If you work in the health care industry, you understand how vital HIPAA and HITECH compliance is. Not only can a violation cost you thousands of dollars, but it can cost you the trust of your patients too. Without trust, patients won't show up, and without patients, your business won't succeed. So it's imperative to keep all patient data secure.
But, in this digital age, that can be easier said than done. So many organizations experience data breaches every year, it almost seems impossible to keep any information safe anymore. And with cloud technology, the risk seems even greater than before.
Well, the good news is, it doesn’t have to be that way. There are plenty of reliable, secure cloud service providers out there that can keep your data safe. We’re going to review the four best HIPAA compliant cloud storage providers in this article. But first, let’s discuss what makes a cloud service provider HIPAA compliant.
What Does it Mean for a Cloud Provider to Be HIPAA Compliant?
When a health care organization utilizes a cloud storage provider, it will most likely be using the platform to store, process, maintain and transfer protected health information, or PHI. PHI is individually identifiable health information; the identifiers that make health data identifiable include names, dates, Social Security numbers, biometric identifiers (retinal scans, fingerprints, etc.), account numbers, and more.
Under the HIPAA Rules, patients have certain rights when it comes to their medical data, and this includes the protection of their information. Cloud service providers used by health care organizations must commit to protecting this information as well in order to comply with HIPAA. This is because the HIPAA regulations define these providers as business associates.
What is a Business Associate?
According to HIPAA, there are two types of entities that must comply with the HIPAA Rules: covered entities and business associates. Covered entities are the health care providers, health plans and clearinghouses we all think about when we hear the word HIPAA. Business associates, on the other hand, may not come to mind but are just as responsible.
Business associates are third-party providers that covered entities utilize to help carry out functions that involve PHI. These providers can range from legal services and accounting firms to cloud storage platforms.
Under the HIPAA Privacy Rule, covered entities can, “disclose protected health information to business associates if the providers or plan obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”
So, as the law treats cloud providers as business associates, these providers must maintain the standards listed above. That all starts with a business associate agreement (BAA), in which the business associate commits to its role of protecting PHI under HIPAA. Note that HHS guidance treats a cloud service provider that stores electronic PHI as a business associate even when the data is encrypted and the provider holds no decryption key. But just because a cloud storage provider signs a BAA does not mean it is the best for the job.
So, to help you out, here are our top four HIPAA compliant cloud storage providers.
Top Four HIPAA Compliant Cloud Storage Providers
In no particular order, these providers will sign a BAA, along with providing an easy, secure way to configure the platform to maintain HIPAA compliance.
1. Microsoft OneDrive
Microsoft OneDrive is a solid cloud storage option for health care providers. Through Office 365, Microsoft is willing to enter into a BAA with covered entities, and the BAA is automatically available to customers through the online service contract. Microsoft has undergone independent audits to verify that it has the privacy and security controls needed to comply with the HIPAA Rules, and the platform offers a mature set of security features.
But remember, just like the other three providers on this list, having a BAA in place does not make you HIPAA compliant. You are still responsible for using the platform in a way that conforms to the HIPAA Rules.
2. Box
Box is another excellent choice for health care providers looking for a HIPAA compliant cloud storage provider; in fact, Box markets heavily to health care customers. Box provides BAAs to Enterprise or Elite account holders, and the Box platform meets the obligations required by HIPAA and HITECH.
Similar to the other three providers mentioned on this list, a third-party auditor has evaluated Box to determine that the controls Box offers its customers can, in fact, meet HIPAA Rules for privacy and security.
One of the best features Box offers its health care clients is the ability to import, share, and view DICOM files (X-rays, CT scans, ultrasounds, and MRIs) securely in the cloud.
3. Google Drive
The third provider we're mentioning as one of the best HIPAA compliant cloud storage services is Google Drive. Google Drive offers BAAs for paid accounts, and the BAA must be signed before a covered entity starts storing PHI in the platform. However, just like the other platforms, a BAA does not mean a HIPAA covered entity is free to use the service with PHI any way it likes. The weight of configuration lies on the shoulders of the covered entity.
This configuration includes access controls, file syncing, link sharing, and more. One control covered entities must pay special attention to with Google Drive is third-party apps and add-ons. External apps and tools are extremely popular in the Google ecosystem, but the BAA is only between Google and the covered entity; it does not cover these third-party add-ons, so any app that can read Drive contents needs to be vetted (and covered by its own BAA if it will handle PHI) or blocked by the administrator.
4. Amazon S3
And last but not least, Amazon S3 is another cloud storage service that can be configured for HIPAA compliance. AWS even offers reference architecture templates to help customers set up an environment for HIPAA-regulated workloads. When organizations set up and maintain security settings correctly, HIPAA compliance is entirely possible in this cloud environment.
Along with signing a BAA, Amazon provides the security controls its customers need, such as encryption at rest, access policies and logging, but it is up to the customer to turn them on and keep them on.
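Because both the Google Drive and Amazon S3 sections above put the burden of configuration on the covered entity, here is a concrete check a practitioner can run. The script below is an added example, not code from the original article, from AWS or from any of the providers discussed. It audits an S3 bucket's settings against a common baseline (default encryption at rest, all four public access block settings on, a bucket policy that denies non-TLS requests, versioning, and server access logging). The baseline is a reasonable set of controls, not a list endorsed by HHS or AWS. The two bucket configurations are constructed inline in the JSON shapes that boto3's get_bucket_encryption, get_public_access_block, get_bucket_versioning, get_bucket_logging and get_bucket_policy return, so the script runs offline; the bucket name, account number and KMS key ID are placeholders.

```python
"""Audit an S3 bucket configuration against a HIPAA-oriented baseline.

Added example, not part of the original article or AWS's own tooling.
Inputs mirror the dict shapes boto3 returns, but are constructed here so
the script runs without AWS credentials or network access.
"""
import json


def tls_only_denied(policy: dict) -> bool:
    """True if the bucket policy has a Deny statement for requests
    made without TLS (the aws:SecureTransport = false condition)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        # In a real policy the value is the string "false"; accept a bool too.
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []

    # 1. Default server-side encryption (SSE-S3 or SSE-KMS) must be configured.
    rules = (cfg.get("encryption", {})
                .get("ServerSideEncryptionConfiguration", {})
                .get("Rules", []))
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption")

    # 2. All four Block Public Access settings must be on.
    pab = cfg.get("public_access_block", {}).get("PublicAccessBlockConfiguration", {})
    for key in ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(key, False):
            findings.append(f"public access block: {key} is off")

    # 3. Versioning protects against accidental or malicious overwrite/delete.
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")

    # 4. Server access logging gives an audit trail of who touched the data.
    if not cfg.get("logging", {}).get("LoggingEnabled"):
        findings.append("server access logging not enabled")

    # 5. The bucket policy must reject cleartext (non-TLS) requests.
    policy_doc = cfg.get("policy", {}).get("Policy")
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else (policy_doc or {})
    if not tls_only_denied(policy):
        findings.append("no policy statement denying non-TLS requests")

    return findings


# Constructed sample: a bucket left at risky settings (no encryption, public
# access block off, versioning suspended, no logging, no bucket policy).
WEAK_BUCKET = {
    "encryption": {},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "versioning": {"Status": "Suspended"},
    "logging": {},
}

# Constructed sample: the same bucket after hardening. Names and IDs are placeholders.
HARDENED_BUCKET = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "versioning": {"Status": "Enabled"},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                   "TargetPrefix": "phi-bucket/"}},
    "policy": {"Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket",
                         "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(f"{name}: {audit_bucket(cfg) or ['OK']}")
```

To run this against a live bucket, replace the constructed dicts with the responses from the corresponding boto3 calls (and treat a NoSuchBucketPolicy or ServerSideEncryptionConfigurationNotFoundError exception as the equivalent of the missing key). The checks are deliberately conservative: an empty findings list means the listed controls are present, not that the bucket is HIPAA compliant, since that also depends on IAM policies, key management, and the organization's own procedures.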
HIPAA Compliance in the Cloud
In the end, health care providers have many options for HIPAA compliant cloud storage. Many people mistakenly believe that health care organizations can't take advantage of cloud technology because of the security constraints they operate under. That is simply not the case.
But health care providers do have to keep in mind that having a cloud provider sign a BAA is not enough for HIPAA compliance. Providers have to configure their chosen cloud in a way that protects patient data and follows the HIPAA Privacy and Security Rules. Ultimately, the covered entity is responsible for making sure regulatory standards are being followed.
So, make sure you evaluate any cloud provider before transferring any PHI to the cloud. You don’t want to get stuck in violation of HIPAA because of a configuration mistake on your end. If you are a health care organization looking to make the move to the cloud, you can take our free assessment. We will help you determine the best route to the cloud, including how to keep all of your data protected.