Is Cloud Computing HIPAA Compliant?

Cloud computing has revolutionized the way healthcare organizations operate, but ensuring cloud computing is HIPAA compliant can be a challenge.

Many healthcare organizations have already embraced cloud technologies, but as with any technology, care must be taken as there is considerable potential for HIPAA violations in the cloud. Here we consider how healthcare organizations can use cloud computing in a HIPAA-compliant manner.

There is an extensive range of Cloud Service Providers (CSPs), and their products differ in terms of storage limits, accessibility, and security configurations, so Covered Entities (CEs) are advised to research CSPs and ensure that a product supports HIPAA compliance. They should establish how they will use the cloud computing technologies, conduct a risk assessment, and ensure all staff members are trained on how to use a CSP’s products and services.

All CEs are required to obtain a signed business associate agreement (BAA) from their chosen CSP prior to using that service in connection with any protected health information (PHI). BAAs outline the responsibilities of each party under HIPAA. Many CSPs – including Amazon, Microsoft, and Google – are willing to sign BAAs with CEs.

BAAs are required for HIPAA compliance, but they do not guarantee compliance. CEs should also consider signing a service level agreement (SLA) with their CSPs, which states the technical aspects of data protection. Though an SLA is not strictly required by HIPAA, it can establish protocols for data backups and for how data will be handled upon the termination of the BAA, both of which are covered by HIPAA.

HIPAA requires data to be encrypted in transit or at rest. CSPs should provide encryption that meets the minimum recommendations of the National Institute of Standards and Technology (NIST). This is a necessary step to ensure compliance with the HIPAA Security Rule. CEs must also ensure only authorized individuals can access PHI. This requires careful consideration and configuration of the CSP’s security controls; how this is done will depend on the platform.

All electronic PHI must be stored on a secure server. CSPs may store data in multiple data centers, even overseas, and it is the responsibility of the CE to ensure that data is stored in a HIPAA-compliant manner. HIPAA requires CEs to be transparent in their use of cloud computing services. An audit trail should be maintained, with logs recording every user who accesses PHI. Those logs must be regularly reviewed to identify any unauthorized access.
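The log review described above, as an added example that is not from the article or any CSP's tooling: it checks a constructed JSON-per-line export of storage access events against a constructed list of users authorized to read PHI, and also flags PHI reads that were not protected in transit. The log format, bucket names, and user names are assumptions; real CSP audit logs use their own schemas.

```python
import json
from dataclasses import dataclass

# Constructed sample: users permitted to read objects in the PHI bucket.
AUTHORIZED_PHI_USERS = {"dr.lee", "nurse.patel", "billing.svc"}

# Constructed sample log lines (hypothetical schema: one JSON object per line).
SAMPLE_LOG = """
{"time": "2024-03-01T09:02:11Z", "user": "dr.lee", "action": "GetObject", "bucket": "phi-records", "key": "pt/1042.pdf", "tls": true}
{"time": "2024-03-01T09:05:43Z", "user": "contractor.x", "action": "GetObject", "bucket": "phi-records", "key": "pt/1042.pdf", "tls": true}
{"time": "2024-03-01T09:07:00Z", "user": "nurse.patel", "action": "GetObject", "bucket": "phi-records", "key": "pt/2210.pdf", "tls": false}
{"time": "2024-03-01T09:09:30Z", "user": "dr.lee", "action": "GetObject", "bucket": "public-assets", "key": "logo.png", "tls": true}
"""


@dataclass
class Finding:
    time: str
    user: str
    key: str
    reason: str


def review_phi_access(log_text, authorized, phi_buckets=("phi-records",)):
    """Return one Finding per event that violates a PHI access control.

    Two checks are applied to every read of a PHI bucket:
      1. the user must be on the authorized list (access control);
      2. the object must have been retrieved over TLS (encryption in transit).
    Events against non-PHI buckets are ignored as out of scope.
    """
    findings = []
    for raw in log_text.strip().splitlines():
        event = json.loads(raw)
        if event["bucket"] not in phi_buckets:
            continue
        if event["user"] not in authorized:
            findings.append(Finding(event["time"], event["user"], event["key"],
                                    "user not on PHI access list"))
        if not event.get("tls", False):
            findings.append(Finding(event["time"], event["user"], event["key"],
                                    "PHI retrieved without encryption in transit"))
    return findings


if __name__ == "__main__":
    for f in review_phi_access(SAMPLE_LOG, AUTHORIZED_PHI_USERS):
        print(f"{f.time} {f.user} {f.key}: {f.reason}")
```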

Is Cloud Computing HIPAA Compliant?

The healthcare cloud computing market is expected to exceed $88 billion by 2027. The increased number of providers offers a wealth of choices for CEs, but they must take care when choosing a CSP. CEs should only choose a provider that will sign a BAA, as CSPs are classed as business associates under HIPAA. Companies that claim their cloud computing services are HIPAA compliant should not be taken at face value. CEs should research how the provider handles data and – if possible – determine if there have been any previous HIPAA breaches connected with the service.

The correct use of cloud computing offers many benefits for healthcare providers, and cloud computing can be used without violating the HIPAA Rules; however, there are challenges in ensuring HIPAA compliance and HIPAA violations often occur in the cloud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.