How to Choose a HIPAA Compliant Cloud Storage

In healthcare, compliance with data regulation is a life-or-death matter. The misuse of patient data leads to ethical conflicts, compromises the reputation of the institution, and even impacts diagnosis and treatment. If you are building a healthcare solution or work in a health-related organization, you need to be especially careful about storage practices. 

This article will share our experience of selecting a HIPAA Cloud storage and talk about its compliance with the Health Insurance Portability and Accountability Act (HIPAA). We’ll see how existing providers adhere to official recommendations and examine typical risks.

What’s HIPAA?

It’s an act that protects health workers and patients, in particular their private data and electronic records. The act consists of five parts: 

• The first title protects health workers providing them insurance if they lose their jobs;
• The second title establishes national standards for electronic transactions for healthcare among providers, insurance companies, and employers;
• Title three species tax requirements for medical spending entities;
• The fourth title encompasses guidelines for public group health plans;
• Title five regulates insurances provided by companies to their employees. 

It’s a go-to document for all healthcare institutions and professionals. For data management purposes, organizations refer to the second title that specifies the rules of handling electronic records. 

Basic HIPAA Terminology

Electronic health record (EHR) is a digital record that is generated in a healthcare institution and describes medical history, treatment, laboratory results, demographics, personal information.

Health information: all kinds of data collected by healthcare provider, employer, and relates to patients’ medical history, health, demographics. 

HIPAA audit – the process of verifying a company’s compliance with HIPAA requirements. The company designates an example of a team to examine current policies and mechanisms of their enforcement. The audit checks communication within the healthcare company employees and patients, the regulations for storing electronic health records, and practices for crisis management. 

Basic ePHI System – a system responsible for creation, access, and management of ePHIs. A system can be used by a single user or by a group of people. 

Contingency Plan (CP) – a sequence of action that the organization team takes if the system was compromised. The contingency plan addresses critical resources and mechanisms for dealing with security breaches, organizational crises, and disasters. 

Requirements for HIPAA Compliant Cloud

HIPAA compliant storage must respond to specific requirements regarding patient records security and the enforcement of security policies. When choosing storage options for your healthcare platform, the first step to take is to examine HIPAA safeguards and integrate them into the architecture.  

Technical Safeguards

From the tech perspective, HIPAA compliance starts with a secure architecture. According to the official documentation and best practices, followed by leading healthcare institutions, we can summarize these criteria to the HIPAA compliance database in a list. 

• Secure transmission. A HIPAA-compliant system must ensure the safe easy to transmit patient records across multiple users within the organization. The system should prevent malicious attempts to access data and assure that everyone is acting in good faith. 
• Controlled access: a strict mechanism regulating data availability is a necessity in a healthcare platform. All users must know their access permissions, and designated authorities must be altered if those are breached. 
• System integrity: each HIPAA-compliant system should have a system for forbidding attempts to tamper with the data. The provider should have a policy for editing and deleting any patient and employee records – and enforce it with tech mechanisms. 

Technical safeguards describe the criteria for the software system. Software architects, developers, and security engineers should foresee possible threats, develop the most probable use cases. With HIPAA compliance, it’s important to avoid making hasty assumptions about user behavior and insights – if anything, it’s better to err on the cautious side. This is why achieving these safeguards requires a lot of analytical work, research, and competitor analysis. 

Physical Safeguards

Along with ensuring the security of the software, controlling hardware is just as important. By gaining control directly of the device, the cybercriminal might receive access to the digital platform and work with hard drive storage of patient data. Even if you are relying on the cloud for ePHI storage, protecting hardware is still a priority.

• Device protection: the organization of workstations across the institution should be complied with HIPAA and overseen by cybersecurity experts. Rooms where servers and PCs are stored should have their specific access rules. In case the protection is breached, the team should jump-start a contingency plan. 
• Facility access: data centers should be available only to authorized personnel.

Administrative Safeguards

Data administration is often a weaker link in HIPAA compliance. When you are considering storage, you should look at what administration management features the platform offers. So, we compiled a list of the crucial considerations. 

• Assessment: the HIPAA compliant cloud hosting provider should be opened about the extent of HIPAA compliance of the storage. The vendor should participate in consults and help you devise administration plans. 
• Staff management and training: the vendor should provide you with their knowledge base. If they worked with healthcare providers before, it’s likely that Cloud functionality is already explained in HIPAA terms. This is why we encourage our clients to cooperate with established storages with a long-standing legacy of HIPAA compliance. 
• Data access management: each organization creates a separate plan for data access and quality management. A vendor can get you started with official tutorials and documentation, but ultimately, your team should set up the workflow independently. A good place to start is holding a meeting with software developers and cybersecurity aspects and discussing the system’s potential vulnerabilities. No healthcare system is perfect – it’s important to know where the weak spots might be – and devise protection mechanisms for those.
• Predicting crisis and damage. Working together with a Cloud vendor, the team should examine common threats and develop a detailed workflow for each of them. 

