Introduction to HIPAA Compliant Cloud Storage

Using the cloud to store files that contain health information requires HIPAA compliant cloud storage. HIPAA (1996) and the subsequent HITECH Act (2009) require healthcare providers to implement particular safeguards for electronic protected health information, and many providers rely on HIPAA Compliant Hosting Providers (HCHPs) to maintain and disseminate their healthcare data. The choice of HCHPs is as varied as the types of services they provide: some process healthcare data on managed servers, while others take advantage of cloud servers. Cloud computing is a relatively new model for data storage and manipulation that provides easy access to data synchronized across multiple devices. That same ease of access to synchronized data creates challenges for HCHPs who claim to be HIPAA compliant.
HIPAA requires all business associates (BAs) of health care providers, including HCHPs, to sign a Business Associate Agreement (BAA) stipulating that they will abide by the rules and standards governing HIPAA. Further, HIPAA requires that all aspects of
HIPAA Compliant Cloud Storage Explained
There are questions as to whether HIPAA Compliant Cloud Storage providers are able to protect and secure data as the HIPAA regulations require. Since 2009, the Department of Health and Human Services (HHS), the governing body for HIPAA, has published breaches of healthcare information that affect more than 500 individuals. As of 2011, the most common breaches listed (63%) resulted from physical theft and the loss of physical items. In most instances, the compromise was due to negligence by, or theft from, persons in the health care industry. Paper records and portable devices such as hard drives, removable drives and laptops were the most vulnerable to breach. Since cloud storage removes the need to keep health information on such devices, many argue that HIPAA cloud storage may be a safer alternative to on-premise data storage.
Preliminary Indications of Sources of Breach
Using the data from 2011, HHS created seven categories of breach for electronic medical records (EMRs), and each of the seven categories involved on-premise systems, such as lost hard drives or hard drives stolen from employees. Most breaches were due to negligence, which is one area of vulnerability that may be reduced by HIPAA training and certification programs. It was not clear what percentage of breached healthcare providers used cloud storage, but the physical devices identified as most vulnerable to compromise are not needed for HIPAA cloud storage, since cloud storage means data is kept on servers and accessed through the Internet. The 2011 data shows that 16% of all breaches were due to unauthorized access or disclosure and only 6% were due to hacking or otherwise manipulating software and servers. Note that moving data to the cloud shifts the exposure rather than removing it: lost laptops drop out of the picture, but unauthorized access and server-side compromise become the categories that matter, and as more healthcare companies move data storage to the cloud, more breaches of that kind are possible.
Look Beyond Advertisements and BAAs
Since covered entities (CEs) remain responsible for protecting and securing health information whether they implement their own system or outsource health data processing, CEs must assess how well a chosen provider meets compliance requirements. In addition to implementing methods to protect and secure information, HIPAA requires CEs to document the methods put in place and to provide a rationale for adopting them. CEs should outsource only to providers that advertise themselves as HIPAA Compliant Cloud Storage providers and are also willing to sign the required HIPAA Business Associate Agreement (BAA). Even then, the responsibility falls on the CE to perform its own risk analysis to confirm that the chosen cloud storage provider meets all of the requirements of HIPAA; a signed BAA documents the provider's obligations but does not transfer the CE's own. CEs should establish a checklist of the requirements they will ask providers to meet.
Challenges of Implementing Risk Analyses
Where a chosen provider advertises that it has implemented a system of risk analysis to address the requirements, a covered entity cannot rely solely on that advertisement. A CE must produce documentation relative to its own particular use of the data, which means knowing more about a provider's HIPAA cloud storage than most cloud storage providers are willing to disclose. For example, encryption of data has been identified as a best practice, and most HIPAA Compliant Cloud Storage providers will have an encryption method in place, but CEs may not be able to document the type of encryption being used if the provider treats it as proprietary information. In that case a CE may need to encrypt data itself before upload, using an algorithm and keys it controls and can document, so that the provider's undisclosed encryption becomes an additional layer rather than the one the CE's documentation depends on. Auditing of access and attempted access to outsourced data storage is another area of concern when it comes to documenting practices, since the CE needs the provider's access logs to show who read what and when. CEs will have to ensure that these issues are resolved and that the agreed solution is spelled out in the BAA.
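To make the client-side option concrete, the following Go program is an added example (not code from the original article or from any provider it mentions) of encrypting a record with AES-256-GCM before it is handed to a cloud provider. The algorithm name, a non-secret key identifier and the nonce travel with the ciphertext so the covered entity can document exactly what protects the data regardless of what the provider does internally; the object path is bound in as associated data so a ciphertext copied to a different path fails to decrypt. The key, the record and the path are constructed sample values, and the envelope layout and function names are assumptions for illustration only; key storage and access-log collection are out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the covered entity hands to the provider: ciphertext plus the
// non-secret parameters it needs for its own documentation. Layout is an assumption
// for this example, not a provider's format.
type Envelope struct {
	Algorithm  string // documented cipher, e.g. "AES-256-GCM"
	KeyID      string // identifies which CE-held key was used, without revealing it
	Nonce      []byte // 96-bit GCM nonce, unique per encryption under this key
	Ciphertext []byte // ciphertext with the GCM authentication tag appended
}

// keyID derives a stable, non-secret identifier from the key so audit records and
// envelopes can name the key without containing it.
func keyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// Encrypt seals plaintext under a 32-byte key with AES-256-GCM. objectPath is bound as
// associated data so the ciphertext only opens at the path it was stored under.
func Encrypt(key, plaintext []byte, objectPath string) (*Envelope, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectPath))
	return &Envelope{Algorithm: "AES-256-GCM", KeyID: keyID(key), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens an envelope. Any modification of the ciphertext, tag, nonce or path
// makes gcm.Open return an error instead of plaintext.
func Decrypt(key []byte, env *Envelope, objectPath string) ([]byte, error) {
	if env.Algorithm != "AES-256-GCM" {
		return nil, fmt.Errorf("unsupported algorithm %q", env.Algorithm)
	}
	if env.KeyID != keyID(key) {
		return nil, errors.New("envelope was not encrypted under this key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectPath))
}

func main() {
	// Constructed sample key and record; a real key comes from the CE's key store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"patient":"sample-0001","note":"constructed example record"}`)
	path := "records/sample-0001.json"

	env, err := Encrypt(key, record, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %s: alg=%s key=%s nonce=%x ct=%d bytes\n",
		path, env.Algorithm, env.KeyID, env.Nonce, len(env.Ciphertext))

	// Tampering with one byte of the stored object is detected on read.
	env.Ciphertext[0] ^= 0x01
	if _, err := Decrypt(key, env, path); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
}
```

The point for documentation purposes is that every parameter a risk analysis asks about (cipher, mode, key length, key ownership, integrity protection) is visible in this code and in each stored envelope, independent of whatever the provider applies on its own servers.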
If you would like to know more about using Dropbox for HIPAA compliant cloud storage, please read our blog article: Maintaining HIPAA Compliant Cloud Storage
To help you in your search, we compiled a list of reliable HIPAA compliant cloud storage providers:
Recommended HIPAA Compliant Cloud Storage Providers
We are constantly adding new articles on HIPAA compliant cloud storage and related services on our blog. Our current posts on HIPAA cloud storage are: