Cloud computing is evolving every day, and with it comes talk about HIPAA compliant private clouds. But many health care providers are hesitant to adopt the cloud because of the perceived security risks. With evolving cybersecurity threats and a changing legal landscape surrounding the confidentiality, availability, and integrity of sensitive healthcare data, it can be difficult to determine whether cloud computing is the best option for your business. Today, we’re going to explain what you need to know about using cloud storage for HIPAA compliance.
Understand that Many Cloud Services Claim to Offer HIPAA Compliance
HIPAA is a major driver of demand in the cloud storage industry. That’s why many cloud storage providers have risen to meet the needs of medical companies. A number of cloud storage companies claim to offer HIPAA-compliant services, including Amazon, Box, and Google Drive. Obviously, not all of these HIPAA compliant services are built the same way.
For example, Google Drive for Business allows a domain administrator to sign a Business Associate Agreement (BAA) covering Gmail, Google Drive, Google Calendar, and Google Vault. Typically, these services aren’t HIPAA compliant on their own. However, if your domain administrator can disable all other Google services from the domain and make sure you keep the correct password policies and other security measures, then Google Drive can be made HIPAA compliant for cloud storage.
Amazon, on the other hand, is not HIPAA compliant out of the box. However, Amazon’s AWS service can be used to build HIPAA-compliant cloud storage. This process is a little more involved: Amazon will give you the dedicated servers and a BAA, but it’s up to you to configure those servers yourself for maximum security.
However, There Are No HIPAA-Certified Cloud Service Providers
All of the above cloud services claim to offer HIPAA compliant cloud storage. However, the US Department of Health and Human Services (HHS) does not require or formally recognize any HIPAA certification programs for cloud storage providers. In other words, these providers can make all the claims they like, but those claims are not necessarily true. Of course, that doesn’t mean you can’t make cloud storage HIPAA compliant. Look for a cloud service provider that has the necessary controls and processes in place to comply with HIPAA requirements.
One of the best ways to find a cloud storage provider like this is to identify providers that undergo annual independent audits. Some cloud service providers have themselves audited against the HHS Office for Civil Rights (OCR) HIPAA Audit Protocol. When a cloud storage provider does this, it shows you that they’re taking HIPAA compliance seriously.
Characteristics of HIPAA Compliant Private Clouds
HIPAA compliant private clouds typically have some common characteristics, including:
- Built on dedicated, compliance-critical hardware using advanced software features
- Use the highest-level security features, including enterprise-grade antivirus and other protective measures
- Fully encrypted from the ground up
One of the hardest parts of finding the right cloud storage provider is doing your due diligence. All cloud storage services promise to keep your information “secure”, but some companies take that responsibility more seriously than others.
The Importance of a Business Associate Agreement (BAA)
When you’re researching private cloud options for HIPAA compliance, you’ll see lots of mentions of business associate agreements, or BAAs. The reason BAAs are so important is that business associates are a critical part of HIPAA. When you sign a BAA with someone, many of the requirements for HIPAA compliance are extended to that new business associate.
Business associates are roughly defined as the following under HIPAA:
“A person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of Protected Health Information (PHI).”
It’s very important that you sign a BAA with your cloud service provider. This written contract extends HIPAA requirements to that cloud storage provider. It ensures that the cloud storage provider is legally obligated to protect the privacy and security of PHI when it’s on their cloud servers.
Understand that Encryption Isn’t Required Under HIPAA
One funny quirk of HIPAA is that encryption is not mandatory for health care providers. As far as HIPAA is concerned, you can store sensitive patient data in clear text. Of course, that doesn’t mean you should. Encrypting your data provides a safe harbor: if your data is somehow breached or lost, it won’t be exposed, because it cannot be read without the encryption key.
Even though HIPAA doesn’t specifically require encryption, you should encrypt PHI in all possible locations.
How Leverage Can Help
Leverage Technologies specializes in creating HIPAA compliant cloud storage solutions for your business. We have created systems, tools, and procedures that help our customers efficiently integrate their assets with our own products and services to ensure HIPAA compliance.
Contact us today to see how easily we can implement effective HIPAA compliant private clouds for your business.