
HIPAA and Cloud Data Storage: What You Need to Know


Cloud storage solutions offer countless benefits to healthcare professionals, but they also pose some unique challenges. Security professionals working in the medical field, as well as technology companies dealing with healthcare institutions, safeguard not only the data of their employer but also the personal health information of the consumers who interact with these entities. The sensitivity of that information demands particular care in how it is handled. This article explores some of the considerations security professionals need to know when structuring a HIPAA cloud storage strategy.



What Does HIPAA Have to Do With Cloud Data Storage?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that established national standards to protect personal and sensitive health information from being disclosed without the patient’s consent. Though it was written largely before the advent of cloud and hybrid data storage solutions, it still governs their use whenever HIPAA-covered data is stored in or transmitted through a cloud environment.

“Non-cloud” violations of HIPAA law can be serious — one such case involved a doctor’s office mistakenly disclosing a patient’s HIV status after faxing medical records to the patient’s place of work instead of the patient’s new health care provider — but a potential data breach in a HIPAA cloud storage environment could expose thousands or even millions of patient records at once.


What Does a Cloud Data Storage Service Need to be HIPAA Compliant?

The US Department of Health and Human Services (HHS) oversees HIPAA and its enforcement. HHS created the HIPAA Security Rule to protect all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (ePHI). HHS publishes an invaluable resource, “Guidance on HIPAA and Cloud Computing,” that helps covered entities (health plans, health care clearinghouses, and health care providers that conduct certain billing and payment-related transactions electronically), as well as cloud service providers (CSPs), understand their HIPAA cloud storage obligations.

CSPs must take a number of steps to become compliant, including implementing two-step authentication or single sign-on and encrypting ePHI in transit; applying proper encryption that follows NIST standards; establishing data classification procedures; and demonstrating adequate monitoring activity. Even then, the platform cannot be used with ePHI until a risk analysis has been completed. That requirement comes from 45 CFR § 164.308, the section of the Code of Federal Regulations that contains the Administrative Safeguards of the HIPAA Security Rule. Added in 2003, these safeguards include eight standards that are designed to:

  • Ensure the confidentiality, integrity, and availability of ePHI
  • Protect ePHI against reasonably anticipated threats
  • Protect ePHI against unauthorized uses and disclosures
  • Ensure employee compliance with the Security Rule

An additional step for CSPs is the administration of a Business Associate Agreement (BAA). A BAA is a contract between a covered entity and a service provider that establishes the allowable uses and disclosures of PHI, states that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explains all elements of the HIPAA rules that apply to the platform provider. A covered entity must obtain the BAA from the cloud platform provider before any ePHI is uploaded to the platform. HHS offers a helpful sample BAA for general use.


What Are Some Examples of HIPAA-Compliant Cloud Data Storage Services?

Your first step in ensuring HIPAA compliance in data storage should be to identify a CSP with the above-mentioned Business Associate Agreement. Here are some of the better-known cloud storage providers with HIPAA-compliant options:

Dropbox

Dropbox has established a separate service for businesses seeking a HIPAA-compliant cloud solution, and it offers guidance for companies looking to use its services for healthcare-related information.

Google Drive

Google Drive can be used as a HIPAA-compliant solution, but first you must request a BAA from Google using your G Suite account. The company has published extensive documentation on HIPAA compliance using Google Apps, including this eBook.

Microsoft OneDrive

Much like Google Drive, Microsoft OneDrive can be used for HIPAA-covered data by requesting a BAA from Microsoft. This path is attractive to organizations that already use Microsoft’s suite of products because the integration process is straightforward. Microsoft provides more detail on its approach, and on the services covered by the BAA, on its HIPAA compliance page.

AWS

Amazon has invested heavily in educating the market about cloud solutions, and the healthcare space is no exception. AWS has extensive documentation on best practices and on how to get started, including a detailed white paper.


How Can IT and Software Development Professionals Ensure Their Products Are HIPAA Compliant?

The safeguards in the HIPAA Security Rule translate into a compliance checklist for software development. Below is a list of the elements HIPAA-compliant software needs, based on those safeguards. Implementing these elements lets your software protect both the security and the privacy of ePHI.

  • User authorization
  • Access control
  • Authorization monitoring
  • Data backup
  • Remediation plan
  • Emergency mode
  • Automatic log off
  • Data encryption and decryption
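As an added example (not code from the article or from Symmetry Systems), the following Python model shows how four of these checklist items, user authorization, access control, authorization monitoring and automatic log off, fit together in an application that handles ePHI. The roles, the permission map, the 15-minute idle timeout and the record contents are all constructed assumptions; the Security Rule requires automatic logoff but does not prescribe a duration. Encryption and backup are not shown. Every authorization decision, allowed or denied, is written to an append-only audit log so that monitoring can see denied attempts, not only successful access.

```python
"""Minimal ePHI access layer: RBAC, idle logoff and an audit trail (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Assumed role-to-permission map; a real deployment derives this from policy.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"read_record", "write_record"},
    "billing": {"read_billing"},
    "auditor": {"read_audit_log"},
}

# Assumed idle-timeout policy (the Security Rule does not fix a value).
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    active: bool = True


@dataclass
class AuditEvent:
    timestamp: datetime
    user: str
    action: str
    resource: str
    allowed: bool
    reason: str


class EphiStore:
    """In-memory ePHI store guarded by sessions, role checks and an audit log."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[AuditEvent] = []

    def login(self, token: str, user: str, role: str, now: datetime) -> None:
        """Create a session for an already-authenticated user (user authorization)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._sessions[token] = Session(user, role, now)
        self.audit_log.append(AuditEvent(now, user, "login", "-", True, "ok"))

    def _authorize(self, token: str, action: str, resource: str, now: datetime) -> Tuple[bool, str]:
        """Decide whether `action` on `resource` is allowed and log the decision either way."""
        session = self._sessions.get(token)
        user = session.user if session else "unknown"
        if session is None or not session.active:
            allowed, reason = False, "no active session"
        elif now - session.last_activity > IDLE_TIMEOUT:
            session.active = False  # automatic logoff: the session is dead from here on
            allowed, reason = False, "session expired (automatic logoff)"
        elif action not in ROLE_PERMISSIONS[session.role]:
            allowed, reason = False, f"role {session.role!r} lacks {action!r}"
        else:
            session.last_activity = now  # activity extends the idle window
            allowed, reason = True, "ok"
        self.audit_log.append(AuditEvent(now, user, action, resource, allowed, reason))
        return allowed, reason

    def write_record(self, token: str, patient_id: str, record: dict, now: datetime) -> bool:
        allowed, _ = self._authorize(token, "write_record", patient_id, now)
        if allowed:
            self._records[patient_id] = dict(record)
        return allowed

    def read_record(self, token: str, patient_id: str, now: datetime) -> Optional[dict]:
        """Return a copy of the record, or None when access is denied or absent."""
        allowed, _ = self._authorize(token, "read_record", patient_id, now)
        if not allowed or patient_id not in self._records:
            return None
        return dict(self._records[patient_id])

    def denied_events(self) -> List[AuditEvent]:
        """The events a monitoring job would review: every refused access."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    store = EphiStore()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    store.login("tok-a", "dr_smith", "clinician", t0)
    store.login("tok-b", "b_jones", "billing", t0)
    store.write_record("tok-a", "patient-1", {"diagnosis": "constructed"}, t0)
    store.read_record("tok-b", "patient-1", t0)                           # wrong role
    store.read_record("tok-a", "patient-1", t0 + timedelta(minutes=30))   # idle too long
    for event in store.denied_events():
        print(event.timestamp.isoformat(), event.user, event.action, event.reason)
```

The clock is passed in explicitly rather than read from the system so the idle-timeout path can be exercised deterministically in tests; in production the same code would be called with the current time.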

In addition, HHS provides the NIST HIPAA Security Toolkit Application, a self-assessment survey intended to help organizations better understand the requirements of the HIPAA Security Rule. A comprehensive user guide and instructions for using the application are available alongside the HSR (HIPAA Security Rule) Toolkit application.


What Are The Penalties for Storing HIPAA Data in Non-Compliant Cloud Storage?

The costs of implementing and administering a HIPAA cloud storage architecture are not insignificant. However, the cost of non-compliance with HIPAA can be far more severe. Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) as well as by state attorneys general, and they are tiered based on whether a covered entity knowingly violated the law.

Financial penalties are meant to deter violations of HIPAA law and to hold an entity accountable for violating the trust of patients. Minimum fines run from $100 per violation at the lower end to a minimum of $50,000 per violation for willful neglect of HIPAA regulations. Violations can also result in jail time.


What Are Some Examples of HIPAA Violations and Associated Penalties?

The OCR’s so-called “HIPAA Wall of Shame” is a database that lists all organizations with healthcare data breaches that impacted more than 500 individuals in the previous 24 months. Looking further back, here is one example of a particularly large violation from the last five years: health insurance company Aetna discovered that two web services used to display plan-related documents to health plan members allowed those documents to be accessed without login credentials, after which they were indexed by several internet search engines.

Aetna reported that 5,002 individuals were affected by this breach, and the PHI disclosed included names, insurance identification numbers, claim payment amounts, procedures, service codes, and dates of service. Aetna paid $1 million to settle the resulting lawsuit, which also covered two other independent breaches.


Protect Your Enterprise’s Data Across the Cloud

Understanding, implementing, and maintaining a HIPAA-compliant cloud structure is critical to any organization providing healthcare services. Symmetry Systems’ DataGuard can help. Symmetry was recognized by Gartner in its “2022 Cool Vendor” report as a leading cloud data posture management solution, which you can download here. Contact us today to learn more.