Medical Software Deployment and HIPAA: Cloud, Native, or Hybrid?

by J. David Giese on October 28, 2020

Should your medical imaging application be built for the cloud, native, or a hybrid approach? In this article, we compare several deployment strategies and how each relates to HIPAA compliance. We assume you have some familiarity with HIPAA-terminology.

Software applications can not be HIPAA compliant—only organizations can be HIPAA compliant. For an organization to be HIPAA compliant, it must enact certain administrative policies, provide training to employees, and document that these policies are being met.

Thus, when choosing a deployment strategy, the question is not, “how can we make our software HIPAA compliant?” Instead, the two key questions are:

  1. Will this strategy require us to become a Business Associate, and thus become HIPAA compliant?
  2. What software features do we need to build to enable our customers to easily remain HIPAA compliant?

Below, we list six deployment strategies, along with their advantages and disadvantages. Generic lists like this can be dangerous. Be aware that there are almost undoubtedly project-specific considerations you should consider. Also, we don’t explicitly discuss EMR or PACS integrations. Even so, we hope this list is a useful starting place. Please reach out to us if you would like to discuss the specifics.

1. Native app 🔗

Advantages

Disadvantages

2. Web app served locally 🔗

Advantages

Disadvantages

3. Web app served from cloud 🔗

Advantages

Disadvantages

4. Web app served locally + cloud processing server 🔗

Advantages

Disadvantages

5. Native app + cloud processing server 🔗

Advantages

Disadvantages

6. Web app + cloud processing server + 3rd party HIPAA platform 🔗

Advantages

Disadvantages

Footnotes 🔗

1 It is also possible to deploy a native app if you need the visualization performance but it comes with many of the disadvantages of (1) 2 It may be possible to also use a web app in rare cases. However, web apps don’t provide a reliable way to store long-term data. One exception is if you could use the web app to de-identify the data, but you don’t need to store any PHI for longer than a single session 3 Cloud hosting platforms can go out of business too, however, switching is usually easier

Get Medtech Software Tips

Subscribe using RSS

How frequently are they sent?

We send out tips about once a month.

What will I read?

Articles about software development, AI, signal and image processing, medical regulations, and other topics of interest to professionals in the medical device software industry.

You may view previous articles here.

Who creates the content?

The Innolitics team, and experts we collaborate with, write all of our articles.

Want to know more?

Contact us.