It is back to school time, which means if you are a parent with younger children, it is time to fill out countless forms and medical records. I have three children and each one requires about 6 different forms. This process used to take me hours and all I was left with was a sore neck, cramped hand, and an empty glass of wine (or two).
Fortunately, the school this year decided to move everything over to a new, pre-populated, SaaS application. It was convenient, fast, and easy to use. It saved me time, but then got me thinking…here I am sharing my children’s medical information and history, how secure is this application’s back-end? Followed by, I sure hope the SaaS provider is hosting this all on a serverless platform to save some money!
So, how do medical forms collected for school purposes fall within the scope of HIPAA (the Health Insurance Portability and Accountability Act)? Unfortunately, the answer is that they don’t.
In most cases, the school is not a covered entity under HIPAA, since it is only storing the healthcare records for educational purposes. This means that it is not required by law to comply with the privacy and security requirements of HIPAA. It does, however, have to comply with FERPA (the Family Educational Rights and Privacy Act), which has broader and less prescriptive security guidelines.
If you need some “light reading,” I highly recommend you check out the following guidance report, but if you don’t have time, here is the CliffsNotes version:
When a school provides health care to students in the normal course of business, such as through its health clinic, it is also a “health care provider” as defined by HIPAA. If a school also conducts any covered transactions electronically in connection with that health care, it is then a covered entity under HIPAA. As a covered entity, the school must comply with the HIPAA Administrative Simplification Rules for Transactions and Code Sets and Identifiers with respect to its transactions. However, many schools, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records maintained by the school are “education records” or “treatment records” of eligible students under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule.
Okay, so how does this tie back to HIPAA compliance and serverless security? All of the recorded information supplied by my children’s pediatrician and dentist is covered and protected under HIPAA, and I did grant them permission to share it. But once it is transmitted to the children’s school via the SaaS application, which may or may not be hosted on serverless, the HIPAA protection is gone and we enter the world of FERPA.
While we do not want to place unnecessary burdens on an already heavily regulated and resource-constrained system, the HIPAA Privacy Rule contains some excellent guidelines and best practices that are worth following for providers that handle medical information but are not technically covered entities.
As SaaS providers migrate their applications to serverless, understanding these compliance rules, restrictions, and policies, and how they apply to serverless applications on AWS Lambda, Google Cloud, Microsoft Azure, etc., can help better protect everyone (patients, providers, educators), ensuring they not only have HIPAA-compliant applications but also greater protection and efficiency.
In fact, at Protego Labs, we are working with many clients across both healthcare and education who are applying the principles outlined in HIPAA, and other regulations, to establish security best practices for their serverless deployments.
HIPAA Compliance with Serverless Architectures
So what does serverless security for healthcare and other related industries entail? Below is an outline of how common security controls apply to ensure HIPAA compliance with serverless architectures, highlighting some of these best practices: