What Are the Requirements for HIPAA Cloud Storage?
Organizations increasingly depend on cloud services and SaaS solutions to perform everyday business operations, and cloud storage in particular is used to manage files and collaborate between staff. The Department of Health and Human Services (HHS) has published guidance on HIPAA compliance and cloud computing. In that guidance, HHS states that organizations may use cloud services in a HIPAA compliant manner if they have a signed Business Associate Agreement (BAA) in place with the cloud platform/vendor. The BAA sets out the obligations of the vendor and the client and designates which vendor services can be used to store or process protected health information (PHI) in a HIPAA compliant manner.
Below is a 2020 updated list of cloud storage solutions that offer HIPAA covered services:
Top 5 HIPAA Compliant Cloud Storage Solutions:
Amazon S3 is Amazon Web Services’ cloud service for object storage. S3 allows organizations to upload files, select storage classes, control access through IAM policies and roles, and manage backup, encryption, and file versioning. Lifecycle rules can transition data to Amazon S3 Glacier to control how long data is retained and where it is kept. Amazon S3 offers a large amount of configuration but is definitely the most technical solution on this list.
Amazon Web Services offers a BAA covering a number of services. Organizations can utilize AWS HIPAA eligible services, as well as Amazon S3 to store PHI and build applications. Learn about best practices for managing HIPAA with Amazon S3.
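The configuration choices listed above (default encryption, access restriction, versioning, lifecycle archiving, and access logging) are the client's side of the shared responsibility for PHI in S3. The following script is an added example, not AWS documentation or code from this page: it audits those settings from the responses of the boto3 S3 client calls `get_bucket_encryption`, `get_bucket_versioning`, `get_public_access_block`, `get_bucket_logging` and `get_bucket_lifecycle_configuration`. The two sample bucket configurations, the bucket names and the log bucket name are constructed for the example; the severity labels and the rule that Glacier archiving counts as retention are this example's assumptions, not HIPAA requirements.

```python
"""Audit an S3 bucket's PHI-relevant settings (added example; not AWS or page code)."""
from typing import Any

# Storage classes this example treats as an archive tier for retention (assumption).
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(cfg: dict[str, Any]) -> list[str]:
    """Return findings ("FAIL ..." / "WARN ...") for a bucket intended to hold PHI.

    cfg holds the raw boto3 responses keyed by the name of the call that produced
    them; a value of None means the call raised because nothing is configured.
    """
    findings: list[str] = []

    # Encryption at rest: a default SSE rule must exist. SSE-KMS with a customer
    # managed key also records every key use in CloudTrail, so SSE-S3 is only a warning.
    rules = ((cfg.get("get_bucket_encryption") or {})
             .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if not algorithms:
        findings.append("FAIL no default server-side encryption configured")
    elif "aws:kms" not in algorithms:
        findings.append("WARN default encryption is SSE-S3; prefer SSE-KMS with a "
                        "customer managed key for a key-level audit trail")

    # Versioning protects PHI against accidental overwrite or deletion (backup safeguard);
    # MFA Delete stops a single leaked credential from purging the history.
    versioning = cfg.get("get_bucket_versioning") or {}
    if versioning.get("Status") != "Enabled":
        findings.append("FAIL versioning not enabled")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append("WARN MFA Delete not enabled")

    # Block Public Access: all four settings must be on for a PHI bucket.
    pab = (cfg.get("get_public_access_block") or {}).get(
        "PublicAccessBlockConfiguration", {})
    for key in PUBLIC_ACCESS_KEYS:
        if not pab.get(key):
            findings.append(f"FAIL public access block setting {key} is off")

    # Audit logging: server access logs must be delivered, and to a different bucket
    # so that whoever can alter the PHI bucket cannot also alter the record of access.
    logging_cfg = (cfg.get("get_bucket_logging") or {}).get("LoggingEnabled")
    if not logging_cfg or not logging_cfg.get("TargetBucket"):
        findings.append("FAIL server access logging not enabled")
    elif logging_cfg["TargetBucket"] == cfg.get("bucket_name"):
        findings.append("WARN access logs are written to the bucket they describe")

    # Retention: at least one enabled lifecycle rule should move data to an archive class.
    lc_rules = (cfg.get("get_bucket_lifecycle_configuration") or {}).get("Rules", [])
    archives = any(
        r.get("Status") == "Enabled"
        and any(t.get("StorageClass") in ARCHIVE_CLASSES for t in r.get("Transitions", []))
        for r in lc_rules)
    if not archives:
        findings.append("WARN no enabled lifecycle rule archives objects to a Glacier class")

    return findings


def collect_bucket_settings(s3, bucket: str) -> dict[str, Any]:
    """Fetch the five responses with a boto3 S3 client; missing configs become None."""
    from botocore.exceptions import ClientError  # imported here so the audit runs offline
    cfg: dict[str, Any] = {"bucket_name": bucket}
    for call in ("get_bucket_encryption", "get_bucket_versioning", "get_public_access_block",
                 "get_bucket_logging", "get_bucket_lifecycle_configuration"):
        try:
            cfg[call] = getattr(s3, call)(Bucket=bucket)
        except ClientError:  # e.g. ServerSideEncryptionConfigurationNotFoundError
            cfg[call] = None
    return cfg


# Constructed sample: a bucket created with defaults and never hardened.
WEAK_BUCKET: dict[str, Any] = {
    "bucket_name": "phi-intake-dev",
    "get_bucket_encryption": None,
    "get_bucket_versioning": {},
    "get_public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "get_bucket_logging": {},
    "get_bucket_lifecycle_configuration": None,
}

# Constructed sample: the same bucket after hardening.
HARDENED_BUCKET: dict[str, Any] = {
    "bucket_name": "phi-intake-prod",
    "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-intake"},
         "BucketKeyEnabled": True}]}},
    "get_bucket_versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "get_public_access_block": {"PublicAccessBlockConfiguration":
                                dict.fromkeys(PUBLIC_ACCESS_KEYS, True)},
    "get_bucket_logging": {"LoggingEnabled": {"TargetBucket": "phi-access-logs",
                                              "TargetPrefix": "phi-intake-prod/"}},
    "get_bucket_lifecycle_configuration": {"Rules": [
        {"ID": "archive-after-90d", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]},
}

if __name__ == "__main__":
    for cfg in (WEAK_BUCKET, HARDENED_BUCKET):
        print(cfg["bucket_name"], audit_bucket(cfg) or ["OK"])
```

Against a live account, `audit_bucket(collect_bucket_settings(boto3.client("s3"), name))` runs the same checks; the script deliberately reads only the configuration, never object contents, so it can be run by a read-only audit role.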
Drive is Google’s cloud storage solution. Drive is included in Google’s G Suite and makes it easy for organizations to upload, share, and collaborate on files. Desktop and mobile applications make it simple for staff to automatically sync files to the cloud and access them across multiple devices.
Google offers a BAA that covers G Suite services including Docs, Sheets, Gmail, and Drive. Organizations can use Google Drive along with the other covered G Suite services to collaborate within teams. Google Vault can be used alongside Drive for document retention, archiving, and audit logging purposes.
Box is an enterprise cloud storage platform for uploading, syncing, sharing, and managing files. Box maintains a number of compliance programs, including HIPAA, and offers a number of services targeted at healthcare organizations.
Box offers a Business Associate Agreement (BAA) to clients with an Enterprise or Elite account. Box handles data encryption, system access controls, and provides configurable administrative controls to the client.
Dropbox is a long-established consumer cloud storage provider that also offers a number of business solutions for cloud storage. Dropbox allows teams to upload, sync, and manage files easily using its platform.
Dropbox offers a BAA that covers Dropbox Business customers. Dropbox Showcase is not covered under this agreement, and organizations must individually evaluate any third-party apps and integrations they use with PHI. The Dropbox platform lets the client configure user access permissions, file retention, and account logging and monitoring.
OneDrive is Microsoft’s cloud storage option provided as part of Office 365. Often included with other Microsoft software, OneDrive is part of Microsoft’s Office Online Services and integrates with a number of Office 365 tools.
Microsoft offers a BAA that covers services including OneDrive for Business, Office 365, Dynamics 365, Azure and Azure Government.
Your HIPAA Requirements Outside of Vendor BAAs
Using vendors with Business Associate Agreements (BAAs) does not automatically make an organization HIPAA compliant. HIPAA requirements are typically handled through a shared responsibility model: the cloud vendor is responsible for the security of the platform, and the client is responsible for how it configures and uses that platform with PHI.
Organizations must implement a set of HIPAA administrative policies and set proper technical controls. For policies, teams must conduct periodic (commonly annual) risk assessments, provide employee training, and set standard operating procedures for backup and recovery, availability, and more. Organizations must also implement the necessary technical safeguards, including selecting solutions for audit logging, backup, and vulnerability scanning, and configuring the access controls, encryption, and retention settings each platform exposes. All of the services listed above can be utilized in a HIPAA compliant manner, but it is up to the covered entity (or business associate) to maintain a proper security program in order to stay compliant.