Storing medical information in the cloud isn’t as easy as a quick upload. Federal laws dictate how companies can and must handle patient data, regardless of whether it’s sitting in storage or actively in use. Although they are designed to protect consumers and companies alike, HIPAA rules are incredibly complex, which makes it difficult to find a compliant cloud storage solution. Let’s look at what companies that handle protected health information need to know about complying with HIPAA before diving into a list of the five best HIPAA compliant cloud storage solutions on the market today.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law designed to protect sensitive medical information from being disclosed without the patient’s knowledge or consent. Its four primary rule groups govern privacy, security, breach notification, and enforcement in an effort to keep Protected Health Information (PHI) as secure as possible wherever it exists.
Since HIPAA was first signed into law, the landscape of tech has evolved considerably. Regulatory updates like 2009’s HITECH (Health Information Technology for Economic and Clinical Health) Rule and the HIPAA Omnibus Rule of 2013 seek to amend the legislation in order to keep pace not only with new and emerging cybersecurity concerns but also with nationwide changes to consumer rights regarding the use of technology.
What Makes a Cloud Data Storage Solution HIPAA Compliant?
Any company or organization that handles PHI is legally required to do so in a HIPAA-compliant manner. When it comes to cloud services, that means seeking out platforms with all the appropriate HIPAA-compliant privacy and security protocols in place. But at the end of the day, it’s technically not possible for a tech platform to be HIPAA-compliant; compliance depends entirely on how the company implements, manages, and uses its tech tools.
That’s why most of the companies on this list of the five best HIPAA-compliant cloud storage solutions promote themselves as “in support of” HIPAA compliance. This linguistic turn allows tech companies to advertise their adherence to regulatory measures without claiming that using their solutions guarantees compliance. As with all tech, it’s what you do with it that matters.
With that said, being in support of HIPAA compliance does require the inclusion of some pretty cut-and-dry protocols. Data classification, encryption, two-factor authentication, audit trails, access monitoring, and administrative controls are all par for the course. On top of implementing those protocols in their tech, cloud storage solutions must also issue Business Associate Agreements (BAAs) in order to be considered in compliance. BAAs govern the nature of the relationship between the cloud storage provider and the user; to be compliant the BAA must be in place before any PHI is uploaded, stored, or used.
All of these various elements must be in place for a cloud storage solution to be considered HIPAA compliant. For example, is iCloud HIPAA compliant? Even though Apple’s standard security protocols (like authentication, encryption, and access controls) satisfy HIPAA security requirements, Apple is not and cannot be a HIPAA-compliant cloud storage solution because it will not issue its users BAAs.
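As an added illustration (this is example code written for this page, not anything published by Symmetry Systems or any provider named here), the following Python sketch turns the paragraph above into an upload gate: before an object classified as PHI may be written to a cloud store, the tenant's configuration must show a BAA that was signed before the upload was requested, plus the encryption, two-factor authentication, audit-trail, access-monitoring, classification and administrative controls the article lists. The dataclass field names, the provider names and the accepted cipher and protocol sets are assumptions chosen for the example, not any vendor's API or a statement of what HIPAA itself mandates.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Baseline chosen for this example to match the controls the article lists
# (an assumption, not a HIPAA requirement: the Security Rule names no cipher).
ACCEPTED_AT_REST_CIPHERS = {"AES-256"}
ACCEPTED_TRANSIT_PROTOCOLS = {"TLS1.2", "TLS1.3"}


@dataclass
class StorageConfig:
    """Hypothetical tenant configuration for one cloud storage provider."""
    provider: str
    baa_signed_on: Optional[datetime]  # None: the provider issues no BAA
    at_rest_cipher: str
    in_transit_protocol: str
    mfa_enforced: bool
    audit_trail_enabled: bool
    access_monitoring_enabled: bool
    data_classification_enabled: bool
    admin_controls_enabled: bool


@dataclass
class UploadRequest:
    """A proposed upload, already classified as PHI or not by the caller."""
    object_name: str
    contains_phi: bool
    requested_at: datetime


def phi_upload_violations(cfg: StorageConfig, req: UploadRequest) -> List[str]:
    """Return the reasons this upload must be refused; an empty list means allowed."""
    if not req.contains_phi:
        return []  # non-PHI objects are outside the scope of these checks

    problems: List[str] = []

    # A BAA must be in force before any PHI is uploaded, stored or used.
    if cfg.baa_signed_on is None:
        problems.append(f"{cfg.provider}: no Business Associate Agreement on file")
    elif cfg.baa_signed_on > req.requested_at:
        problems.append(
            f"{cfg.provider}: BAA signed {cfg.baa_signed_on.date()} is later than "
            f"the upload requested {req.requested_at.date()}"
        )

    # Encryption at rest and in transit must meet the example baseline.
    if cfg.at_rest_cipher not in ACCEPTED_AT_REST_CIPHERS:
        problems.append(f"at-rest encryption {cfg.at_rest_cipher!r} not in baseline")
    if cfg.in_transit_protocol not in ACCEPTED_TRANSIT_PROTOCOLS:
        problems.append(f"in-transit protocol {cfg.in_transit_protocol!r} not in baseline")

    # The remaining controls from the article are simple on/off requirements.
    required_controls = {
        "two-factor authentication": cfg.mfa_enforced,
        "audit trail": cfg.audit_trail_enabled,
        "access monitoring": cfg.access_monitoring_enabled,
        "data classification": cfg.data_classification_enabled,
        "administrative controls": cfg.admin_controls_enabled,
    }
    problems.extend(f"{name} not enabled" for name, on in required_controls.items() if not on)
    return problems


# Constructed sample tenants and uploads (not real providers or patients).
COMPLIANT_CONFIG = StorageConfig(
    provider="example-provider",
    baa_signed_on=datetime(2023, 1, 15, tzinfo=timezone.utc),
    at_rest_cipher="AES-256",
    in_transit_protocol="TLS1.2",
    mfa_enforced=True,
    audit_trail_enabled=True,
    access_monitoring_enabled=True,
    data_classification_enabled=True,
    admin_controls_enabled=True,
)
# Strong technical controls but no BAA at all, like the iCloud case above.
NO_BAA_CONFIG = replace(COMPLIANT_CONFIG, provider="consumer-sync-service", baa_signed_on=None)
# BAA signed after the upload, legacy TLS, and no second factor.
LATE_BAA_CONFIG = replace(
    COMPLIANT_CONFIG,
    baa_signed_on=datetime(2023, 6, 1, tzinfo=timezone.utc),
    in_transit_protocol="TLS1.1",
    mfa_enforced=False,
)
PHI_UPLOAD = UploadRequest("patient-1234-ct.dcm", True, datetime(2023, 3, 10, tzinfo=timezone.utc))
NON_PHI_UPLOAD = UploadRequest("clinic-logo.png", False, datetime(2023, 3, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    for cfg in (COMPLIANT_CONFIG, NO_BAA_CONFIG, LATE_BAA_CONFIG):
        print(cfg.provider, phi_upload_violations(cfg, PHI_UPLOAD) or "allowed")
```

The gate refuses the no-BAA tenant even though every technical control is switched on, which is exactly the iCloud situation the paragraph describes: the controls alone do not make the store usable for PHI.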
5 of the Best HIPAA Compliant Cloud Storage Solutions
Is Box HIPAA compliant? Box supports HIPAA compliance.
Box is a secure cloud storage and file sharing solution that promotes itself as compliant with HIPAA, HITECH, and the HIPAA Omnibus Rule. One of the main reasons healthcare companies choose Box is that it allows for secure viewing of medical files saved in the DICOM format, which stands for Digital Imaging and Communications in Medicine. These include x-rays, ultrasound images, and CT scans — all documents that providers need to be able to access easily and safely while providing medical care.
For added peace of mind, third-party auditors have evaluated Box’s protocols to ensure they are thoroughly HIPAA compliant. Box’s specifically HIPAA-compliant features include: data encryption; physical and system access restrictions; account activity reporting and audit trails; employee security training; and disaster mitigation through mirrored, active-active data center facilities. While Box integrates with popular applications like Google, Salesforce, and Jotform, it’s critical that healthcare companies configure Box and all third-party apps in a HIPAA-compliant manner.
Is Carbonite HIPAA compliant? Carbonite supports HIPAA compliance.
Carbonite has been around since 2005, so it has had plenty of time to become one of the leading cloud storage solutions that supports HIPAA compliance. The compliance measures in place at Carbonite extend from the data center (certified Microsoft Azure data centers meet Tier 4 rating requirements and are HIPAA and HITECH compliant) to the cloud, with security features like 256-bit AES encryption for data at rest, Transport Layer Security for data in transit, global data deduplication, and multiple encryption keys across data sets.
Carbonite is also focused on maintaining compliance through the many ways humans interact with PHI and medical data stored in the cloud. Security features that protect against human error include:
- Encryption remains transparent to employees: eliminates the potential risk vectors created by additional passwords.
- Read and write access controls: prevent employees from copying PHI to thumb drives, CDs, etc. without authorization.
- Port lockdowns: create policies that lock down a port completely if any unauthorized user attempts to copy or remove protected files.
Is Dropbox HIPAA compliant? Dropbox supports HIPAA compliance.
Dropbox’s materials make clear that while it supports HIPAA compliance, it is ultimately up to the user to implement any platform or application in a compliant manner. Signing up for a business account with Dropbox will give customers access to the necessary BAA, along with other HIPAA-related security recommendations like configuring sharing permissions, disabling permanent deletions, monitoring account access and activity, and understanding the role of third-party applications while working with Dropbox.
Any healthcare company considering Dropbox as its HIPAA-compliant cloud storage solution can request the third-party report attesting that Dropbox’s internal measures and controls conform to the HIPAA/HITECH security, privacy, and breach notification rules.
Is Google Cloud HIPAA compliant? Google Cloud supports HIPAA compliance.
Google Cloud issues its customers BAAs, and any user can view a slew of annual third-party audits and certificates including SSAE16/ISAE 3402 Type II, ISO 27001, ISO 27017, ISO 27018, FedRAMP ATO, and PCI DSS v3.2.1. In addition to its own protocols, Google Cloud recommends all HIPAA-concerned users follow best practices regarding identity and access management, encryption, version and access controls, audit logs, etc.
The entire G Suite — including Google Drive — is considered a HIPAA-compliant service, although as with all cloud storage solutions it needs to be configured correctly to be truly HIPAA compliant. Paying Google customers can receive BAAs that cover Google Drive apps like Docs, Sheets, Slides, and Forms. The BAA must be in place before any PHI is uploaded to or used in the cloud environment. In order to remain compliant, Google Contacts, Google+, and other Google products that are not considered “core services” must be disabled.
Is OneDrive HIPAA compliant? OneDrive supports HIPAA compliance.
As one of the first cloud service providers to offer BAAs for healthcare companies, Microsoft certainly has HIPAA compliance on its mind. Microsoft BAAs cover products including OneDrive for Business, Azure, Dynamics 365, Office 365, and Power BI.
The terms of Microsoft’s BAA require it to place limitations on the use and disclosure of PHI, safeguard it against inappropriate use, and report to consumers and provide them access to their own PHI when requested. To that end, Microsoft’s security standards include 256-bit AES encryption and 2048-bit keys for establishing SSL/TLS connections; independent audits ensure ISO/IEC 27001 and HITRUST CSF certifications. Because Microsoft is such an enormous company, it’s helpful to note that all its subcontractors are also required to uphold the same standards and restrictions regarding PHI.
Even the most advanced cloud solutions still need to be configured properly for your company to be HIPAA compliant. Symmetry Systems can help; DataGuard is a hybrid security data platform that helps businesses leveraging hybrid cloud infrastructures get a handle on their data security posture. By arming security, compliance, and cloud teams with the tools necessary to protect PHI across hybrid cloud environments, DataGuard ensures that no sensitive information is left vulnerable to compromise. Want to learn more? Contact us to schedule a demo today.