HIPAA compliant cloud storage depends on several factors. To use cloud storage and remain HIPAA compliant, it is important to ensure that the cloud service provider (CSP) has sufficient safeguards in place to secure the protected health information (PHI) it transmits, stores, or maintains on behalf of its covered entity (CE) client. Additionally, the CSP must be willing to sign a HIPAA business associate agreement (BAA).
Security Measures for HIPAA Compliant Cloud Storage
Cloud service providers must have certain measures in place to secure PHI and track access to PHI. These include the following:
- Access controls: each person with the ability to access data stored by the CSP must have unique login credentials. The HIPAA minimum necessary standard requires access to PHI to be limited, so that it is only accessed for a specific purpose. Unique logins allow organizations to assign different levels of access to PHI based on an employee's job function.
- Audit logs: unique login credentials also allow audit logs to be created. Audit logs establish normal access patterns for each employee (what information they access, how frequently they access it, and for how long). Knowing each employee's access patterns, and noticing when activity departs from them, is the key to detecting insider breaches.
- Encryption: HIPAA compliant cloud storage platforms should use end-to-end encryption (E2EE). E2EE protects sensitive data by converting it into ciphertext that can only be read with the corresponding decryption key. E2EE is the best way to prevent unauthorized access to PHI.
- Data backup: HIPAA requires healthcare organizations, and their business associates, to back up patient data. Data backups ensure that organizations that experience a breach or a natural disaster are able to restore data quickly.
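One way to act on the audit-log point above, as an added example that is not from the original article: build a per-user baseline from audit records and flag a day on which a user touches far more patient records than their own history suggests. The CSV log format, the constructed log lines and the threshold rule are assumptions, not any provider's real format.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample audit log (not real data): timestamp,user,patient_id
AUDIT_LOG = """\
2024-03-01T08:05:00,nurse1,P101
2024-03-01T14:10:00,nurse1,P102
2024-03-02T08:15:00,nurse1,P101
2024-03-02T13:40:00,nurse1,P103
2024-03-04T22:01:00,nurse1,P201
2024-03-04T22:03:00,nurse1,P202
2024-03-04T22:04:00,nurse1,P203
2024-03-04T22:06:00,nurse1,P204
2024-03-04T22:07:00,nurse1,P205
2024-03-04T22:09:00,nurse1,P206
2024-03-01T10:00:00,clerk1,P301
2024-03-02T10:30:00,clerk1,P302
"""

def parse_log(text):
    """Return (user, date, patient_id) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            events.append((parts[1], parts[0][:10], parts[2]))
    return events

def daily_record_counts(events):
    """Distinct patient records each user touched per day: {user: {date: n}}."""
    seen = defaultdict(set)
    for user, date, patient in events:
        seen[(user, date)].add(patient)
    counts = defaultdict(dict)
    for (user, date), patients in seen.items():
        counts[user][date] = len(patients)
    return counts

def flag_anomalous_days(events, factor=3.0, min_history=2):
    """Flag a day whose record count exceeds mean + factor * pstdev of the user's
    other days (pstdev floored at 1 so a perfectly flat baseline still works)."""
    flagged = []
    for user, per_day in daily_record_counts(events).items():
        for date, n in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != date]
            if len(others) < min_history:
                continue  # too little history to judge this user yet
            threshold = mean(others) + factor * max(pstdev(others), 1.0)
            if n > threshold:
                flagged.append((user, date, n, round(threshold, 1)))
    return flagged
```

In the sample data only nurse1's late-evening burst on 2024-03-04 is reported; clerk1 has too little history to be judged either way.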
Signing a Business Associate Agreement
A key component when looking for a HIPAA compliant cloud storage provider is its willingness to sign a business associate agreement (BAA). A BAA must be signed with each business associate before any PHI can be created, stored, maintained, or transmitted on behalf of a covered entity. However, even with a signed BAA, it is up to the customer to configure the cloud platform so that it is actually used in a HIPAA compliant way.