What is HIPAA Compliant Cloud Hosting?

Storing your data in the cloud offers both convenience and security. But if your organization works with protected health information, you must choose your cloud service provider carefully, because that provider must be HIPAA compliant. To help you choose the right cloud provider, this article discusses what HIPAA compliant cloud hosting requires.

HIPAA Compliant Cloud Hosting: Data Access

HIPAA requires employees to only have access to the protected health information (PHI) that they need to perform their job, known as the minimum necessary standard. Under HIPAA, data must also be readily available to users that need access, and must remain confidential.

For HIPAA compliant cloud hosting, the following measures must be enabled for data access: 

User Authentication. To ensure that users are who they claim to be, user authentication is a must. Your cloud service provider (CSP) should give you the ability to issue unique login credentials to each of your employees. In addition, multi-factor authentication (MFA) should be provided. MFA requires employees to present more than one credential to access a platform, such as a username and password in combination with security questions, a one-time PIN, or biometrics.

Access Management. For HIPAA compliant cloud hosting, the provider should enable you to designate different levels of access to data based on an employee’s job role.

Audit Logs. To ensure adherence to the minimum necessary standard, it is important to track and log who accessed which data and when. A HIPAA compliant cloud hosting provider should give you the ability to do so.

Reliability, Accessibility, and Ownership. Electronic Health Records (EHRs) have become the industry standard, so the system hosting PHI must be reliable and easily accessible. This makes a CSP's uptime score extremely important. An uptime score is generally expressed as a percentage of time during which the provider's systems are functional and reachable. Additionally, should you choose to end your business relationship with your cloud hosting provider, they must give you the ability to easily extract your data.
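The three data-access measures above (unique, MFA-backed identities; role-based access tied to the minimum necessary standard; and an audit trail of every access attempt) are easiest to reason about together. The following is an added example written for this article, not code from Compliancy Group or from any cloud provider: a small in-memory PHI store that filters each read down to the fields a role is permitted to see, refuses reads from sessions without MFA, and records every attempt so a reviewer can later find requests that exceeded a role's scope. The roles, field names, and the patient record are all constructed for illustration.

```python
"""Role-based PHI access gate with field-level minimum-necessary filtering
and an audit log. Added illustration; roles, fields and records are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> permitted PHI fields (minimum necessary per job role).
# A billing clerk never sees clinical notes; a nurse never sees insurance IDs.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "notes", "medications"},
    "nurse": {"name", "dob", "medications"},
    "billing": {"name", "dob", "insurance_id"},
}

# Constructed sample record; no real patient data.
RECORDS = {
    "pt-1001": {
        "name": "Jane Example",
        "dob": "1980-01-01",
        "diagnosis": "constructed-diagnosis",
        "notes": "constructed-clinical-note",
        "medications": ["constructed-med-a"],
        "insurance_id": "INS-0001",
    }
}


@dataclass(frozen=True)
class Session:
    """Who is asking. `mfa_verified` models the MFA step described above."""
    user: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    record_id: str
    requested: tuple
    granted: tuple
    outcome: str


@dataclass
class PHIStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, session, record_id, fields):
        """Return only the permitted fields of a record; log every attempt."""
        allowed = ROLE_FIELDS.get(session.role, set())
        requested = set(fields)
        granted = requested & allowed
        if not session.mfa_verified:
            outcome = "denied:mfa_required"
        elif session.role not in ROLE_FIELDS:
            outcome = "denied:unknown_role"
        elif record_id not in self.records:
            outcome = "denied:no_such_record"
        elif not granted:
            outcome = "denied:no_permitted_fields"
        elif granted != requested:
            outcome = "partial"  # some requested fields fell outside the role
        else:
            outcome = "granted"
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=session.user,
            role=session.role,
            record_id=record_id,
            requested=tuple(sorted(requested)),
            granted=tuple(sorted(granted)),
            outcome=outcome,
        ))
        if outcome.startswith("denied"):
            return {}
        record = self.records[record_id]
        return {name: record[name] for name in sorted(granted) if name in record}


def flag_for_review(audit_log):
    """Review helper: every attempt that was not fully within the role's scope."""
    return [entry for entry in audit_log if entry.outcome != "granted"]


if __name__ == "__main__":
    store = PHIStore(records=dict(RECORDS))
    doc = Session("dr_smith", "physician", mfa_verified=True)
    print(store.read(doc, "pt-1001", ["diagnosis", "notes"]))
    clerk = Session("clerk_01", "billing", mfa_verified=True)
    print(store.read(clerk, "pt-1001", ["diagnosis"]))  # {} and a denied entry
    for entry in flag_for_review(store.audit_log):
        print(entry.user, entry.role, entry.outcome, entry.requested)
```

The point of logging the requested fields alongside the granted ones is that a "partial" or "denied" entry is exactly what a minimum-necessary review looks for: a user whose job role does not cover the data they asked for, regardless of whether the gate blocked it. In a real deployment the audit log would be written to an append-only store rather than a list.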

HIPAA Compliant Cloud Hosting: Security Requirements

An important part of determining which cloud service provider is right for you is assessing the security features that they offer. HIPAA compliant cloud hosting requires safeguards to be in place to ensure the confidentiality, integrity, and availability of PHI.

Gerry Miller, cloud industry veteran, states, “The cloud is more secure than your data center, because these cloud providers offer security for millions of consumers, so they’re better at it than a hospital CIO can be.”

Security features to look for in HIPAA cloud hosting include:

Encryption. The best way to protect your sensitive data is through encryption. Encryption renders data unreadable to anyone who does not possess the decryption key. A HIPAA compliant cloud hosting provider offers encryption for accessing, sending, receiving, and storing data. Two methods are used to accomplish this. For a secure connection when accessing data, it is essential that your cloud provider supports a virtual private network (VPN). A VPN establishes an encrypted connection before data is accessed, preventing unauthorized users from viewing it. Additionally, end-to-end encryption (E2EE) ensures that data in transit (data being sent or received) and data at rest (data being stored) remain secure.

Firewall. To provide an additional layer of protection, it is essential that a firewall is used. A strong firewall will include an intrusion prevention system which prevents unauthorized users from accessing your data.

Data Backup. An important requirement for HIPAA compliant cloud hosting is data backup. Should you or your cloud service provider experience a breach or natural disaster that compromises your data, it is essential to have an offsite data backup. Offsite data backups prevent you from losing your patient files and other business critical data should the original copies be destroyed or compromised.

HIPAA Compliant Cloud Hosting: Business Associate Agreements

HIPAA cloud hosting requires the cloud service provider to sign a business associate agreement (BAA). Providers that are unwilling or unable to sign a BAA cannot be used for HIPAA compliant cloud hosting. But what is a BAA? A BAA is a legal document that dictates the security measures that a business associate, in this case the cloud service provider, is required to have in place. It also requires each of the signing parties to agree to be responsible for maintaining their HIPAA compliance.

For more information on HIPAA compliant cloud hosting, please reference the HHS website.