HIPAA
Healthcare is a highly regulated environment, and cloud computing infrastructure heightens concerns over privacy, security, access and compliance. The U.S. Congress recognized that advances in electronic technology could erode the privacy of health information. To protect such information, the United States enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the first comprehensive federal protection for the privacy of personal health information.
How does HIPAA apply to cloud computing?
The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) set requirements for individually identifiable health information, referred to as protected health information (PHI).
A covered entity is a health plan, a health care clearinghouse, or a health care provider that electronically transmits health information. When a covered entity engages a cloud service provider (CSP) to create, receive, maintain, or transmit electronic PHI (ePHI) on its behalf, for example to process or store it, the CSP is a business associate under HIPAA. The covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA); the CSP is then both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.
Hosting an application in compliance with the HIPAA and HITECH rules is a shared responsibility between the customer and Tata Communications (TCL). A Business Associate Agreement (BAA) that clearly defines the respective responsibilities of TCL and the customer must be signed.
What is HITECH?
The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the HIPAA rules in 2009. Together, HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI; these provisions are known as the “Administrative Simplification” rules. HIPAA and HITECH impose requirements on the use and disclosure of PHI, the safeguards needed to protect it, individual rights, and administrative responsibilities.
What are the HIPAA rules?
- The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity.
- The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
- The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Is Tata Communications HIPAA compliant?
HIPAA compliance is scoped to the Managed Hosting Services offered by Tata Communications. Tata Communications’ Managed Hosting Service has been assessed as compliant with the control requirements of the HIPAA Final Omnibus Rule covering the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
The Security Rule specifies a series of administrative, physical, and technical safeguards that covered entities must implement to assure the confidentiality, integrity, and availability of ePHI. The assessment covered the following controls:
| Safeguard category | No. of controls |
| --- | --- |
| Administrative Safeguards | 24 |
| Physical Safeguards | 7 |
| Technical Safeguards | 8 |
HIPAA in-scope services:
Managed Hosting Services (MHS)
- Managed Server
- Managed Operating System
- Managed Storage
- Managed Switch
- Managed Firewall
- Managed Backup
- Managed Load Balancer
- Managed Database
- Managed Middleware
- Managed Virtualization
- Managed Disaster Recovery (DR)
| Managed Hosting Services | In-scope services |
| --- | --- |
| Operating System | Microsoft Windows, RHEL, OEL, Solaris, IBM AIX, SUSE Linux, Debian Linux, Ubuntu Linux, CentOS, Fedora |
| Network | VPN gateway, load balancer, switches, router |
| Storage/Backup | Shared and dedicated models, SAN, NAS and FC/iSCSI |
| Database | Oracle, MS-SQL, DB2 or MySQL database administration |
| Middleware | Middleware service is offered on applications including JBoss, Tomcat, Apache, WebLogic and WebSphere |
| Load Balancer | Static, dynamic, persistent: Radware, Citrix, SLB and GSLB, mSLB and mSLB with SSL offload |
| Security | SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network-based vUTM (SIGS), managed and monitored IDS/IPS, OAuth |
Frequently asked questions
What is HIPAA compliance?
HIPAA Compliance refers to meeting the security, privacy, and breach notification requirements set by the Health Insurance Portability and Accountability Act. It ensures that protected health information (PHI) is stored, processed, and transmitted securely. Organisations handling PHI must follow strict administrative, technical, and physical safeguards to protect patient data.
What is the difference between HIPAA and GDPR?
HIPAA focuses specifically on protecting health information in the United States, while GDPR covers all personal data of EU residents across industries. HIPAA Compliance governs PHI through defined rules, whereas GDPR emphasises broader privacy rights, consent, data transparency, and accountability. Both aim to safeguard sensitive information but apply to different regions and data types.
What is the purpose of HIPAA?
HIPAA was created to protect the privacy, security, and integrity of personal health information. It sets national standards for handling PHI, ensuring it is not misused, improperly accessed, or disclosed. Through clear rules, HIPAA strengthens trust between patients and healthcare providers while supporting secure digital health practices.
How does Tata Communications provide HIPAA-compliant cloud solutions for healthcare organisations?
Tata Communications delivers HIPAA-compliant cloud solutions through its Managed Hosting Services, which have been assessed against the HIPAA Security, Privacy, and Breach Notification Rules. The services provide secure infrastructure, access controls, monitoring, backup, firewalls, and physical safeguards. A Business Associate Agreement (BAA) defines the shared responsibilities of Tata Communications and the customer under HIPAA.
What are the key components of the HIPAA Security and Privacy Rules?
The HIPAA Security Rule sets standards for securing electronic PHI through administrative, technical, and physical safeguards. The Privacy Rule governs how PHI can be used and shared, giving individuals rights over their health data. Together, they form the foundation of HIPAA Compliance, ensuring confidentiality, integrity, and controlled access.
What features ensure HIPAA compliance in Tata Communications’ cloud services?
Tata Communications supports HIPAA compliance through managed firewalls, IDS/IPS, SIEM monitoring, secure backups, encrypted storage, strict access controls, and resilient infrastructure. The Managed Hosting Services cover operating systems, networks, databases, middleware, and disaster recovery. These safeguards support the secure handling of PHI across the in-scope services; the customer remains responsible for the controls assigned to it under the BAA.
Disclaimer: IZO™ Cloud is now Tata Communications Vayu Cloud. TATA COMMUNICATIONS VAYU branded services are available in India only.