These days, a lot of healthcare IT professionals are turning to HIPAA-compliant cloud storage tools for remote file-sharing, custom applications, data storage, and networking options. So, what is the cloud, what benefits does it offer to healthcare organizations, and how can organizations ensure compliance with HIPAA regulations in cloud storage? Keep reading below to find out!
The term “cloud” describes different types of internet-based computing services that share resources and data with connected devices as needed. Cloud technology is ideal for fast-paced environments, like most healthcare settings, as it allows data to be shared conveniently between organizations, which can improve patient care.
Here are some available cloud service models used by healthcare IT companies:
If you are looking for a HIPAA-compliant cloud storage service, here are some of the most trusted options:
Google began signing Business Associate Agreements (BAAs) covering Gmail, Google Drive, Google Calendar, and Google Vault in 2013. This made Google Cloud Drive secure and garnered rave reviews from healthcare industry pros.
According to HIPAA Journal, “G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.”
Microsoft supports HIPAA-HITECH (Health Information Technology for Economic and Clinical Health) requirements. The company offers BAAs for its enterprise cloud services and has signed agreements covering mail, file storage, and calendars to protect PHI. Furthermore, Microsoft is known for offering some of the most effective cloud security tools in the industry.
Amazon S3 provides detailed instructions on how to configure HIPAA-compliant cloud storage for AWS users and offers to sign a Business Associate Agreement (BAA) with them. It provides cloud services to various leading healthcare and life science brands.
“In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule,” states AWS on its compliance page.
Box has been actively marketing to healthcare industry professionals since adding HIPAA/HITECH support in 2013. Features it offers include access log monitoring and granular file authorizations. Box provides BAAs for enterprise accounts.
“All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud,” states Box’s HIPAA compliance page.
Atlantic.Net is fully compliant with HIPAA and HITECH regulations. It offers a full suite of security services that enable organizations to meet all of their cybersecurity, HIPAA-compliant hosting, and cloud storage needs.
Its storage infrastructure is highly resilient and can accommodate growing workloads. Its end-to-end service is managed completely in-house, which helps it boost its security. Atlantic.Net also signs a Business Associate Agreement (BAA), which helps to ensure that its customers’ patient data remains secure.
In November 2015, Dropbox announced that it is compliant with HIPAA and the HITECH Act and, as a result, is providing Business Associate Agreements (BAAs) to Dropbox Business customers. Some of the administrative controls that have been put in place to support compliance include review and removal of linked devices, user activity reports, and enabling two-factor authentication.
Carbonite for Office customers receive BAAs that include offsite backup for disaster recovery, compliance with the Massachusetts Data Security Regulation, and data encryption both in the cloud and on the local endpoint.
While cloud-based tools offer many benefits to healthcare organizations, they function differently from other storage or information-sharing solutions. Because users can access data over any internet connection, HIPAA compliance becomes a serious consideration for healthcare organizations.
To ensure HIPAA compliance, a cloud storage service must offer:
Before hiring a cloud hosting service provider, ask them the following questions to ensure they will be HIPAA compliant:
1. Will you sign a Business Associate Agreement (BAA)?
A BAA is a written agreement between your business and a hosting provider that outlines the required use, storage, and handling of health information. If the CSP (cloud service provider) doesn’t have an agreement, the agreement is confusing, or it doesn’t provide a clear description of the services, the provider is not ready to manage your data.
2. Do you have an incident response plan to handle data breaches?
Having experienced data breaches should not be a deal-breaker. The important thing is how they recovered from the incident. An incident response plan should be in place that describes how they will handle any type of security breach or attack on their IT systems. It should outline the steps they will take to discover a breach, identify its cause, and remediate the damage.
3. Can you provide a comprehensive security overview?
There is no standard attestation for HIPAA compliance. Therefore, find out what types of audit reports they provide: SSAE 16 Type II, HITRUST CSF, SOC 2 Type II, etc. This will give you information about their ability to help with your annual auditing tasks.
4. Do you have a dedicated HIPAA compliance officer (HCO)?
The HIPAA compliance officer is responsible for overseeing the implementation of privacy and security measures for PHI handled on the cloud. While this role can be handled in-house, if the cloud service provider has a certified HCO, it means it takes HIPAA compliance seriously.
Using a trusted cloud provider is critical but does not guarantee HIPAA compliance, even when the cloud service signs a BAA and offers encryption and administrative security controls. Remember, the businesses using cloud services remain responsible for ensuring HIPAA compliance. In such cases, leveraging the expertise of a healthcare IT service provider is not a bad idea.
With demonstrable experience working with healthcare organizations to optimize business applications, data, business process migration, etc., Boston Technology Corporation (BTC) can help you develop a flexible and secure cloud computing environment to store and share data. To learn how you can achieve this, contact us today!