With the advancement in technology, the adoption of cloud computing in various sectors, especially the health industry, has increased tremendously. However, unlike most businesses and organizations that would opt for any cloud service that meets their needs, the healthcare industry needs to use HIPAA Compliant Cloud Storage services. But what exactly is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, provides rules for the privacy and security of Personal Health Information (PHI) that bind health workers and protect patients. It was one of several laws that governments and organizations enacted to protect user data and ensure data privacy and security after public concern over the many reported security breaches and data losses. HIPAA was later updated in 2009 to include the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA act aims to safeguard patients’ sensitive information, whether in transit (data moving from one location to another over the internet or a private network) or at rest in storage. This post gives a comprehensive guide to the relationship between HIPAA and cloud storage, and lists some of the best HIPAA compliant cloud storage solutions available today.
Benefits of Cloud Storage in Healthcare
Cloud storage is one of the most convenient and efficient methods of storing data online today. Several HIPAA compliant cloud storage solutions already exist, so the only task is choosing the one that meets your needs and standards. The market is so large that every big tech company, Google, Microsoft and Apple among them, offers its own cloud storage service.
- Usability and accessibility: Because all kinds of users utilize cloud storage, these solutions are designed with ease of use and accessibility in mind. For example, Dropbox lets users upload files by drag and drop. Additionally, if you upload files from one computer, you can easily access them from any other device with an internet connection.
- Secure exchange of electronic data: Data privacy and security are always the primary concern in any online activity. As more healthcare systems rely on cloud and telehealth applications, HIPAA compliant cloud storage is necessary to transmit and store patients’ data.
- Cost-efficient: Most healthcare systems rely on HIPAA secure cloud storage because outsourcing data storage lowers start-up costs. Setting up and maintaining the resources and technology to manage data locally or on-premise can be relatively expensive.
- Multiple users support: Most cloud storage solutions are designed and developed to support multiple users. That allows many users from different locations to collaborate on a particular task efficiently. For example, you can have one user uploading patients’ data while another user is checking on patients’ history.
- Synchronization: Data synchronization is one of the most powerful features available in most (if not all) HIPAA cloud storage. When you upload data from one device or location, you can easily access the data from any other device with an internet connection.
HIPAA Compliant Cloud Storage Requirements
Health Insurance Portability and Accountability Act (HIPAA) requires all those working in the healthcare system to handle personal health information (PHI) in a particular manner. Therefore, when choosing HIPAA secure cloud storage options for your healthcare platform, the first step is to examine HIPAA safeguards.
Each HIPAA compliant cloud storage service needs to implement the HIPAA safeguards, which are grouped into three main categories.
- Technical safeguards
- Physical safeguards
- Administrative safeguards
Technical Safeguards
Technical safeguards are put in place to protect PHI from prying eyes and malware. You can find these safeguards in section § 164.304 of the Security Rule in the HIPAA act. Every HIPAA compliant cloud storage provider is required to implement these safeguards in any service it provides to users. This section has five standards.
Access Control
This standard prevents unauthorized persons from viewing electronic PHI. Access control has four specifications that help achieve these security measures.
- Unique user identification
- Emergency access procedure
- Automatic logoff
- Encryption and decryption
Audit Controls
This standard requires mechanisms that record and allow you to examine activity in systems that contain electronic PHI; most software applications provide audit logs for this purpose.
Integrity
This standard has only one addressable specification: to ensure the system performs as intended without intentional or accidental manipulation.
Person or entity authentication
Authentication refers to passwords, user IDs, and other features such as fingerprints or biometrics. A user must prove their identity by entering credentials.
Transmission Security
This standard protects data in motion (information transmitted over the internet or a public or private network). Key features stipulated by this standard include integrity controls (such as firewalls and intrusion detection systems) and data encryption.
Physical Safeguards
Physical safeguards focus on protecting hardware such as storage media and the places where electronic PHI is stored. Unfortunately, these safeguards cannot be implemented or enforced from the user's end. Therefore, choose a HIPAA compliant cloud storage provider with a good reputation for data security.
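The five technical standards above are easier to picture in code than in regulatory prose. The following toy access gateway is an added illustration, not code from the original post or from any vendor it mentions: it shows unique user identification, automatic logoff after an idle period, an audit entry for every access attempt (allowed or denied), and an integrity check over stored records. It assumes an in-memory record store and a caller that passes the current time in; IDLE_LIMIT, the integrity key and the sample record are constructed values chosen for the demonstration.

```python
"""Toy PHI access gateway illustrating HIPAA technical safeguards (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

IDLE_LIMIT = 15 * 60  # seconds of inactivity before automatic logoff (assumed policy value)


@dataclass
class Session:
    user_id: str           # unique user identification: one id per person, never shared
    last_activity: float   # time of the last request, used for automatic logoff


@dataclass
class Gateway:
    integrity_key: bytes
    records: dict = field(default_factory=dict)   # record_id -> (json bytes, hmac hex)
    sessions: dict = field(default_factory=dict)  # token -> Session
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id, action, record_id, outcome, now):
        # Audit controls: every access attempt is recorded, whether allowed or denied.
        self.audit_log.append({"time": now, "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    def store(self, record_id, payload):
        # Integrity: keep an HMAC over the canonical JSON so later tampering is detectable.
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self.integrity_key, body, hashlib.sha256).hexdigest()
        self.records[record_id] = (body, mac)

    def login(self, user_id, now):
        # Person or entity authentication happens before this call; here we only
        # issue an unguessable session token bound to the authenticated user id.
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user_id, now)
        self._audit(user_id, "login", None, "allowed", now)
        return token

    def read(self, token, record_id, now):
        """Return the record for a valid, non-idle session; None otherwise."""
        sess = self.sessions.get(token)
        if sess is None:
            self._audit("unknown", "read", record_id, "denied: no session", now)
            return None
        if now - sess.last_activity > IDLE_LIMIT:
            del self.sessions[token]  # automatic logoff
            self._audit(sess.user_id, "read", record_id, "denied: idle timeout", now)
            return None
        sess.last_activity = now
        stored = self.records.get(record_id)
        if stored is None:
            self._audit(sess.user_id, "read", record_id, "denied: no such record", now)
            return None
        body, mac = stored
        expected = hmac.new(self.integrity_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            self._audit(sess.user_id, "read", record_id, "denied: integrity check failed", now)
            return None
        self._audit(sess.user_id, "read", record_id, "allowed", now)
        return json.loads(body)


def demo():
    """Walk through the main outcomes; returns the audit log for inspection."""
    gw = Gateway(integrity_key=b"constructed-demo-key")
    gw.store("r1", {"patient": "P-0001", "dx": "example"})  # constructed sample record
    tok = gw.login("nurse.jane", now=0)
    gw.read(tok, "r1", now=100)                   # allowed
    gw.read(tok, "r1", now=100 + IDLE_LIMIT + 1)  # automatic logoff
    gw.read("bogus", "r1", now=2000)              # no such session
    tok2 = gw.login("nurse.jane", now=3000)
    body, mac = gw.records["r1"]
    gw.records["r1"] = (body.replace(b"example", b"altered"), mac)  # simulate tampering
    gw.read(tok2, "r1", now=3001)                 # integrity check fails
    return gw.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In a real deployment the clock comes from the server, the audit log is written to append-only storage the application user cannot modify, and the integrity key lives in a key management service rather than in code.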
This particular safeguard has four standards.
- Facility access controls
- Workstation use: This standard requires policies to specify what happens at each workstation.
- Workstation security: This standard requires policies to restrict access to electronic PHI to authorized users.
- Device and media controls: This standard requires policies to govern the movement and disposal of e-PHI.
Administrative Safeguards
Administrative safeguards include cloud assessment, staff management and training, data access management, planning for crises and damage, and security awareness training.
Best HIPAA Compliant Cloud Storage Vendors
If your healthcare team or organization plans to use HIPAA compliant cloud-based storage, it helps to have somewhere to start. The team behind this post researched extensively to identify some of the best cloud storage platforms that meet all the HIPAA requirements discussed in the previous section.
Most businesses and organizations rely on the vendors listed below for their sound business practices, especially their willingness to sign Business Associate Agreements (BAAs). You will get enough dedicated storage space at a reasonable cost.
Google Cloud Drive
First on the list is Google Cloud, one of the most popular HIPAA compliant cloud storage options. Since 2013, Google has signed BAAs covering the entire G Suite, making the Google Cloud Platform HIPAA compliant. G Suite comprises various productivity tools, including Gmail, Google Drive, Google Calendar, and Google Vault. However, some of the non-core services provided by these applications need to be disabled to maintain compliance.
To ensure the HIPAA compliance requirements are met, Google encourages users to enable certain safeguards, which include:
- Configure access controls carefully
- Use 2-factor authentication for access
- Use strong passwords
- Turn off file syncing
- Set link sharing to off
- Disable offline storage for Google Drive
- Disable access to apps and add-ons
To learn more about the features and safeguards that Google recommends for HIPAA compliant cloud storage, go through their official Guide for HIPAA Compliance with G Suite.
Google also provides users with a range of industry-standard audits and certifications, including ISO 27001, ISO 27017, ISO 27018, SSAE16/ISAE 3402 Type II, FedRAMP ATO, and PCI DSS v3.2.1.
Is Google Cloud storage HIPAA compliant? According to the HIPAA journal, “G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.”
Microsoft OneDrive
Microsoft was one of the first cloud storage vendors to show support for the HIPAA-HITECH acts. They offer BAAs for enterprise cloud services which cover various Microsoft products, including Microsoft Azure, Microsoft Dynamics 365, OneDrive for Business, and Microsoft Power BI.
Some of Microsoft’s HIPAA-compliant security measures and safeguards include:
- 256-bit AES encryption
- 2048-bit keys for establishing SSL/TLS connections
- ISO/IEC 27001 and HITRUST CSF certifications
Additionally, Microsoft requires all its vendors and subcontractors to uphold the same HIPAA safeguards and requirements while rendering their services to users.
However, OneDrive is not HIPAA compliant just because Microsoft will sign a BAA with your healthcare platform. The actions and safeguards users carry out while using the cloud service determine HIPAA compliance; using a specific piece of software or cloud service is only one aspect of it.
According to Microsoft, “Your business is responsible for ensuring that you have a proper compliance policy and internal processes in place, and that your specific usage of Microsoft services fits with HIPAA and the HITECH Act.”
Amazon Web Services (AWS)
AWS is one of the best options for developers and businesses looking for a reliable cloud storage platform. However, is AWS HIPAA compliant? Yes and No.
“Yes” because AWS has numerous “HIPAA-eligible services,” and it also signs BAAs with healthcare organizations that ensure the full provision of security, control, and administrative safeguards as required by HIPAA. “No” because users can make configuration errors that leave PHI unprotected and accessible to unauthorized personnel. Therefore, ensuring that your health organization is HIPAA compliant requires cooperation from both parties.
Previously, the Amazon BAA required all users under the HIPAA compliance program to use Amazon EC2 Dedicated Instances or Dedicated Hosts when processing PHI. However, that’s not the case today. Each AWS service comes with the following useful features to address data security issues.
- Networking and Firewall
- Access Control
- Encryption
- Backup
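The "No" half of the answer above is about configuration, so a concrete check is more useful than the feature list alone. The script below is an added example, not AWS's own tooling and not code from the original post. It evaluates one bucket against the four feature areas just listed (public-access blocking for networking and access control, default server-side encryption, versioning as a backup measure, and access logging as an audit control). The input dicts follow the shapes boto3 returns from get_public_access_block, get_bucket_encryption, get_bucket_versioning and get_bucket_logging, but the two sample buckets are constructed so the check runs without an AWS account, and the severity labels and bucket names are this example's own.

```python
"""Offline check of an S3 bucket's PHI-relevant settings (added example)."""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_bucket(name, public_access_block=None, encryption=None, versioning=None, logging=None):
    """Return a list of (severity, message) findings for one bucket."""
    findings = []
    # Networking / access control: all four public-access-block flags must be on.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(("HIGH", f"{name}: public access block flag {flag} is off"))
    # Encryption at rest: a default SSE rule must exist; a KMS key adds key-usage audit.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(algos):
        findings.append(("HIGH", f"{name}: no default server-side encryption configured"))
    elif "aws:kms" not in algos:
        findings.append(("LOW", f"{name}: default encryption is SSE-S3, not a KMS key"))
    # Backup: versioning protects against accidental overwrite and deletion.
    if (versioning or {}).get("Status") != "Enabled":
        findings.append(("MEDIUM", f"{name}: object versioning is not enabled"))
    # Audit controls: server access logging records object-level reads.
    if "LoggingEnabled" not in (logging or {}):
        findings.append(("MEDIUM", f"{name}: server access logging is disabled"))
    return findings


# Constructed sample inputs, shaped like the boto3 responses named above.
WEAK_BUCKET = dict(
    name="phi-uploads-weak",
    public_access_block={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
    encryption={},                      # no default SSE rule at all
    versioning={"Status": "Suspended"},
    logging={},
)
HARDENED_BUCKET = dict(
    name="phi-uploads-hardened",
    public_access_block={"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "alias/phi-key-placeholder"}}]}},  # placeholder key alias
    versioning={"Status": "Enabled"},
    logging={"LoggingEnabled": {"TargetBucket": "phi-access-logs", "TargetPrefix": "uploads/"}},
)


def audit_samples():
    """Run the check over both constructed buckets; returns {bucket name: findings}."""
    return {b["name"]: check_bucket(**b) for b in (WEAK_BUCKET, HARDENED_BUCKET)}


if __name__ == "__main__":
    for bucket, findings in audit_samples().items():
        print(bucket, "OK" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

To run it against live buckets, fetch each input with the corresponding boto3 S3 client call (for example `get_public_access_block(Bucket=name)`) and treat the `NoSuchPublicAccessBlockConfiguration` and `ServerSideEncryptionConfigurationNotFoundError` client errors as an empty dict, which the checker then reports as a finding.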
If you want to get more acquainted with Amazon's HIPAA compliance program, check out their 26-page whitepaper, Architecting for HIPAA Security and Compliance on Amazon Web Services.
Box
Box is another lesser-known HIPAA compliant cloud storage platform, best suited for users who need unlimited storage capacity. The service added HIPAA/HITECH support in 2013. In the past few years, Box has positioned itself as the right software solution for enterprises needing HIPAA compliant cloud storage services, and it is happy to sign a HIPAA Business Associate Agreement (BAA) with health organizations.
Features available with Box services include:
- Stellar encryption
- Access control and monitoring
- Reports and logs
- Audit trail for users and content
- Granular permissions
Like most cloud storage services, Box integrates with several other services, including:
- Office 365
- Salesforce
- DocuSign
- Jotform and many other services.
Dropbox Business
Dropbox is one of the most popular cloud services for storing and sharing data. In 2015 the company announced it would include support for the HIPAA and HITECH acts. However, that doesn’t mean anybody with a standard Dropbox account can start processing PHI. If you want access to HIPAA compliant services, you must create a business account.
Some of the administrative features that are available with Dropbox services include:
- Configure sharing permissions
- Manage linked devices
- Disable permanent deletions
- User access
- User activity reports
- Two-step authentication
The Dropbox business plan costs $12.50 per month for five users. It includes Office 365 integration, Jotform integration, collaboration tools, unlimited storage, and system logging and alerts.
Carbonite
Carbonite was among the first few companies to offer cloud storage services to businesses and organizations, starting in 2005. All their cloud services and plans are HIPAA compliant, and they are happy to sign BAAs with their customers. Some of the safeguards they provide include:
- Offsite backup
- Disaster recovery services
Carbonite also follows strict safety protocols. Annual plans range from $269.99 to $1,299.99 per year, with the higher tiers aimed at large organizations.
How to Start Working with a HIPAA Compliant Cloud Storage Vendor
Are you planning to work with a HIPAA compliant cloud storage vendor? If so, below are the steps you need to follow.
- Sign the Business Associate Agreement (BAA) with the vendor: This agreement holds the cloud service accountable for any breach.
- Determine the access permissions provided by the cloud vendor.
- Assess vendors’ compliance on your own.
- Communicate with your business associate’s security experts. They will give you in-depth insight into their platform's security measures, especially if you are interested in using it as secure HIPAA cloud storage.
- Ensure the vendor onboards you with detailed guides and policies for using a HIPAA compliant service.
- Check their HIPAA training.
- Verify your vendor’s security procedures.
- Check their contingency plan
- Ensure your vendor is financially stable and has no history of outages or deleted customer data.
- Each agreement must have a clause describing the conditions for terminating the cooperation and retrieving your data.
Choosing the right vendor is a long-term investment that determines your organization’s safety. Follow these guidelines before starting work with any HIPAA compliant cloud file storage vendor for storing your files and processing PHI.
Final Thoughts
Currently, most patient data is stored in the cloud. Always choose a secure and reliable HIPAA Compliant Cloud Storage to store your sensitive data. However, signing a Business Associate Agreement with a cloud storage vendor is not always enough. The way you utilize their cloud storage services should align with the HIPAA law on cloud storage.
This post has listed some of the common HIPAA compliant cloud storage options you can check out. Examine the cloud vendor’s specific provisions and policies before signing a BAA to get started with their services.
Angus Roberts is an expert in healthcare IT and HIPAA compliance. He has a strong expertise in AI and Cloud technologies and has been working with these technologies for the past decade. Angus is also a frequent speaker at conferences in the US and Europe on topics related to cloud, AI, healthcare IT, HIPAA compliance, cybersecurity, data privacy and more.