How to Ensure You Are Using HIPAA Compliant Cloud Storage
For healthcare organizations and other HIPAA covered entities, the most important consideration when selecting a data backup and recovery service is whether the provider offers HIPAA compliant cloud storage.
Today, more and more healthcare organizations are turning to the cloud due to the convenience, affordability, and plethora of advantages it brings. Indeed, as recent research has shown, the global market for cloud technologies in the healthcare industry is expected to grow by $25.54 billion between 2020 and 2024.
As the report notes, “Deploying cloud computing in healthcare ecosystems offers various advantages, including cost savings, enhanced flexibility, and system scalability to the organizations.”
(Image source: businesswire.com)
However, while there is no doubt that utilizing cloud services for data storage offers many benefits, healthcare organizations must ensure that a HIPPA compliant cloud storage service is used to store the protected health information (PHI) of patients.
This is crucial for HIPAA compliance. But what is HIPAA complaint cloud storage exactly, and what do you need to look out for when selecting cloud storage services from vendors?
What Is HIPAA Compliant Cloud Storage?
Via the HIPAA Security Rules, HIPAA requires that healthcare organizations ensure the adequate protection of PHI and electronic PHI (ePHI) through appropriate technical, physical, and administrative safeguards.
In effect, this means that HIPAA compliance depends on the actions of people as much as it does on data security technology. Importantly, these mandates not only concern healthcare organizations themselves, but any cloud service providers they work with as well.
A HIPAA compliant cloud storage service provider will meet implement the necessary technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of all ePHI in its control.
So, let’s break down the safeguards and data security controls your cloud storage partner must provide to ensure HIPAA compliance.
The HIPAA Journal provides a HIPAA Compliance Checklist detailing the three types of safeguard all HIPAA covered entities and their business associates must implement to comply with the HIPAA Security Rule.
Technical safeguards are those that rely on technology to protect ePHI and control access to it. The most important function of any technological storage is that all ePHI data – whether at rest or in transit – is encrypted to NIST standards. This ensures that the data is indecipherable and unusable should a cybersecurity breach occur.
Further to this, the following technical safeguards must also be implemented.
(Image source: hipaajournal.com)
Administrative safeguards refer to the policies and procedures HIPAA covered entities and cloud storage providers put in place to ensure the ongoing protection of PHI.
A crucial element of administrative safeguarding is regular risk assessments, which must be carried out by an assigned Security Officer and Privacy Officer. These officers are also responsible for putting measures in place to protect ePHI, and for governing the HIPAA compliant conduct of the workforce.
(Image source: hipaajournal.com)
Your HIPAA Compliant Cloud Storage Provider Must Sign a Business Associate Agreement
Under HIPAA, any third-party a healthcare organization works with – including cloud storage providers – is classed as a business associate (BA). Business associates must also comply with HIPAA and sign a business associate agreement (BAA) with the healthcare organization before any data is uploaded to the BA’s cloud storage facility.
This is absolutely crucial. No cloud storage service is HIPAA compliant unless a BAA has been signed.
A BAA outlines exactly what the responsibilities of all parties are when it comes safeguarding ePHI.
While many popular cloud storage service providers will sign a BAA, not all are prepared to do so. Two prominent examples are WeTransfer and Apple iCloud – meaning that neither service provides HIPAA compliant cloud storage.
Other vendors will sign a BAA. These include Google Drive, Dropbox, Microsoft OneDrive, and Amazon Web Services (AWS). However, what’s important to note is that although they each support HIPAA compliance, the agreement will typically outline that it is down to the healthcare organization itself (not the cloud storage provider) to configure the system in accordance with HIPAA requirements.
This includes implementing and configuring access controls, audit controls, authentication controls, and in some cases encryption.
These are complicated processes and require constant monitoring and attention. As such, the best solution is to utilize the services of a HIPAA compliant cloud storage specialist.
HIPAA Compliant Cloud Storage from Central Data Storage
Ultimately, healthcare organizations have two main types of cloud storage provider to consider – generalists that support HIPAA by signing a BAA, and HIPAA specialists that work hand in hand with healthcare organizations to ensure HIPAA compliance.
Invariably, going with a HIPAA compliant cloud storage specialist is the best option.
At Central Data Storage, in addition to our beyond-military-grade HIPAA complaint cloud storage and file sharing solutions, we also offer round-the-clock service, data storage support and ongoing guidance on best practices for HIPAA compliance.
HIPAA compliant cloud storage is our business, and nothing is more important to us than the security of your ePHI, and we pride ourselves on developing true partnerships with the businesses we work with.
We help our clients develop policies, procedures, training programs and disaster recovery plans, and make sure they have technical, administrative, and physical safeguards implemented effectively.
We are approved by third-party auditors as 100% compliant with HIPAA, as well as the Health Information Technology for Economic and Clinical Health Act (HITECH), and the General Data Protection Regulation (GDPR).