What is a HIPAA Compliant Cloud Drive?
There is no doubt that using the cloud for data storage offers many benefits, but healthcare organizations need to ensure a HIPAA compliant cloud drive is used to store the protected health information of patients and health plan members. But what is a HIPAA compliant cloud drive? What is the difference between a HIPAA compliant cloud drive and any other form of cloud storage?
What is a HIPAA Compliant Cloud Drive?
Technically, there is no such thing as a HIPAA compliant cloud drive as no cloud server can be truly HIPAA compliant. HIPAA compliance depends on the actions of the people. Even if appropriate security is used to secure data in the cloud, if healthcare organizations misconfigure settings or do not implement appropriate access controls, the HIPAA Security Rule could easily be violated.
A HIPAA compliant cloud drive will incorporate all the necessary controls to ensure the confidentiality, integrity, and availability of electronic protected health information is safeguarded. The cloud service provider will agree to implement safeguards to secure data transmitted to the cloud, to store data securely, and to provide a system that allows data access to be carefully controlled. The platform will also record logs of all activity, including successful and failed access attempts.
It is up to the covered entity to ensure policies and procedures are developed covering use of the cloud with respect to ePHI and that the cloud drive is configured correctly.
A Business Associate Agreement Must be Obtained from a Cloud Service Provider
Since access to data in the cloud is effectively given to the service provider, that entity is classed as a HIPAA business associate. Therefore, a HIPAA compliant business associate agreement must be obtained before any HIPAA-covered data is uploaded to the cloud. For any cloud storage service to be HIPAA compliant, the service provider MUST be prepared to sign a business associate agreement with the covered entity.
Many cloud service providers are prepared to sign a BAA with a covered entity’s and will agree to implement the appropriate controls to secure any data uploaded to their platform.
Google will sign a BAA for Google Drive. The business version of Google Drive is therefore a HIPAA compliant cloud drive. Box and Dropbox have also announced that they support HIPAA compliance and are prepared to sign a BAA, and Microsoft will sign a BAA for Microsoft OneDrive. iCloud on the other hand should not be used. At the time of writing, Apple will not sign business associate agreements with HIPAA covered entities.
A BAA by Itself Does Not Guarantee HIPAA Compliance!
Covered entities must obtain a BAA prior to any cloud service being used in conjunction with ePHI, but having a BAA is not sufficient to avoid a penalty for noncompliance with HIPAA Rules.
Before any cloud service is used, covered entities must conduct a comprehensive risk assessment. Any risks identified must be managed and policies and procedures developed for use of cloud services. The security controls put in place by their service provider must also be assessed.
Access controls must be configured correctly to ensure only authorized individuals are able to access cloud-stored data. Even though a cloud drive may meet the requirements of the HIPAA Security Rule, covered entities must ensure they comply with the requirements of the HIPAA Privacy Rule.
Covered entities should apply single sign-on controls, use two factor authentication, automatic logoff controls, secure passwords, and procedures should be developed that ensure ePHI is available in emergencies
Audit controls are required to ensure all activities in relation to ePHI are recorded. Regulators will require access to those logs in the event of an audit and covered entities are required to conduct regular checks of those logs to monitor for unauthorized activity.
Any data stored in the cloud should be encrypted and covered entities must ensure data uploaded to the cloud is encrypted in transit. Encryption algorithms must meet NIST standards.