For healthcare organizations, the primary consideration when selecting a data storage service is whether or not the provider offers HIPAA compliance.
HIPAA, or the Health Insurance Portability and Accountability Act, sets rules for the storage and transfer of protected health information (PHI).
In particular, when it comes to digital data storage, the HIPAA Security Rule mandates that healthcare providers must ensure the adequate protection of electronic protected health information (ePHI) through administrative, technical and physical safeguards.
(Image source: quora.com)
Importantly, HIPAA applies not only to healthcare organizations themselves – known as HIPAA covered entities – but to any data storage service providers they work with as well.
Under HIPAA, cloud storage service providers are known as business associates – and business associates must comply with HIPAA Rules.
Let’s consider the safeguards and security features your data storage service partner needs to provide for HIPAA compliance.
Technical safeguards concern the digital means a data storage service provider employs to protect ePHI. Technical safeguards must include:
- Access controls: to control who has access to systems where ePHI data is stored. Access should be guarded via multi-factor user authentication to confirm the identity of users who attempt to login to the system.
- Audit controls: these provide audit trails that record the activity of users who access the systems where ePHI is stored.
- Integrity controls: these concern the prevention of the manipulation or destruction of stored health data. Integrity control tools must verify that information alteration or deletion is not occurring.
- Transmission security: security mechanisms that protect ePHI access as the data is transmitted over an electronic communications network.
- Disaster Recovery: Under HIPAA, permanent data loss is not acceptable. As such, data storage service providers must maintain retrievable exact copies of ePHI data in order that files are fully recoverable in the event of a data breach or natural disaster.
Administrative safeguards concern the policies and procedures your data storage service provider has in place to ensure the adequate management and maintenance of ePHI protection. Administrative safeguards should include:
- Data access management: organizations must limit the use and disclosure of PHI to the minimum number of people necessary and restrict access to employees with specific authorization.
- Risk analysis and security management: data storage service providers must take steps to identify security risks and mitigate them. They must set up security protections of all potential risks discovered, implement and support ongoing safeguards and record the security steps that are taken.
- Contingency plan: a contingency plan must be in place to secure and retrieve ePHI data in the event of a breach or other data disaster.
Staff training: Regular and ongoing HIPAA training for all staff is required to ensure the latest best practices for HIPAA compliance are followed.
Physical safeguards are those that restrict access to the physical premises, devices, cloud computing and other data storage equipment. Physical safeguards include:
- Facility access: the physical security systems – including locks, CCTV and alarm systems – that limit access to the data storage service provider’s data center.
- Device and media controls: the controls, policies and procedures that ensure that when electronic devices and media are moved, reused, decommissioned and/or discarded, the ePHI contained within are kept secure.
- Workstation security: the physical controls that limit workstation use to authorized users. If necessary, screen barriers may be installed to prevent non-authorized users viewing on-screen ePHI.
Business Associate Agreements
In addition to the above, any data storage service provider a health care organization works with must sign a business associate agreement (BAA).
BAAs detail the responsibilities of covered entities and business associates when it comes to safeguarding ePHI in line with HIPAA requirements.
Obtaining a BAA is crucial for HIPAA compliance, for not all data storage service providers offer HIPAA compliant cloud storage.
BAAs can be obtained from other popular data storage services such as Google Drive, Dropbox and Amazon Web Services (AWS).
However, the agreement will typically clarify that it is down to the healthcare organization itself to configure and maintain the system in compliance with HIPAA Rules.
As such, the best solution is invariably to utilize the services of a HIPAA compliant cloud storage specialist.
Choose a HIPAA Compliant Data Storage Service
For healthcare organizations, it is crucial that a HIPAA compliant data storage service provider is selected for all ePHI data storage needs.
The provider should have proven experience in meeting all technical, administrative and physical safeguards and be willing to sign a BAA.
At Central Data Storage, we’ve been working to keep health care organizations’ ePHI data safe and secure since 2008.
We are approved by third party auditors as 100% compliant with HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) and the General Data Protection Regulation (GDPR).
Our solution has beyond military-grade security features, protecting you against all data threats, including ransomware, cyberattacks and lost and stolen devices.