HIPAA Compliant Cloud Storage
Cloud computing provides undeniable benefits for storing and accessing electronic health records. Files stored in the cloud are accessible anytime and anywhere from any device, which makes it easy to share critical medical information between healthcare workers. But is cloud storage secure enough to store, access and transfer sensitive personal and medical information?
When a covered entity stores PHI in the cloud, the cloud storage service is considered by law to be a business associate of the covered entity. To be HIPAA compliant, therefore, a Business Associate Agreement has to be in place. That agreement needs to state that the cloud service provider shall:
A HIPAA-compliant cloud storage service incorporates the controls required to ensure the confidentiality, integrity and availability of ePHI. The covered entity remains responsible for developing policies and procedures covering how its staff use that storage for ePHI.
The HIPAA Security Rule requires covered entities and business associates to protect the integrity of ePHI, guarding it against unauthorized destruction or alteration. As part of their risk analysis, organizations must identify everywhere ePHI is stored, received, maintained and transmitted. That inventory requires special care with cloud storage, where files may be synchronized to many endpoints and shared by link.
Dropbox Business offers a BAA for covered entities and can be configured to offer HIPAA-compliant cloud storage. The service provides a variety of administrative controls, including user access review and user activity reports. It also allows for the review and removal of linked devices and enables two-step authentication for additional security.
Google offers a BAA as an addendum to the standard G Suite Agreement. While not all G Suite products are covered by the BAA, a number of useful Google apps can be configured to meet the legal requirements for storing and sharing ePHI.
A HIPAA-compliant cloud infrastructure refers to a cloud service that fulfils the requirements set out in the HIPAA rules. This includes signing a business associate agreement (BAA), encrypting data at rest and in transit, strict access control, and audit logging of every attempt to access data.
Sync.com also offers some of the best deals in cloud storage, including plans with unlimited storage. You can read our full Sync.com for Teams review for more details or sign up for its 5GB free plan.
There is no doubt that using the cloud for data storage offers many benefits, but healthcare organizations need to ensure a HIPAA compliant cloud drive is used to store the protected health information of patients and health plan members. But what is a HIPAA compliant cloud drive? What is the difference between a HIPAA compliant cloud drive and any other form of cloud storage?
Technically, there is no such thing as a HIPAA compliant cloud drive, because no cloud server can be HIPAA compliant on its own. Compliance depends on how people configure and use the service. Even if the provider secures data in the cloud appropriately, a healthcare organization that misconfigures sharing settings or fails to implement appropriate access controls can still violate the HIPAA Security Rule.
A HIPAA compliant cloud drive will incorporate the controls necessary to safeguard the confidentiality, integrity, and availability of electronic protected health information. The cloud service provider will agree to implement safeguards to secure data transmitted to the cloud, to store data securely, and to provide a system in which data access can be carefully controlled. The platform will also record logs of all activity, including successful and failed access attempts, so that the covered entity can review them.
Since access to data in the cloud is effectively given to the service provider, that entity is classed as a HIPAA business associate. Therefore, a HIPAA compliant business associate agreement must be obtained before any HIPAA-covered data is uploaded to the cloud. For any cloud storage service to be HIPAA compliant, the service provider MUST be prepared to sign a business associate agreement with the covered entity.
Google will sign a BAA for Google Drive, so the business version of Google Drive can be used as a HIPAA compliant cloud drive. Box and Dropbox have also announced that they support HIPAA compliance and are prepared to sign a BAA, and Microsoft will sign a BAA for Microsoft OneDrive. iCloud, on the other hand, should not be used: at the time of writing, Apple will not sign business associate agreements with HIPAA covered entities.
We're starting our list with our favorite HIPAA compliant cloud storage option for small practices: Google Drive. It's easy to use, has tons of features and can be used in a HIPAA compliant environment.
Our favorite service, hands down, is Google Drive, which is part of Google's excellent Google Workspace. It's one of the easiest services to use and a great value for the price to achieve the most secure cloud storage option. PCMagazine also loves it, giving Google Drive an excellent rating.
Google will sign a HIPAA Business Associate Agreement (BAA) for Google Workspace clients. It covers Gmail, Google Drive, Google Calendar, and Google Vault. If Drive's sharing settings are configured so that ePHI can only be shared with authorized users, it's a brilliant choice for HIPAA compliant cloud storage.
Because of its reasonable price, robust features, high level of security, and willingness to sign a HIPAA business associate agreement, we use and recommend Google Drive, which is part of Google Workspace. Google Workspace includes cloud storage, hosted email, and robust online file editors, and is one of the best HIPAA compliant cloud storage services out there. Check out our article about HIPAA compliant Google Drive.
A VoIP or unified communications provider that stores protected health information (PHI) in the cloud is likewise considered a business associate (BA). To ensure HIPAA compliance, BAs must sign a business associate agreement (BAA) with the healthcare organization. This agreement sets out the BA's obligations under HIPAA.
Microsoft OneDrive is a cloud storage service that enables teams to securely share files from anywhere. Microsoft will sign a BAA for its HIPAA-eligible plans, and the underlying services are audited by accredited independent auditors, holding ISO/IEC 27001 certification and HITRUST CSF certification. Other features include data encryption and retention, sensitivity labels, and file auditing and reporting.
Box is a content cloud platform that lets users share files, collaborate, and store unlimited data. The Enterprise plan is compliant with various regulations, including HIPAA and HITECH (Health Information Technology for Economic and Clinical Health). This package has advanced security features, like device trust, password policy enforcement, and admin role delegation.
Google Drive is a cloud storage service that enables users to store and share files online. It offers a free version for personal use, and businesses can subscribe to a Google Workspace plan. Google Workspace packages come with Drive and other apps, such as Meet, Docs, Chat, and Forms. Those looking for an all-in-one platform can also add the Google Voice app to access voice-over-internet-protocol (VoIP) phone features.
Dropbox Business provides a BAA that lets covered entities (CEs) configure its cloud storage platform to comply with the HIPAA Security Rule. Its service offers administrative controls, such as user activity reports and user access review. Other features include linked device review and removal as well as two-step authentication.
Dropbox Business is more expensive than most of its popular competitors, such as OneDrive. It also shares some common cloud storage issues, such as occasional slow file synchronization and lag.
We looked into HIPAA-compliant file storage solutions that provide a free plan with a reasonable amount of storage. We checked out which providers offer monthly and yearly billing options and those that provide discounts for annual contracts and businesses with more users.
We analyzed cloud storage services that offer at-rest and in-transit data encryption. We also checked for additional security measures, such as access control and data classification. We also considered those that provide generous storage capacity, including those with unlimited offers.
HIPAA compliant storage must meet specific requirements regarding patient record security and the enforcement of security policies. When choosing storage options for your healthcare platform, the first step is to examine the HIPAA safeguards (administrative, physical and technical) and build them into the architecture.
Along with securing the software, controlling hardware is just as important. An attacker who gains physical control of a device may use it to reach the platform and any patient data cached or stored on its local drive. Even if you rely on the cloud for ePHI storage, protecting endpoint hardware remains a priority.
According to official HIPAA guidance, healthcare institutions may use HIPAA compliant cloud storage for ePHI processing. Choosing a vendor that will sign a BAA and has implemented its own safeguards removes one legal obstacle, but it does not remove the covered entity's own obligations to configure, monitor and use the service correctly.
The best way currently available to store medical files and share them between parties is HIPAA-compliant hosting. Many cloud apps are designed for file sharing (examples include Box, Dropbox, and Google Drive), letting you back up files and synchronize data between devices. However, general-purpose consumer offerings are not designed around the encryption, access control and audit requirements that apply to electronic protected health information, which is where HIPAA-compliant cloud storage services come in.
When a public cloud provider declares it is HIPAA compliant, this means the underlying infrastructure meets the provider's share of the requirements. HIPAA-covered entities remain responsible for identifying the requirements the provider does not cover, such as configuring access controls and sharing settings, monitoring for security incidents, and auditing their own users' activity.
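As an added example (not code from this page or from any of the providers named above), the following Python script shows the kind of audit-log review a covered entity is still responsible for once the provider has signed the BAA. It reads the access and sharing events a storage platform logs and flags two things the page mentions: ePHI shared outside the organization (link sharing or external recipients, the misconfiguration described earlier) and bursts of failed access attempts. The event schema, the sample log lines, the organization domain `clinic.example` and the failure threshold are all constructed assumptions for the example, not any provider's real audit format.

```python
"""Review cloud-storage audit events for two HIPAA-relevant conditions:
(1) ePHI objects shared beyond the organization (link sharing or an
    external recipient) and
(2) bursts of failed access attempts that may indicate credential guessing.

The event schema and sample events are constructed for this example; they
are not the audit log format of any particular cloud provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

ORG_DOMAIN = "clinic.example"   # assumption: the covered entity's own domain
FAILED_THRESHOLD = 5            # assumption: 5+ failures inside WINDOW is suspicious
WINDOW = timedelta(minutes=10)

# Constructed sample log: newline-delimited JSON, one event per line.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "actor": "nurse@clinic.example", "action": "share", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": "dr.lee@clinic.example", "outcome": "success"}
{"ts": "2024-03-01T09:01:10Z", "actor": "billing@clinic.example", "action": "share", "object": "claims/2024-02.xlsx", "classification": "ePHI", "target": "anyone_with_link", "outcome": "success"}
{"ts": "2024-03-01T09:02:00Z", "actor": "nurse@clinic.example", "action": "share", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": "friend@gmail.com", "outcome": "success"}
{"ts": "2024-03-01T09:03:00Z", "actor": "admin@clinic.example", "action": "share", "object": "public/newsletter.docx", "classification": "public", "target": "anyone_with_link", "outcome": "success"}
{"ts": "2024-03-01T09:10:00Z", "actor": "temp@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
{"ts": "2024-03-01T09:10:05Z", "actor": "temp@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
{"ts": "2024-03-01T09:10:09Z", "actor": "temp@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
{"ts": "2024-03-01T09:10:20Z", "actor": "temp@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
{"ts": "2024-03-01T09:10:31Z", "actor": "temp@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
{"ts": "2024-03-01T09:11:30Z", "actor": "temp@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "success"}
{"ts": "2024-03-01T09:15:00Z", "actor": "dr.lee@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
{"ts": "2024-03-01T09:40:00Z", "actor": "dr.lee@clinic.example", "action": "access", "object": "labs/patient-4421.pdf", "classification": "ePHI", "target": null, "outcome": "failure"}
"""


def parse_events(text):
    """Parse NDJSON audit lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_external(target):
    """True for link sharing or any recipient whose domain is not ORG_DOMAIN."""
    if target is None:
        return False
    if target == "anyone_with_link":
        return True
    return target.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def find_exposed_phi(events):
    """Successful share events that put an ePHI object outside the organization."""
    return [
        (ev["object"], ev["actor"], ev["target"])
        for ev in events
        if ev["action"] == "share"
        and ev["classification"] == "ePHI"
        and ev["outcome"] == "success"
        and is_external(ev["target"])
    ]


def find_failed_bursts(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Actors with at least `threshold` failed accesses inside any sliding window.

    Returns {actor: peak failures observed within one window}.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "access" and ev["outcome"] == "failure":
            failures[ev["actor"]].append(ev["ts"])
    flagged = {}
    for actor, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until every timestamp in it is within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


def review(text):
    """Run both checks over a raw NDJSON log and return the findings."""
    events = parse_events(text)
    return {
        "exposed_phi": find_exposed_phi(events),
        "failed_bursts": find_failed_bursts(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```

On the sample log the review flags the spreadsheet shared by link and the lab report shared to a Gmail address, and it flags `temp@clinic.example` for five failures in about thirty seconds; the two failures from `dr.lee@clinic.example` are 25 minutes apart and fall below the threshold. In practice the classification field would come from the platform's data classification or sensitivity labels, and the findings would feed a ticket or SIEM alert rather than a print statement.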