What is a HIPAA Compliant Cloud Drive?

A HIPAA compliant cloud drive is a cloud-based file storage service that has the capabilities to support HIPAA compliance, that is configured to comply with the standards of the HIPAA Security Rule, and that is used compliantly by trained members of the workforce. Since the passage of HIPAA, many healthcare organizations have adopted cloud-based services; and, when these are used to create, receive, maintain, or transmit Protected Health Information, it is important they comply with HIPAA.

HIPAA and Cloud Computing

The Health Insurance Portability and Accountability Act was enacted just as the use of cloud-based services started to gain popularity in the 1990s. However, it was not until the early 2000s that cloud computing really took off – although healthcare organizations were slow to embrace the cloud. The situation is very different today. According to Market Data Forecast, in 2022 the healthcare cloud computing market was worth $5.22 billion and it is expected to reach $201.1 billion by 2032. 90% of healthcare organizations are already using cloud-based services or plan to use them by 2025.

Even though cloud computing services have now been widely adopted by healthcare organizations, there have been no changes to HIPAA to reflect the increased adoption. This is because HIPAA was written to be technology agnostic in order to ensure that when new technologies were introduced, the applicable standards could be easily applied to those technologies. Cloud services can be used by HIPAA covered entities and business associates to create, receive, maintain, or transmit PHI as long as they comply with the applicable standards.

What is a HIPAA Compliant Cloud Drive?

Because cloud drives are most often used for storing files and folders, the terms HIPAA compliant cloud drive and HIPAA compliant cloud storage are usually used interchangeably. However, there is a difference. A HIPAA compliant cloud storage service is a repository for files and folders accessible by authorized users, whereas a HIPAA compliant cloud drive not only stores files and folders but allows authorized users to share files and folders with other users, collaborate simultaneously, and synchronize changes to prevent scenarios in which multiple versions of the same document exist.


Because a cloud drive does more than store files, a HIPAA compliant cloud drive service must not only provide the capabilities to store PHI securely in the cloud and ensure that only authorized users can access it; it must also provide transmission security capabilities so that files intercepted in transit are undecipherable, and data loss prevention capabilities to prevent files being sent to unauthorized persons.

A Business Associate Agreement Must be Obtained from a Cloud Service Provider

If a HIPAA-regulated entity engages the services of any vendor to create, receive, maintain, or transmit PHI on its behalf, that vendor is classed as a business associate under HIPAA. If cloud services are used in connection with any PHI, including the storage and transmission of PHI between authorized users, the cloud service provider (CSP) is a business associate and has responsibilities under HIPAA – even if the CSP only stores encrypted PHI and does not hold an encryption key for the data (an arrangement also known as “no view, persistent access”).

HIPAA-regulated entities must enter into a HIPAA compliant business associate agreement with the CSP before any PHI is transferred to the vendor’s cloud service. The CSP – and any subcontractors used by the CSP – are contractually liable for meeting the terms of the business associate agreement and are directly liable for compliance with the applicable requirements of the HIPAA Rules. If a CSP is not prepared to enter into a business associate agreement, their services must not be used in connection with any ePHI.

In addition to a business associate agreement (BAA), many covered entities address other requirements through a service-level agreement (SLA). The BAA outlines the responsibilities of the CSP with respect to HIPAA, while the SLA deals with technical aspects such as availability and reliability of the service, data backups and recovery, the security responsibilities of each party, and how any stored data will be returned when the service is no longer used.

HIPAA Compliant Cloud Storage Requires More than a BAA!

Regardless of whether you refer to a cloud drive service as a drive or storage service, it requires more than a BAA to make the service HIPAA compliant. Most CSPs will only enter into a BAA with a covered entity if the covered entity subscribes to a business plan that includes the capabilities to support HIPAA compliance and configures the capabilities to comply with the applicable standards of the Security Rule. In the context of making a cloud drive HIPAA compliant, this means:

  • Assigning each user unique login credentials
  • Ensuring the drive can be accessed in an emergency
  • Ensuring automatic logoff is activated on each device
  • Encrypting PHI at rest and in transit
  • Activating access logs and audit controls
  • Activating data loss prevention controls
  • Backing up PHI (if not performed by the CSP)

Many CSPs provide guidance about how to configure their services to comply with HIPAA. One of the best examples is Google’s HIPAA Implementation Guide, which provides a step-by-step guide to configuring all the “core services” covered by its Business Associate Addendum to the Service Agreement. Microsoft also offers a more general guide, which includes tips on training members of the workforce on best practices for using cloud drive services in compliance with HIPAA.

Summary

While there is no mention of HIPAA cloud storage and cloud computing in the HIPAA text, healthcare organizations can engage the services of CSPs and use their platforms to reduce costs, improve productivity, and connect and communicate more easily, provided they use HIPAA-compliant cloud services and obtain a BAA from the CSP. You can find out more about HIPAA cloud storage from the HHS, which recently published guidance for HIPAA-regulated entities on HIPAA compliant data storage in the cloud and the use of other cloud services in connection with ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com