Guide to Understanding HIPAA-Compliant Cloud Storage for Health IT

The BTC Team

These days, a lot of healthcare IT professionals are turning to HIPAA-compliant cloud storage tools for remote file-sharing, custom applications, data storage, and networking options. So, what is the cloud, what benefits does it offer to healthcare organizations, and how can organizations ensure compliance with HIPAA regulations in cloud storage? Keep reading below to find out!

Cloud Explained

The term “cloud” describes different types of internet-based computing services that share resources and data with connected devices as needed. Cloud technology is ideal for fast-paced environments, like most healthcare settings, as it allows data to be shared conveniently between organizations, which can improve patient care.

Benefits of Using Cloud Technologies In Healthcare

  • Gives Actionable Insights – Cloud computing can empower all stakeholders with accurate data for proper decision-making
  • Is Cost-Effective – Cloud services are cost-effective and are mostly available on a subscription basis, or organizations can pay per usage
  • Provides Transparency – Healthcare professionals and patients can access the information freely
  • Provides Business Continuity – Disaster recovery and the security of confidential health information are less worrisome

Different Types of Cloud Service Models

Here are some available cloud service models used by healthcare IT companies:

  1. Software as a service (SaaS) – SaaS is the most basic type of cloud computing that allows users to access centrally-stored data through a web browser. This type of solution is perfect for smaller organizations because the vendor typically takes care of most of the maintenance and upkeep. SaaS solutions are commonly used for health IT functions such as electronic health records (EHRs) and health information exchange (HIE).
  2. Platform as a service (PaaS) – PaaS offerings allow health IT professionals to build and deploy custom applications without having to manage or maintain the underlying infrastructure. PaaS allows users to access healthcare data through a custom app instead of through a web browser. The operating system and network are maintained by the vendor, making it ideal for mid-sized to large organizations with dedicated developers.
  3. Infrastructure as a service (IaaS) – IaaS provides an organization with the ability to store, access, and manage data on a cloud infrastructure. The organization does not have direct control over the underlying cloud infrastructure but can control the operating systems, storage, and applications that are deployed on it. IaaS can help large institutions such as hospitals and medical groups manage their environment, but doing so requires a skilled IT staff.

7 Best HIPAA-compliant Cloud Storage Services

If you are looking for a HIPAA-compliant cloud storage service, here are some of the most trusted options:

1. Google Cloud Drive

Google began signing Business Associate Agreements (BAAs) covering Gmail, Google Drive, Google Calendar, and Google Vault in 2013. This made Google Cloud Drive a secure option and garnered rave reviews from healthcare industry pros.

According to HIPAA Journal, “G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.”

2. Microsoft OneDrive

Microsoft supports HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act) requirements. The company offers BAAs for its enterprise cloud services and has signed agreements covering mail, file storage, and calendars to protect PHI. Furthermore, Microsoft is known for offering some of the most effective cloud security tools in the industry.

3. Amazon (AWS)

Amazon S3 provides detailed instructions on how to configure HIPAA-compliant cloud storage for AWS users and offers to sign a Business Associate Agreement (BAA) with them. It provides cloud services to various leading healthcare and life science brands.

“In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule,” states AWS on its compliance page.

4. Box

Box has been actively marketing to healthcare industry professionals since adding HIPAA/HITECH support in 2013. Its features include access log monitoring and granular file authorizations. Box provides BAAs for enterprise accounts.

“All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud,” states Box’s HIPAA compliance page.

5. Atlantic.Net

Atlantic.Net is fully compliant with HIPAA and HITECH regulations. It offers a full suite of security services that enable organizations to meet all of their cybersecurity, HIPAA-compliant hosting, and cloud storage needs.

Their storage infrastructure is highly resilient and can accommodate growing workloads. Their end-to-end service is managed completely in-house, which helps them boost their security. They also sign a Business Associate Agreement (BAA), which helps to ensure that their clients’ patient data remains secure.

6. Dropbox (Business)

In November 2015, Dropbox announced that it was compliant with HIPAA and the HITECH Act and, as a result, began providing Business Associate Agreements (BAAs) to Dropbox Business customers. Some of the administrative controls put in place to ensure compliance include review and removal of linked devices, user activity reports, and enabling two-factor authentication.

7. Carbonite

Carbonite for Office customers receive BAAs that include offsite backup for disaster recovery, compliance with the Massachusetts Data Security Regulation, and data encryption both in the cloud and on the local endpoint.

While cloud-based tools offer many benefits to healthcare organizations, they function differently from other storage or information-sharing solutions. Because users can access data through any internet connection, HIPAA compliance becomes a serious consideration for healthcare organizations.

Essential Security Features To Look For In a Cloud Storage Provider

To ensure HIPAA compliance, a cloud storage service must offer:

  • Two-step authentication or single sign-on, and encryption of ePHI transferred between devices
  • Configurable file-sharing access so that unauthorized users are kept out. Access can be restricted via passwords, two-factor authentication, etc.
  • Regular monitoring of access logs to detect any improper or unauthorized activity and act on it immediately
  • Data classification to group and protect data according to its sensitivity level
  • A safe storage location, preferably in the US. Even though HIPAA allows ePHI to be stored on cloud servers located outside the US, guidance issued by the federal government suggests that businesses must take action to mitigate the risk if data is stored outside the United States

4 Questions To Ask Your HIPAA-Compliant Cloud Storage Provider

Before hiring a cloud hosting service provider, ask them the following questions to ensure they will be HIPAA compliant:

1. Will you sign a Business Associate Agreement (BAA)?
A BAA is a written agreement between your business and a hosting provider that outlines the required use, storage, and handling of health information. If the CSP (cloud service provider) doesn’t have an agreement, the agreement is confusing, or it doesn’t provide a clear description of the services, the provider is not ready to manage your data.

2. Do you have an incident response plan to handle data breaches?
Having experienced data breaches should not be a deal-breaker. The important thing is how they recovered from the incident. An incident response plan should be in place that describes how they will handle any type of security breach or attack on their IT systems. It should outline the steps they will take to discover a breach, identify its cause, and remediate the damage.

3. Can you provide a comprehensive security overview?
There is no standard attestation for HIPAA compliance. Therefore, find out what types of audit reports they provide: SSAE 16 Type II, HITRUST CSF, SOC 2 Type II, etc. This will give you information about their ability to help with your annual auditing tasks.

4. Do you have a dedicated HIPAA compliance officer (HCO)?
The HIPAA compliance officer is responsible for overseeing the implementation of privacy and security measures for PHI handled on the cloud. While this role can be handled in-house, if the cloud service provider has a certified HCO, it means it takes HIPAA compliance seriously.

Make Sure You Are Using a HIPAA-Compliant Cloud Storage

Using a trusted cloud provider is critical but does not guarantee HIPAA compliance, even when the cloud service signs a BAA and offers encryption and administrative security controls. Remember, the businesses using cloud services are responsible for ensuring HIPAA compliance. In such cases, leveraging the expertise of a healthcare IT service provider is not a bad idea.

With demonstrable experience working with healthcare organizations to optimize business applications, data, business process migration, etc., Boston Technology Corporation (BTC) can help you develop a flexible and secure cloud computing environment to store and share data. To learn how you can achieve this, contact us today!
