There is no doubt that data storage in the cloud has many benefits for healthcare organizations; however, if electronic protected health information (ePHI) is to be stored in the cloud, it is necessary to use a HIPAA compliant cloud drive – a HIPAA compliant cloud storage solution from a cloud service provider (CSP).
HIPAA and Cloud Computing
The Health Insurance Portability and Accountability Act was enacted just as the use of virtual computers started to gain popularity in the 1990s; however, it was not until the early 2000s that cloud computing really took off, although healthcare organizations were slow to embrace the cloud. The situation is very different today. According to Market Data Forecast, in 2022 the healthcare cloud computing market was worth $5.22 billion and it is expected to reach $201.1 billion by 2032. 90% of healthcare organizations are already using cloud-based services or plan to use them by 2025.
Even though cloud computing services have now been widely adopted by healthcare organizations, there is no mention of cloud computing in the HIPAA text. HIPAA was deliberately written to be technology agnostic, so that the HIPAA Rules could be applied to new technologies as they were introduced. Cloud services can be used by HIPAA-regulated entities, as long as they are fully compliant with the HIPAA Privacy and Security Rules. Healthcare organizations that have yet to transition to the cloud may be unaware of what a HIPAA compliant cloud drive is, how HIPAA compliant cloud storage differs from other cloud storage services, and how they can ensure HIPAA compliance in the cloud, all of which are explained below.
What is a HIPAA Compliant Cloud Drive?
Technically, there is no such thing as a HIPAA compliant cloud drive, as no cloud server can be truly HIPAA compliant in itself. HIPAA compliance depends on the actions of the people who configure and use the service. Even if appropriate security is applied to protect ePHI in the cloud, if healthcare organizations misconfigure settings or do not implement appropriate access controls, ePHI could easily be exposed over the Internet, thus violating the HIPAA Rules.
That said, many CSPs offer HIPAA compliant cloud storage to HIPAA-regulated entities. What this means is the service they offer incorporates all of the necessary security controls to ensure the confidentiality, integrity, and availability of ePHI and prevent impermissible disclosures. Those controls apply to ePHI at rest (stored on cloud servers) and in motion to and from the cloud server or service. Access controls can be configured to restrict access to ePHI to ensure only authorized individuals can view, alter, or transmit data, and audit logs are maintained of successful and unsuccessful access attempts and any alterations to ePHI.
A HIPAA compliant cloud service provider will ensure that safeguards are incorporated into the platform to ensure that it can be used in a HIPAA-compliant way; however, it is up to each HIPAA-regulated entity to ensure that the controls are correctly configured and the service is used in a manner that is compliant with the HIPAA Privacy and Security Rules.
A Business Associate Agreement Must be Obtained from a Cloud Service Provider
If a HIPAA-regulated entity engages the services of any vendor to create, receive, maintain, or transmit ePHI on their behalf, that vendor is classed as a business associate under HIPAA. If cloud services are used in connection with any ePHI, including the processing and storage of ePHI in the cloud, the CSP is a business associate and has responsibilities under HIPAA, even if the CSP only stores encrypted ePHI and does not hold an encryption key for the data. Any subcontractors used by the CSP are also business associates of the CSP and must also comply with certain requirements of the HIPAA Rules.
HIPAA-regulated entities must obtain a HIPAA compliant business associate agreement from the CSP before any HIPAA-covered data is uploaded to the cloud, and a CSP must obtain a HIPAA compliant business associate agreement from any third-party vendor before allowing them access to a HIPAA-regulated entity’s environment. The CSP and any subcontractors used are contractually liable for meeting the terms of the business associate agreement and are directly liable for compliance with the applicable requirements of the HIPAA Rules. If a CSP is not prepared to sign a business associate agreement, their services must not be used in connection with any ePHI.
In addition to a business associate agreement (BAA), many covered entities address other requirements through a service-level agreement (SLA). The BAA outlines the responsibilities of the CSP with respect to HIPAA, while the SLA deals with technical aspects such as availability and reliability of the service, data backups and recovery, the security responsibilities of each party, and how any stored data will be returned when the service is no longer used.
HIPAA Compliant Cloud Storage Requires More than a BAA!
Covered entities must obtain a BAA prior to any cloud service being used in conjunction with ePHI, but having a BAA is not sufficient to avoid a penalty for noncompliance with HIPAA Rules. Before any cloud service is used, covered entities must conduct a comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and must subject any identified risks to a risk management process to reduce them to a low and acceptable level. Policies and procedures must be developed and implemented covering the use of the cloud service, and training must be provided to the workforce on the HIPAA-compliant use of cloud services.
Access controls must be configured correctly to ensure that only authorized individuals are able to access cloud-stored data. Even though a HIPAA compliant cloud drive may meet the requirements of the HIPAA Security Rule, covered entities must ensure they are fully compliant with the requirements of the HIPAA Privacy Rule. Covered entities should implement single sign-on, multifactor authentication, automatic logoff controls, and secure passwords, and procedures should be developed to ensure ePHI remains available in emergencies.
Audit controls are required to ensure all activities in relation to ePHI are recorded. HIPAA-regulated entities are required to conduct regular checks of logs to monitor for unauthorized activity and regulators may require access to those logs in the event of an audit or compliance investigation. Any data stored in the cloud should be encrypted and covered entities must ensure data uploaded to the cloud is encrypted in transit. The encryption algorithms used should meet the standards of the National Institute of Standards and Technology (NIST).
What Cloud Storage is HIPAA Compliant?
Many CSPs offer HIPAA compliant cloud storage and file-sharing services and are willing to sign BAAs with HIPAA-regulated entities. Sync is one of the current market leaders and is used by many healthcare providers for storing files in the cloud and for private and secure file sharing, including Mount Sinai Hospital, Doctorcare, Equalize Health, and the Canadian Red Cross. The platform allows mission-critical files to be accessed easily by authorized individuals from any computer, mobile device, or the web, no matter where care is provided. Sync signs business associate agreements with HIPAA-regulated entities and supports HIPAA compliance, PIPEDA compliance for Canadian healthcare companies, GDPR compliance for European healthcare providers, and other privacy and security regulations. The platform integrates with Microsoft Office 365, Windows and macOS desktops, and mobile devices, and all data is protected with strong encryption, robust access controls, and state-of-the-art security.
Many cloud service providers offer a variety of plans to meet the needs of individuals and businesses; however, not all plans are covered by business associate agreements. For example, Sync offers a HIPAA compliant cloud drive and will sign a BAA, but only for the Sync Professional and Teams Plans. HIPAA-regulated entities must sign up for a Professional or Business Plan and obtain a signed BAA before the service is used.
While there is no mention of HIPAA cloud storage and cloud computing in the HIPAA text, healthcare organizations can engage the services of CSPs and use their platforms to reduce costs, improve productivity, and connect and communicate more easily, provided they use HIPAA-compliant cloud services and obtain a BAA from the CSP. You can find out more about HIPAA cloud storage from the HHS, which recently published guidance for HIPAA-regulated entities on HIPAA compliant data storage in the cloud and the use of other cloud services in connection with ePHI.
The post What is a HIPAA Compliant Cloud Drive? appeared first on HIPAA Journal.