Question 22
Domain 1: Cloud Architecture, Governance, and Risk Management
A healthcare organization is planning to migrate to the cloud. They must ensure HIPAA compliance for protected health information (PHI). Which architectural consideration is MOST critical when designing the cloud environment?
Correct answer: B
Explanation
HIPAA requires covered entities and business associates to protect PHI with technical safeguards, including access control and transmission security. Encryption and strict access controls limit unauthorized use and disclosure, which is central to designing a compliant cloud environment for PHI.
Why each option is right or wrong
A. Using the most cost-effective storage solution
B. Implementing appropriate technical safeguards for PHI including encryption and access controls
HIPAA’s Security Rule requires covered entities and business associates to implement technical safeguards for electronic PHI under 45 C.F.R. § 164.312, including access control (§ 164.312(a)) and transmission security (§ 164.312(e)). In a cloud migration, the design must therefore prioritize mechanisms that prevent unauthorized access and disclosure of PHI, with encryption and role-based access controls being the core architectural controls that satisfy those requirements.
C. Selecting a cloud provider with the most data centers globally
D. Ensuring all data is stored in a single geographic region