HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA-Compliant Cloud Storage

Many healthcare organizations are abandoning traditional on-premises IT architectures and are turning to cloud applications and HIPAA cloud storage solutions to improve efficiency and cut costs.

The transition to the cloud makes a great deal of sense. Through the cloud, healthcare providers can become more agile, improve efficiency, and access and exchange data much more quickly. By storing data in the cloud, information can be rapidly accessed from any location, by any authorized individual, on demand.

Many healthcare providers have opted for a hybrid cloud strategy, using a combination of public and private clouds alongside traditional on-premises infrastructure to ease the transition. Applications and IT functions that are easy to move to the cloud have been migrated, but others, such as those related to patient information, require greater care and remain on-premises.

The Health Insurance Portability and Accountability Act (HIPAA) does not prohibit the storage of protected health information (PHI) in the cloud. The legislation just requires certain privacy and security protections to be in place to ensure the confidentiality, integrity, and availability of ePHI. Provided a HIPAA cloud storage service is used and ePHI is encrypted, cloud data storage services can be used to store files containing ePHI and host applications that collect or process health data.

HIPAA Compliant Cloud Storage

Any service provider offering a HIPAA-compliant cloud storage service must implement multiple safeguards so that sensitive data is protected at all times. Robust access controls must be in place, event logging is required to maintain an audit trail, and the hosting provider must conduct regular, rigorous assessments to ensure its platform remains secure and in compliance with HIPAA.

In addition to stringent privacy and security controls, hosting providers are required to sign a business associate agreement (BAA) with HIPAA covered entities. The BAA is a contract with the hosting provider which outlines its legal obligations under HIPAA.

The HIPAA Security Rule requires cloud storage services to include safeguards to ensure the privacy and security of healthcare data, but also to ensure that information is always available. A HIPAA cloud storage solution must have near-100% uptime so that ePHI can always be accessed, along with robust backup policies to ensure data can be recovered in the event of a disaster.

Choosing a HIPAA Cloud Storage Solution

Any cloud storage platform must satisfy all relevant provisions of the HIPAA Privacy and Security Rules before it can be used in connection with any ePHI. HIPAA requires covered entities to obtain reasonable assurances that a service provider is in compliance with HIPAA. This is achieved through the business associate agreement, a signed copy of which must be obtained before the service is used.

Accreditation from a third-party compliance firm is a good guide as to which companies are committed to compliance. Such accreditations demonstrate that a company has undergone a compliance assessment and has been verified as compliant with all aspects of the HIPAA Rules.

Look for a HIPAA cloud storage solution provider that offers a service level agreement (SLA) guaranteeing high performance and near 100% uptime to ensure that all stored data can be accessed the instant it is required.

Ensure data is encrypted at rest and in transit to the standard recommended by the National Institute of Standards and Technology (NIST) and that data is stored in secure data centers.

Ensure your hosting company has a robust disaster recovery plan, including offsite backup storage, so that data can be recovered in the event of a disaster.