I'm currently working on a cloud-based healthcare idea also. My team and I have been wrangling with the compliant systems and services out there for handling this problem too. The crux really lies in the logistics of the HIPAA standard as every healthcare service storing or transmitting patient information must comply with _at least_ these regulations. Each hospital is liable to run their own EHR system which makes it extremely hard to integrate directly with them in a single broad stroke.
> Am I right to assume that it's nearly impossible to set up a cloud database that is accessed directly from, say, the OR of a hospital?
It depends on you, the employees, and the hospital. HIPAA basically focuses on 3 factors for securing and storing sensitive data: (1) Physical data security, (2) Security of data in transit, and (3) Training of personnel with access to the data. Amazon has HIPAA services that handle (1); 3rd party services like you mentioned above, or you yourself, can handle (2); and 3rd party services, or you yourself, can also handle (3). Assuming you have (1) and (2) squared away, and assuming the employees in the OR have the proper training, there should be no compliance violation.
Thanks for the helpful response. There are a bunch of great resources out there for achieving HIPAA compliance and given those, I'm confident that we can achieve it. What is unclear to me is, if we build such a solution, and then go into the OR, open a browser and type in http://<ourwebapp>.com, I'd expect the odds of us actually reaching that web page are low (e.g. will be blocked by a firewall). Is making sure that channel works just a matter of reassuring and negotiating with the hospital IT so that they ensure such access?
IMO you are thinking too far down the rabbit hole. If you are at the point of being implemented by a hospital or healthcare system, that implies you have already negotiated your product, licenses, etc. and have the green light for all facets of what you offer (i.e. access in the OR) from the boss(es). Hospital IT will listen to whatever said boss tells them to do, such as allowing access to your app if necessary.