The process of meeting administration HIPAA safeguards is twofold. On the one hand, the vendor team is responsible for onboarding your team with official documentation, tutorials, and best practices applicable specifically for their infrastructure. On the other hand, the team must adapt these materials to their architecture and workflows. 

Can HIPAA Data be Stored in the Cloud?

According to the official HIPAA guidelines, healthcare institutions can use HIPAA compliant Cloud storage for ePHI processing. As long as you ensure that your chosen vendor has complied with HIPAA, there will be no legal issues. 

Requirements for Collaboration with a Cloud Provider

1. The Cloud Service Provider (CSP) should provide a possibility to conduct risk analysis and establish independent risk management policies. In other words, it should be open to security audits and collaboration, in particular to information exchange. 
2. Both participants vouch for taking responsibility for the integrity and security of created and stored ePHI. These conditions are usually signed in a specific agreement. If there’s no such documentation, the Cloud provider might choose to decline responsibility for data integrity – and this practice jeopardizes the company during a safety crisis. 
3. A HIPAA-compliant Service Level Agreement should state the conditions for ensuring system availability, data backup practices, ways to return data to the customer after the cooperation was over, ways to transfer information, and responsible entities for maintaining security. 
4. Even if the Cloud companies store only encrypted files and don’t possess the decryption fee, they are still responsible for adhering to HIPAA. If there’s a security breach., the team will be responsible together with the healthcare institution. 
5. Encryption alone isn’t considered to be a stable protection measure, according to HIPAA. For one, it doesn’t ensure the integrity of the data – even an encrypted file might be corrupted by malware or get to unauthorized individuals. 
6. All collaboration between a healthcare institution and a Cloud vendor should be no-view – the provider has no insight into health records. 

However, even when an organization chooses a Cloud vendor, the team can’t shift the responsibility for data safety. The majority of contractual agreements contain two-fold guarantees – both a vendor and institution should adhere to strict security practices. If a healthcare organization fails to do so, the responsibility of the breach will be fully allocated to the team. 

Best HIPAA Compatible Cloud Vendors

There’s no HIPAA-compliance certifications for Cloud vendors. The only way to prove the reliability of a vendor is by verifying reviews, scientific publications and referring to vendors’ official resources. As an enterprise development team, we often connect our clients to reliable Cloud vendors – so here’s our take on the most reliable providers. 

AWS Cloud

AWS official documentation guarantees the full compatibility of the service with HIPAA and other healthcare data security regulations. To implement HIPAA-required settings, users can deploy Quick Start – a feature that deploys a safe, HIPAA-compatible environment. 

• You get ready architecture maps that provide data structure and explained information management processes.
• Quick Start features CloudFormation Templates that offer the structured framework for all AWS resources. 
• AWS infrastructure is regulated by strict security standards, and customers have real-time updates on security controls. 

Dropbox

Dropbox Business complies with HIPAA requirements and offers legal documentation for extending Cloud security. US-based clients can sign a business associate agreement, assuring terms for HIPAA-compliant cooperation and extending guarantees. 

Is Dropbox HIPAA compliant? Yes, Dropbox Business functionality allows healthcare entities to: 

• Configure sharing permissions: functionality includes strict access filters and a flexible permission control system.
• Permanent deletions: Dropbox provides a possibility to indefinitely delete all health records.
• Monitoring account activity: business get real-time updates on their security controls.
• Safe third-party integrations: if the healthcare institution wants to integrate another service (a SaaS, for instance), Dropbox provides tools for verifying its safety compliance. 

Google Cloud

Google Cloud is highly compatible with HIPAA agreements – the vendor offers rich additional functionality for managing electronic health records and provides detailed guidance for establishing security best practices. In particular, the list of available services includes Access management features, AI platform, natural language processing, and translation features, Cloud Tasks, video catalog, and others. 

To sign a Business Associate Agreement, the healthcare organization should demonstrate its willingness to implement the recommended security practices:

• IAM security: the healthcare team takes full responsibility for viewing and managing the data. The vendor doesn’t interact with health records. 
• Setting up encryption: Google Cloud presumes that business associates should cooperate if they already have an encryption system set up on their side. To avoid encryption jeopardy, as most Cloud vendors, Google Cloud doesn’t encrypt data on its side. 
• Review audit logs. Google Cloud will provide the team with security logs, and your team should regularly review them. The terms are specified in the agreement. 
• Metadata management practices: files’ descriptions and titles should not feature any personal data from the records themselves. 

