Data privacy and security have become a central aspect of data handling today because of the many recent breaches and subsequent data loss. Governments are now enacting legislation to ensure that an individual’s data is always safe. One such federal law enacted by the US government is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Using a HIPAA-compliant cloud storage service is slowly becoming a necessity in today’s dynamic world.
The HIPAA law strives to protect patients’ sensitive information while the data records are in transit and storage. In this article, I’ll discuss what HIPAA is and how it applies to cloud storage. I’ll also review some of the top HIPAA-compliant cloud storage services available today.
But before that, let’s discuss the basics of HIPAA-compliant cloud storage.
What Is HIPAA-Compliant Cloud Storage?
As more healthcare providers move to the cloud to leverage its benefits, you need to understand the ethical and legal compliance that comes with it. This is where HIPAA comes in handy. When you comply with these HIPAA requirements, you’re likely to provide better data protection to your patients and, at the same time, comply with ethical and legal clauses.
So, how does HIPAA apply to cloud storage? Broadly speaking, a cloud storage provider must have the measures to protect your electronic patient health information (ePHI) from falling into the wrong hands. In addition, the provider has to protect this data while it’s in storage and transit.
Here are some provisions you must consider for HIPAA-compliant cloud storage, starting with the business associate agreement, or BAA for short.
Business Associate Agreement (BAA)
First, when information about a patient or an entity covered by health insurance gets stored in the cloud, that information becomes subject to HIPAA. By law, the cloud service provider offering the storage services becomes your business associate. In turn, this makes the Business Associate Agreement (BAA) mandatory. Some of the criteria of this agreement are:
- Secure data storage
- Safe data transmission
- Controlled data access
- Logged activities related to a covered entity’s information
Confidentiality
Confidentiality is all about preventing unauthorized access to your ePHI. Here, unauthorized access can be of two types. One is an intentional data breach meant to cause harm; the other is unintentional access caused by carelessness or simple human error.
A cloud service provider must have measures to counter both confidentiality issues. Cryptography, using symmetric and asymmetric encryption algorithms such as the Advanced Encryption Standard (AES) and RSA, is the primary defense against intentional data breaches. As for unintentional breaches, role-based and rule-based access control strategies come in handy.
Data Integrity
Data integrity is a set of measures that prevent unauthorized data modification. It also stops unintentional modification by authorized users. To achieve data integrity, companies use a combination of hashing algorithms and security measures like configuration baselining. You want your cloud provider to have security measures that work in tandem with your company’s security policies.
Data Availability
Data availability includes the measures a cloud service provider takes to provide data for authorized users at all times. This is often implemented by a combination of strategies such as load balancing, fault tolerance, backup, redundancy, disaster recovery, and more.
Data Classification
Data classification is an essential HIPAA component as it helps identify the sensitivity levels of your ePHI records. It also distinguishes between regulated and non-regulated information. In turn, this can help you frame appropriate security policies to:
- Prioritize access and other security controls
- Streamline data discovery
- Reduce the chances of data misuse or compromise
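The integrity, access-control, and classification provisions above, shown together as an added example that is not code from this article or from any of the providers reviewed below. The integrity key, the classification scale, and the role clearances are constructed assumptions; a real deployment would hold the key in a key-management service and take roles from an identity provider.

```python
import hashlib
import hmac
import json

# Constructed assumptions for the example: a shared integrity key (in a real
# deployment this comes from a key-management service, never from source code),
# a classification scale, and the clearance each role holds on that scale.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"
SENSITIVITY = {"public": 0, "non-regulated": 1, "ePHI": 2}
ROLE_CLEARANCE = {"guest": 0, "billing": 1, "clinician": 2}


def _canonical(body: dict) -> bytes:
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(body: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag; any later edit to the body invalidates it."""
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def is_intact(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the stored body and compare in constant time."""
    expected = hmac.new(key, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def read_record(sealed: dict, role: str, audit: list) -> dict:
    """Release the record only if the role's clearance covers its classification
    and the integrity tag still verifies; every attempt is logged either way."""
    level = SENSITIVITY[sealed["body"]["classification"]]
    allowed = ROLE_CLEARANCE.get(role, -1) >= level
    intact = is_intact(sealed)
    audit.append({"role": role, "record": sealed["body"]["id"],
                  "allowed": allowed, "intact": intact})
    if not allowed:
        raise PermissionError(f"role {role!r} may not read {sealed['body']['classification']} data")
    if not intact:
        raise ValueError("integrity check failed: record was modified after sealing")
    return sealed["body"]


if __name__ == "__main__":
    log = []
    rec = seal({"id": "rec-001", "classification": "ePHI", "note": "constructed sample"})
    print(read_record(rec, "clinician", log)["id"])  # clearance covers ePHI: released
    rec["body"]["note"] = "tampered"                   # a silent modification ...
    print(is_intact(rec))                              # ... is detected: False
```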
So, these are some important aspects to weigh when adopting HIPAA-compliant cloud storage in your company.
Not all storage services are HIPAA-compliant because they don’t offer the necessary features required to meet HIPAA’s criteria. iCloud, for example, isn’t HIPAA-compliant because it doesn’t offer a BAA.
Therefore, it’s important to choose service providers that are fully HIPAA-compliant, especially when you handle your customers’ ePHI. Let’s see how you can identify such providers in the next section.
Things to Consider before Choosing a HIPAA-Compliant Cloud Storage Provider
Identifying a HIPAA-compliant cloud storage provider isn’t difficult. Just know what questions to ask and what aspects to check. Remember, it’s up to you to ensure compliance, so choosing a service provider is critical. Gather all pertinent information before deciding on an appropriate provider.
Here are some things to look for when choosing a suitable HIPAA-compliant cloud storage provider:
- Inclusion of specific features for HIPAA compliance
- Evidence of HIPAA-compliant measures such as a BAA sample
- Documentation of the incident response process
- Documentation of the disaster recovery plan
- Experience of a data breach and its causes (more importantly, what were the measures taken to prevent such events?)
- Presence of a dedicated HIPAA compliance officer
If this sounds too overwhelming, don’t worry. I’ve compiled a list of the top HIPAA-compliant cloud storage services for you. I’ll discuss each one in detail in the next section!
Top 5 HIPAA-Compliant Cloud Storage Services
Our team extensively scoured the market to find the top HIPAA-compliant cloud storage services that offer all the features I discussed earlier. In addition, these services follow best practices for implementing BAA, encryption to protect your data, and more.
Without further ado, here are the top 5 HIPAA-compliant cloud storage services in the market today. Please note that all of these services sign a BAA with you, per HIPAA norms. Let’s start with GFI Archiver.
1. GFI Archiver
GFI Archiver is a good choice for securely storing your electronic communication and sharing it when needed. With this solution, you can archive your emails and files to reduce server space and retrieve them quickly. You can even index them to effectively search your attachments, files, messages, and emails.
Here’s a look at several features that help with HIPAA compliance:
- Supports rule-based archiving and classification
- Secures access and management of all electronic communication
- Stores information in a centralized and tamper-proof store
- Offers eDiscovery capabilities to authorized users
- Generates reports to identify risks
- Provides data control to users, as they can manually archive emails and messages at any time
In all, GFI Archiver is a good choice for any company looking to archive its emails, faxes, attachments, and other electronic communication in a safe and secure place.
2. Dropbox
Dropbox is a popular choice for storing and retrieving data through a web interface or a desktop/mobile app. It’s designed for secure storage of data and, in particular, helps healthcare providers and companies comply with HIPAA.
Here’s a look at some of Dropbox’s features that help with HIPAA compliance:
- Enables you to easily configure sharing permissions
- Disables permanent deletions if required
- Supports two-step verification to streamline access
- Integrates well with SIEM and identity management tools, such as SolarWinds and ManageEngine, to provide additional protection for your data
Overall, Dropbox strengthens the security and safety of your ePHI and simplifies HIPAA compliance for your company.
3. Google Workspace
Google Workspace is a suite of productivity tools that includes Google Drive, Gmail, Google Docs, and more. This suite is HIPAA-compliant and hence, works well for companies that want to securely store their ePHI data.
Below are some important features of Google Workspace that support HIPAA compliance:
- Generates console reports and logs to identify potential security risks
- Streamlines access to services, like Google Docs, that may use your ePHI
- Empowers you to set file-sharing permissions
- Integrates well with third-party apps, though the onus on their functioning and compliance isn’t covered by Google’s BAA
So, Google Drive is another comprehensive choice to store your ePHI, as it supports secure storage, transmission, and retrieval of data.
4. Acronis Cyber Cloud
Acronis Cyber Cloud uses automation and Artificial Intelligence (AI) to secure your data from malware and unauthorized access. It also offers a wide range of storage products to suit your business’s specific needs.
Let’s now look at some features of Acronis Cyber Cloud that enable HIPAA compliance:
- Supports two-factor authentication to securely store your ePHI
- Uses encryption for data archival and backup
- Enables you to control configurations
- Regulates access provisioning
In all, Acronis Cyber Cloud is a good choice if you want to store your ePHI in the cloud. In particular, its many cloud storage choices offer a ton of flexibility for your business.
5. Backblaze
Backblaze is an affordable and reliable cloud storage service, making it a good choice for small and medium businesses. A highlight of this service is its AES 128-bit encryption algorithm that encrypts your device’s data before transmitting it to the cloud storage. This ensures additional protection for your data.
Here’s a look at some of Backblaze’s features that help with HIPAA compliance:
- Uses encrypted storage pods to safely store your data
- Supports the use of public key cryptography
- Provides single sign-on and two-factor authentication to streamline access
In all, Backblaze helps to keep your data safe using encryption and other security-related technologies.
Before I end, let’s have a quick recap of all you’ve learned so far.
To conclude, HIPAA is a mandatory regulation that applies to all confidential information, such as patient health records stored both on-premise and in the cloud. As a company, you must choose a cloud provider that complies with HIPAA provisions. Be sure to ask the right questions before making a decision!
I’ve shared with you a list of the top cloud providers, and I hope this helped. Feel free to refer back to this article for future reference.
Do you have any more questions about HIPAA-compliant cloud storage services? Check out the FAQ and Resources sections below!
FAQ
Does a Business Associate Agreement (BAA) guarantee compliance?
No. A BAA doesn’t automatically guarantee compliance. You’ll still have to do many things like having a security policy in place, establishing appropriate configurations, etc., to ensure HIPAA compliance. The BAA only authorizes the cloud service provider to safely store and transmit data when needed.
What’s the single most important feature for HIPAA compliance?
While it’s hard to pinpoint a single feature, data classification is one of the biggest. You must have separate provisions for maintaining the sensitive data of patients, while the data security requirements aren’t so stringent for non-sensitive data. This classification also helps with planning and accounting.
Can cloud storage be HIPAA-compliant?
Yes. Cloud storage can be HIPAA-compliant. However, you need security controls and configurations, such as encryption, and you need to monitor the storage and use of sensitive data. These controls must include every possible step to protect sensitive data.
Can I store my HIPAA data in the cloud?
Yes, you can store your HIPAA data on the cloud. However, you must take all the necessary precautions for your electronic Patient Health Information (ePHI), just like your on-premise PHI. Also, you need a BAA with your cloud storage service provider.
Is Apple iCloud HIPAA compliant?
No. Apple has announced that it’s not HIPAA-compliant as it doesn’t agree to sign a BAA with any company. This means you can’t use the Notes app on your iPhone and iPad to write or store any patient information.
Resources
TechGenix: Article on the Privacy and Security Rules of HIPAA
Learn more about the privacy and security rules of HIPAA.
TechGenix: Article on Avoiding HIPAA-Compliance Breaches
Educate yourself on how to avoid HIPAA compliance breaches.
TechGenix: Article on Choosing a HIPAA-Compliant Provider
Learn more about what questions to ask when choosing a HIPAA-compliant provider.
TechGenix: Article on the Impact of HIPAA’s New Rules
Read about the possible impact of HIPAA’s new rules.
TechGenix: Article on Using the ISA Firewall for HIPAA-Compliance
Learn how ISA firewalls can help with HIPAA compliance.