To be HIPAA OMNIBUS compliant (the OMNIBUS is the final HIPAA law that was 
put into effect on Sept 23rd, 2013), you must have a signed BAA (Business 
Associate Agreement) with each associate that handles PHI (Protected Health 
Information).  This means if you host your app on GAE (Google App Engine), 
Google *MUST*, in order to be HIPAA compliant, sign a BAA with you, 
describing what part of HIPAA they will take responsibility for. 

In dealing with PHI, you need to concern yourself with HIPAA and the HITECH 
act of 2009.  There are many overviews online that describe the laws and 
their requirements.

Currently, Google signs BAAs for Google Apps, but NOT for GAE; they will 
likely not do this for a number of years because much of GAE is still 
experimental and subject to change.

AWS (Amazon Web Services) does sign BAAs and has very similar services to 
GAE.  No knock to Google here, because GAE is going to be incredible when 
it's stable, but AWS is already stable and has a very proven track record; 
it scales like GAE and has very similar features, so most people currently 
go with AWS.  You can also contact Rackspace, Edgeweb, OnlineTech or 
Atlantic.net (and I'm sure many others).  They will all sign BAAs and host 
your PHI.

Once you have a BAA that covers storage, backup, etc., you only need to 
worry about encrypting the transport of PHI using SSL and controlling 
unauthorized access.  All of the hosts I mentioned above *will 
work with you* to figure out what specifically you must do to produce a 
HIPAA compliant final product.  You can also pay about $250-$1,250 
(depending on scope) for a HIPAA compliance audit, and a tech will talk 
with you about your code, check your config settings, verify your setup, 
etc., and sign off that based on the information you provided, you appear 
compliant, or tell you what you still need to do.

In my opinion, unless you're a large corporation, you don't need to hire a 
full time lawyer for simple HIPAA compliance. It's really not that complex, 
especially since hosts handle everything but transport and access concerns, 
which they walk you through anyway.

Prices I've gotten for shared HIPAA hosting through dedicated server 
hosting ranged from $160/mo to $1500/mo with the above hosts.  The costs 
include lots of backups, encryption licenses for MySQL, encrypted drives, 
special audits for their server rooms, and insurance to cover HIPAA risks. 
In almost all cases, it's a lot cheaper to go with a HIPAA host than to 
host a server yourself, and it's much, much cheaper to host PHI correctly 
than to skimp now and pay a minimum $50,000 fine for not being compliant 
later.

Hope some of that helps! :)

On Wednesday, February 6, 2013 8:22:49 PM UTC-5, MDS wrote:
>
> Hello everyone,
>
> I am curious if it is possible to implement a HIPAA compliant application 
> on Google App Engine, or if the way Google App Engine is set up it is not 
> possible to be HIPAA compliant?
>
> I have read the restrictions in the terms of the agreement, stating 
> "Customer acknowledges that the Service is not HIPAA compliant and Customer 
> is solely responsible for any applicable compliance with HIPAA."
>
> I am unsure if this means it is NOT compliant at all or if a specific 
> implementation of an application can be compliant.
>
> Thanks!
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
Visit this group at http://groups.google.com/group/google-appengine.