Microsoft OneDrive

Microsoft One Drive is compatible with HIPAA regulations and allows the signing Business Associate Agreement to all its customers who fall under HIPAA. However, the contract will not be personalized. It’s up to the healthcare company to create internal documentation for securing data – since Microsoft uses a standard agreement form for all cases.

The entire OneDrive is HIPAA compliant; however, the vendor doesn’t offer elaborate templates for creating increasingly safe infrastructure. Users only store Microsoft Cloud services to store data, taking full responsibility for its safety and integrity.

Microsoft helps to implement HIPAA compliance by offering detailed official guides. 

• Implementation guide for Azure, Dynamics, and Office 365 HIPAA compliance. This guide describes a step-by-step process of establishing a security data architecture and ensuring HIPAA’s compliance specifically within Microsoft’s ecosystem. 
• Practical guide to designing healthcare systems with Azure. If you are building a healthcare solution, you may want to refer to this document before devising information architecture. The document gives practical guidance on handling healthcare information during system development and usage. 
• HIPAA Security and Privacy Requirements in Microsoft Cloud: the full overview of Office 365 HIPAA compliance and best practices for meeting them. 

Carbonite

Cloud platform, emphasizing efficient data backup and data loss protection, is among the most affordable HIPAA-compliant Cloud solutions. The platform is often used by small healthcare businesses and platforms. This HIPAA compliant cloud backup ecosystem isn’t as versatile as in Amazon’s, Google’s, or Microsoft’s Cloud, making it just right for smaller businesses. 

The responsibility for setting up a secure workflow lies on the healthcare institution, however, the Carbonite team provides additional tools and guarantees: 

• Backup and Disaster Recovery: efficient contingency plans and data recovery systems are a cornerstone of HIPAA compliance. Carbonite has a simple algorithm for automating data backups and recovering records after virus attack, server failure, removal, or disaster. 
• All backed-up files are encrypted. To access encryption on Carbonite’s site, users should upgrade their plans to Backup Pro and Safe Server Backup features. 
• Compatibility with other strict data regulation. Along with HIPAA, the software is also compatible with the Massachusetts Data Security Compliance – one of the strictest data privacy acts out there. 

What to Do Now: Starting a HIPAA-Compliant Cooperation

1. Sign the Business Associate Agreement with the vendor. The agreement holds the Cloud service accountable for the breach. 
2. Determine the access permissions for the cloud vendor. It’s best to opt for no-show collaboration and reserve all the administering work to your team. It also means you’ll have to put in more work in securing the infrastructure but grants independence in the long run. 
3. Assess vendor’s compliance on your own. Research which healthcare institutions are working with your vendor of choice and research risks and past breaches. 
4. Communicate with your business associate’s security experts. Your vendor should be open to make recommendations to help you set up HIPAA-compliant practices. 
5. Make sure the vendor onboards you with detailed guides and policies for using a HIPAA compliant database. Their vision of security shouldn’t conflict with your organization’s practices. 
6. Check their HIPAA training. How are their teams trained to work under HIPAA regulations? Who is on the team responsible for handling healthcare corporations? 
7. Verify your vendor’s security protections. Their servers should be located in well-protected countries, under constant surveillance. Physical servers and hardware should correspond to the latest security standards. 
8. Check their contingency plan. Ask the vendor to present you with a detailed course of action for every type of security threat. 
9. Make sure that your vendor is financially stable, has no prior history of power outages and information deletion. 
10. Each agreement must have a clause that describes the conditions for terminating the cooperation and retrieving your data. 

Conclusion

Using Cloud to store healthcare data has a lot of advantages. Mainly, it allows the team to shift the portion of responsibility for the Cloud service provider. Efficiently, the institution only becomes responsible for few devices and doesn’t have to maintain its own server space. As a result, the responsibility area shrinks, as do potential risks and subsequent reputational damage. 

However, choosing the right vendor is a long-term investment that defines the safety of your organization. Unfortunately, not all providers are equally transparent about their HIPAA compliance practices. Similarly, not all providers have personalized onboarding programs for their HIPAA data storage. You will be managing data creation and administration on your own – even after acquiring expensive plans. 

To minimize the expenses and increase the yield, we recommend careful research of Cloud vendors. For some institutions. Well-established infrastructures like AWS or Google Cloud will be the best bet, while for smaller businesses, the financial commitment might be difficult to bear. So, you need to assess your organization’s needs and budget – and find vendors whose offers align with these requirements. 

If you already have a vendor in mind, our team can help you prepare the business associate agreement and create a HIPAA-compliant data structure. If you are still deciding, our Cloud development team and data security experts can contribute their expertise to the discussion and help you choose the best partner.