Cloud Storage and HIPAA Compliance – What You Need to Know

The Health Insurance Portability and Accountability Act (HIPAA) has been around for more than two decades. But the rapid adoption of cloud services in recent years has created new challenges for healthcare providers, payers, researchers, and others who handle sensitive health data. If you’re storing or transmitting patient data as part of your business operations, it’s important to understand how HIPAA applies to your organization and your cloud storage solutions. In this post, we’ll cover some general principles regarding HIPAA compliance, how it affects cloud storage, and how to choose the best HIPAA compliant cloud storage. If you store user information in a Google Drive within your business apps or an Amazon S3 bucket as part of a system… Keep reading to learn if this places you at risk for non-compliance with the standards set forth by HIPAA.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It’s a set of standards that protect sensitive information, reduce medical costs, and increase efficiency in the healthcare industry. The standards are applied to any organization that handles protected health information (PHI) – including healthcare providers, health plan administrators, and medical researchers. The U.S. Department of Health and Human Services (HHS) is the governing authority that enforces HIPAA compliance.

Why is cloud storage an issue for HIPAA compliance?

The biggest concern is that the cloud is not a HIPAA-compliant environment. It’s not that cloud storage providers are maliciously trying to steal your data – it’s just not in their best interest to maintain the same level of security that healthcare providers need to comply with HIPAA. The cloud offers significant advantages for businesses looking to adopt a modern data architecture. But the risk of losing control of sensitive data is significant – particularly when it comes to storing or transmitting protected health data (PHI) in EMR systems.

What does HIPAA require?

HIPAA does not require that businesses adopt a cloud data storage solution. In fact, the law recognizes that cloud storage was not a viable option when it was initially written. While some aspects of HIPAA may be outdated, the protections afforded to sensitive information still hold true today. That being said, here are a few requirements that businesses should keep in mind when storing or transmitting protected health information:

• Data must be localized – Businesses must store PHI in a location that is both owned and operated by themselves. This means your data center or on-premise servers – not a public cloud provider. 
• Data must be encrypted in transit – Businesses must use a method of encryption when transmitting PHI over networks. 
• Data must be encrypted at rest – Businesses must also use encryption at rest – particularly when storing PHI in an online environment.

Is cloud storage inherently non-compliant with HIPAA?

The rapid adoption of cloud services by healthcare providers has led many to conclude that cloud storage is inherently non-compliant with HIPAA. This couldn’t be further from the truth. 

• All providers with a HIPAA Business Associate Agreement (BAA) in place are compliant with HIPAA. 
• There are a number of ways to ensure that your cloud storage solution is HIPAA-compliant. These include:
  • Encrypted communications – Data must be encrypted both in transit and at rest.
  • Controlled access – Employers must be able to verify who is accessing sensitive data – particularly where employees are using a SaaS solution.

How can you ensure compliance with your cloud storage platform?

It’s important to understand the risks associated with storing or transmitting PHI in the cloud. But it’s equally important to finding a solution that addresses those risks and enables your organization to take full advantage of the cloud. Before you sign a contract with a cloud provider, make sure you’ve thoroughly researched their security and privacy options. Specifically, look for a BAA – which ensures that the provider is HIPAA compliant. Furthermore, make sure you have a clear understanding of who can access sensitive data and how they can access it. Ensure that your cloud provider offers encryption at rest and in transit. And make sure that their terms of service include an acknowledgment that they are solely responsible for any breaches related to their service.

Conclusion

HIPAA rules have been around since 1996. And while they were initially intended to apply to completely on-premise solutions, they are still very much in effect today. The cloud offers significant advantages for businesses looking to adopt a modern data architecture. But the risk of losing control of sensitive data is significant. Before storing or transmitting PHI in a public cloud provider, make sure you’ve taken the necessary steps to ensure compliance with HIPAA.