As an MSP working with healthcare clients, you must consider compliance. This is because there are several areas in which you can interact with patient data. This may include backups, fileshare platforms, hosted VoIP, or any other cloud apps that have access to client data. Your healthcare clients need to trust that you are using HIPAA compliant tools to manage their data, including the cloud storage solution you use. So, what do you need to know about HIPAA and compliant cloud storage?
What’s Your HIPAA Responsibility?
Did you know that if you store ePHI, even if it’s encrypted, and EVEN if you never hold the keys, you are STILL a Business Associate under HIPAA?
The HHS released guidance on this because so many business associates don’t think they need to comply with HIPAA: “When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.” Read more of the guidance here.
When you service the healthcare vertical, you must meet certain HIPAA standards. Along with ensuring the CSP you choose to manage your client’s data is HIPAA compliant, you must also take the steps necessary to be HIPAA compliant. You, yourself, must ensure the confidentiality, integrity, and availability of PHI. To do so, you must implement administrative, technical, and physical safeguards. You must also sign a business associate agreement with each of your healthcare clients, and ensure that your clients have signed BAAs with the CSP and other tools used to manage their account.
HIPAA and Cloud Storage: Choosing a Vendor
When choosing which vendor is right for your healthcare clients, it is important to understand what HIPAA requires from cloud storage solutions.
HIPAA compliant cloud storage providers must have measures in place to ensure the confidentiality of patient data stored on their servers. All ePHI on cloud storage needs to be encrypted so that a breach of the storage does not expose readable patient data. Multi-factor user authentication and role-based access are also key to preventing unauthorized or improper data access.
To prevent patient data from being improperly altered, cloud storage solutions should support baselining and cryptographic hashing of stored data, and the platform must be configured for HIPAA compliance. Various methodologies help ensure data integrity in cloud storage, including high-availability and integrity layer (HAIL) and provable data possession (PDP). There are also several cloud security management solutions that continuously compare the current state of cloud data with the last known good state and notify admins of any mismatch.
Readily Available Patient Health Records
Part of HIPAA compliance requires healthcare organizations to maintain exact retrievable copies of patient records in an offsite storage facility. No, backing up to an external hard drive and taking it to your house at night doesn’t count! HIPAA requires that you back up your data offsite, and you need to be able to PROVE you can retrieve an exact copy of all ePHI in the case of a disaster or attack, which, as you probably know, is best done through the cloud.
This actually leads to one of the more serious mistakes businesses make when working with cloud service providers – they assume that because it’s in the cloud, it’s automatically backed up. Unfortunately, this is NOT the case. For example, two of the largest and most commonly used cloud vendors (Microsoft and Google), both make clear in their Customer Agreement that your data is NOT backed up in their cloud. Microsoft even goes so far as to recommend that you use a third party to back up all data in their cloud. HIPAA compliant cloud backup is essential to incident management and implementing a successful disaster recovery plan.
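The baselining-and-hashing approach described in the integrity section, and the requirement above to prove that a restored copy of ePHI is exact, can both be checked with the same tool. The script below is an added example, not code from the original article or from any vendor it names: it records a SHA-256 baseline of a known-good store, then verifies a restored copy against it and reports altered, missing and unexpected files. The file names and contents are constructed sample data, not real patient records.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so large records are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Known-good state: relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_baseline(baseline: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Compare root with a saved baseline: changed hashes, absent files, files not baselined."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: baseline a primary store, then check a flawed restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, restored = Path(tmp) / "primary", Path(tmp) / "restored"
        records = {"pt-0001.txt": b"sample record A",        # constructed, not real PHI
                   "pt-0002.txt": b"sample record B",
                   "notes/visit.txt": b"sample visit note"}
        for name, data in records.items():
            for store in (primary, restored):
                (store / name).parent.mkdir(parents=True, exist_ok=True)
                (store / name).write_bytes(data)
        baseline = build_baseline(primary)          # taken while the store is known good
        (restored / "pt-0002.txt").write_bytes(b"sample record B, altered")  # silent corruption
        (restored / "notes/visit.txt").unlink()                                # restore gap
        result = verify_against_baseline(baseline, restored)
        if any(result.values()):
            print("INTEGRITY MISMATCH, notify admins:", result)  # hook your alerting here
        return result


if __name__ == "__main__":
    demo()
```

In practice the baseline dictionary would be written to a location the storage account cannot modify and re-run on a schedule and after every test restore.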
Privacy and Security of PHI
HIPAA requirements for the cloud are the same as for a traditional data center. This means that end-to-end encryption is a must. Additionally, data access must be traceable. With this said, many CSPs have taken the necessary steps to encrypt data in accordance with HIPAA law. However, not all cover the full regulation. Therefore, it is your responsibility as your client’s trusted advisor to know whether the CSP has met all security requirements, or whether you need to take additional measures to protect your clients’ data. Does the CSP offer MFA? Can role-based access controls be implemented? Are there audit trails?
Accessibility and Ownership of Data
The HIPAA Privacy Rule dictates that healthcare organizations have access to their data. This is particularly important when a client ceases to use the provider. HIPAA compliant CSPs are required to allow healthcare clients to extract their data at the end of service.
Business Associate Agreements
When storing or maintaining PHI, CSPs are considered business associates under HIPAA. Consequently, healthcare organizations need to have business associate agreements (BAAs) in place with CSPs before they can use their service. The obligation of getting these signed BAAs will fall to you. It is important to note that even if a cloud provider meets all necessary security requirements, it is not HIPAA compliant if the provider will not sign a BAA.
Some provisions you should look for in a cloud storage solution’s BAA include:
- Secure data transmission and storage
- Controlled data access
- Access logging for your healthcare clients’ information
Examples of HIPAA Compliant Cloud Storage Solutions
- Microsoft Azure
- Acronis Cyber Cloud