Understanding what HIPAA-compliant cloud storage requires starts with a general understanding of what HIPAA is and what the cloud is. With that in place, everything else falls into place.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy of a person's individual health information. Through provisions branching from this act, protection extended beyond hard-copy records to include a person's electronically stored and transmitted health information.
Hovering over our heads is the omnipresent cloud. Easy to access from any device anywhere, it appears ideal for hosting your patients' health-related data, information that can quickly overload a local hard drive and leave you seeking a trustworthy data storage solution.
The cloud is a collection of software networks and remote servers that provide centralized access and that can offer protections complying with HIPAA regulations. With this understanding, we can now take a comprehensive look at HIPAA-compliant cloud storage.
Amazon: While not HIPAA-compliant out of the box, Amazon S3 instructs you on how to configure HIPAA-compliant cloud storage. It provides the safety of a Business Associate Agreement (BAA), which is vital when storing information of this nature. If a data storage company does not offer a BAA, it is likely the company lacks compliance. So while Amazon openly requires your involvement in securing the data, remember that the responsibility is always on you and not on any cloud storage solution, regardless of whether it touts a BAA and secured servers.
Google Drive: A properly configured Google Drive complies with HIPAA standards. A BAA signed by the domain administrator can cover Gmail, Google Calendar, Google Vault and Google Drive. If you ensure that no other Google services are enabled to work with these services and you enforce rigorous password complexity requirements, you can use Google for storage.
Box: In the same fashion as Google Drive, Box makes customers responsible for configuring the storage in compliance with HIPAA, but it provides a signed BAA for these specific, upgraded accounts. Users must enforce Box's organizational policies on access and data-handling security in order to maintain HIPAA standards.
CrashPlan PRO: CrashPlan PRO uses a stout 448-bit Blowfish encryption method that encrypts files on your computer before they leave it for its secured servers. This cloud service also has a user-friendly desktop client.
Are You Already Compliant?
Numerous companies promise HIPAA-compliant storage solutions. However, you might already use storage services, personally or for your business, that could work.
However, Dropbox and iCloud storage are not acceptable according to HIPAA standards. Dropbox does not offer auditing capabilities, which HIPAA requires. Dropbox also retains metadata and assigns unencrypted identifiers to aspects of a file, thereby violating HIPAA's total encryption requirement. Since Apple refuses to sign a BAA, we can assume Apple does not protect data to the standards required by HIPAA.
The Omnibus Rule
As mentioned before, and as the Omnibus Rule of 2013 made explicit, the responsibility for HIPAA compliance is on you. While your storage solution must comply, you must uphold state standards as well as HIPAA requirements.
You should ensure that each of the following is encrypted to HIPAA standards:
- The upload of any data to the cloud
- The download of any data from the cloud
- The storing of any data in the cloud
- The removal of any data from the cloud
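The first three items on this list are configuration properties that can be verified rather than assumed. The following is an added example, not code from the original article or from any provider named in it, that audits the two documents Amazon S3 exposes for a bucket: the default server-side encryption configuration (at rest) and the bucket policy (which can deny non-TLS access for uploads and downloads, and deny uploads that do not request encryption). The sample documents are constructed here to have the shape the S3 `GetBucketEncryption` and `GetBucketPolicy` calls return; the bucket name and key ARN are placeholders, and in practice the inputs would come from the account being audited.

```python
"""Offline audit of an S3 bucket's encryption controls (added example)."""
import json

# Constructed sample: shape of an S3 GetBucketEncryption response.
# The KMS key ARN is a placeholder, not a real key.
SAMPLE_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                }
            }
        ]
    }
}

# Constructed sample bucket policy; GetBucketPolicy returns this as a JSON string.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject every request that is not made over TLS (covers upload and download).
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject uploads that do not ask for server-side encryption.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def has_default_encryption(enc_config):
    """True if some rule applies SSE-S3 (AES256) or SSE-KMS by default."""
    rules = enc_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for rule in rules
    )


def denies_insecure_transport(policy):
    """True if a Deny statement on all S3 actions fires when aws:SecureTransport is false."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def denies_unencrypted_uploads(policy):
    """True if PutObject is denied whenever the encryption header is absent (Null condition)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("Null", {})
        if str(cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            return True
    return False


def audit_bucket(enc_config, policy_json):
    """Map each checklist item to a pass/fail boolean; an empty policy fails both policy checks."""
    policy = json.loads(policy_json) if policy_json else {}
    return {
        "at_rest_default_encryption": has_default_encryption(enc_config),
        "in_transit_tls_required": denies_insecure_transport(policy),
        "upload_encryption_required": denies_unencrypted_uploads(policy),
    }


if __name__ == "__main__":
    for control, ok in audit_bucket(SAMPLE_ENCRYPTION, SAMPLE_POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

Run it as-is against the constructed samples to see three passes; feeding it a bucket with no policy or no default encryption turns the corresponding lines to FAIL. The fourth item on the list, removal of data, is not a property of these two documents and has to be checked separately against the provider's deletion and retention behaviour.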
Things to Remember
HIPAA compliance involves more than just the storage of protected health information. Regular audits should assess risk, verify that vulnerabilities have been removed, and review the storage services you purchase and the policies you enforce across your organization. These audits are vital to achieving a total HIPAA-compliant solution.