HIPAA Compliant Cloud Storage

Within the healthcare sector there has been a massive shift in the last 10-15 years towards sharing Protected Health Information (PHI) digitally with many different clients and business partners.

The proliferation of cloud storage gives HIPAA-governed bodies the opportunity to move huge quantities of data and files off their own systems. This lets them free up space on local servers, have practically unlimited space available for expansion, share data in a more streamlined and simple way, conduct backups more easily and, if configured properly, achieve stronger security than they could on premises.

However, as with all digital innovations used in relation to PHI, it must be considered whether everything is being done in a HIPAA-compliant fashion.

Although the vast majority of cloud storage providers claim that they are HIPAA compliant, this only means that their data centers and data management practices are capable of supporting the Privacy and Security Rules; there is no official HHS certification of HIPAA compliance. The designation of being HIPAA compliant cannot be earned simply by having the possibility of compliance in place. It depends on the specific configuration and on how the service is operated and used by the subscribers who have access to the cloud. For example, everything may have been set up in a HIPAA-compliant way, but if accounts are not revoked when staff leave, there is nothing to stop a former worker from logging in with their old password and accessing or sharing information illegally.

It is also a requirement that a business associate agreement (BAA) be signed between the HIPAA-covered body and the cloud storage provider before any PHI is stored with them. In a number of cases cloud providers have been unwilling to sign a BAA, meaning that use of the service would contravene HIPAA legislation. The signing of a BAA between the cloud storage provider and the HIPAA-governed organisation contractually commits the cloud provider to HIPAA's requirements for physical and digital security, ePHI privacy, storage management and backup technology, user authentication and administrative processes. Note that the BAA does not by itself prove the provider is compliant; it makes the provider responsible for its side of the arrangement, while the covered entity remains responsible for how the service is configured and used.

Other HIPAA Rules & Cloud Storage 

It is also vital to consider how a prospective cloud storage supplier complies with the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule when deciding whether to enter into a BAA with them. We have broken these down as follows:

  • The HIPAA Privacy Rule: The aim of the HIPAA Privacy Rule is to safeguard the privacy of patient healthcare and payment data in order to limit possible abuse and fraud in the healthcare sector. It was titled the “Standards for Privacy of Individually Identifiable Health Information” by the Department of Health and Human Services (HHS), with a compliance date of April 14, 2003. It defines all permitted uses and disclosures of protected health information (PHI), and these apply regardless of where the information is stored, locally or in a cloud.
  • The HIPAA Security Rule: This protects individuals' electronic PHI from being stolen or illegally disclosed by requiring covered entities and their business associates to implement administrative, physical and technical safeguards. It took effect on April 21, 2003, with a compliance date of April 21, 2005.
  • The HIPAA Breach Notification Rule: This rule was introduced under the HITECH Act in 2009 and finalised in January 2013 as part of the Final Omnibus Rule. It obligates HIPAA-covered entities to notify individuals when their unsecured protected health information (PHI) has been breached and may be used for ill purposes or shared with unauthorised individuals, contravening HIPAA legislation. If a data breach affects 500 or more individuals, the Department of Health and Human Services' Office for Civil Rights must be notified “without unreasonable delay”, and certainly within 60 days of the breach being discovered; smaller breaches must be logged and reported to OCR annually. Because a cloud provider is a business associate, the BAA should spell out how quickly the provider will notify you of a breach on its side so that you can meet these deadlines.

Conclusion: HIPAA Compliant Cloud Storage

Achieving HIPAA compliance when using cloud storage involves a lot of hard work, but it is worth it for the many benefits that can be gained. It is vital that you carefully assess a prospective cloud storage provider to ensure that they have everything in place to support HIPAA compliance and that they will sign a BAA with you. If these two things are not in place, you will likely be breaching HIPAA legislation and could be sanctioned with serious financial penalties as a result.

Once you have signed a BAA with a HIPAA-compliant cloud service provider, it is important to create a plan and process for managing use of the system, covering configuration, access control and the prompt removal of accounts when staff leave, to ensure that neither you nor any of your staff (current or former employees) breaches the HIPAA rules.