avoided the use of "public cloud" because of HIPAA/HITECH privacy concerns, lack of breach indemnification/data integrity guarantees, and the unwillingness of many cloud providers to sign business associate agreements.

Although it has not been widely discussed in the industry, the Centers for Disease Control has done groundbreaking work to solve these issues, using Amazon's AWS GovCloud to create a national repository of syndromic surveillance data that includes all the safeguards needed to protect privacy, including independent security testing at the FISMA-Moderate level.

CDC is the first government agency to complete all the rigorous certification needed to host sensitive data in the public cloud.

CDC has also built gateways that make it easy for public health departments to submit data to the cloud: a Direct Project adapter, an NwHIN Exchange adapter, and others. Meaningful Use Stage 1 requires the testing of health information exchange with public health, and Beth Israel Deaconess did its transactions with the Boston Public Health Commission (BPHC), which stored them in CDC's public cloud. BPHC was the first public health department in the nation to provide data feeds to the Amazon infrastructure.

Finally, CDC has enabled queries of the cloud data using multiple platforms including open source analytical tools such as R.

A secure, HIPAA-compliant public cloud that includes healthcare information exchange gateways and analytical tools. That's cool!


John Halamka, MD, blogs regularly at Life as a Healthcare CIO.