HIPAA Cloud Storage Requirements: The Essential Guide

Companies of all sizes need to consider which regulatory standards apply to their business models. While achieving compliance can be complex, it’s a far more efficient and affordable strategy than cutting corners and facing data breaches down the line. HIPAA compliance is a smart long-term business move, and is also the law for any company handling patient information or medical data in the cloud. Here’s what you need to know to determine how HIPAA cloud storage requirements impact your business.

To learn more about how Symmetry Systems DataGuard can help strengthen your data security posture, contact us today.

HIPAA Cloud Storage Requirements: What You Need to Know

HIPAA stands for Health Insurance Portability and Accountability Act. The federal law was enacted in 1996 to protect personal and sensitive health information from being disclosed without the consent of the patient. The US Department of Health and Human Services (HHS) is responsible for overseeing and enforcing HIPAA regulations, including the HIPAA Security Rule, which protects any electronic protected health information (ePHI) that is created, received, maintained, or transmitted digitally. HIPAA clearly applies to healthcare providers, hospitals, doctors’ offices, clinics, etc., but it also impacts any organization that stores, uses, or transmits ePHI.

Ready to brush up on the basics of HIPAA compliant cloud storage? Read our introductory guide to the topic: HIPAA and Cloud Data Storage: What You Need to Know.

There are many steps cloud service providers must take to become HIPAA compliant, including implementing multi-factor authentication, encryption standards, data classification protocols, and access monitoring and controls. Risk analysis and the signing of a Business Associate Agreement (BAA) are also required steps for providers to be in compliance. BAAs govern the relationship between a HIPAA-covered entity and the service provider, ensuring that the ePHI in question is protected by all the required safeguards. Only after all these steps are complete can companies begin to upload ePHI to their cloud data storage platform.

Want to learn more about the details of HIPAA compliance and the penalties for non-compliance? Read our article: What Is Required for HIPAA Compliant Cloud Storage?

The 5 Best HIPAA-Compliant Cloud Storage Solutions

The truth is that there’s no such thing as a HIPAA-compliant cloud storage solution; it’s how you use the solution that matters most. Most cloud storage providers avoid advertising themselves as HIPAA-compliant for that reason, and instead talk about being in support of HIPAA compliance. There’s only so much they can do as providers, but many work closely with the companies that use their solutions to help them achieve compliance using their software.

  1. Box: Box promotes itself as a HIPAA-compliant secure cloud storage and file sharing solution. Many healthcare companies choose Box because it supports medical imaging files with specific secure viewing features that are crucial to providing care. Box offers customers BAAs, supports integrations with popular apps, and can show third-party audit reports upon request.
  2. Carbonite: Carbonite supports HIPAA compliance from its certified Tier 4 Microsoft Azure data centers to cloud-based security features like 256-bit AES encryption and Transport Layer Security. It’s also focused on helping manage the risk of human error by eliminating extraneous passwords for employees, preventing unauthorized access, and supporting the creation of port lockdown policies.
  3. Dropbox: Becoming a Dropbox business user unlocks access to BAAs, third-party audit reports, and a range of security recommendations. HIPAA-specific features support critical security actions like configuring permissions, disabling deletions, monitoring access and activity, and working with third-party applications without sacrificing compliance.
  4. Google Cloud: Google Cloud maintains a range of annual audits and certificates conducted by third parties, including SSAE16/ISAE 3402 Type II, ISO 27001, ISO 27017, ISO 27018, FedRAMP ATO, and PCI DSS v3.2.1. Beyond that, all the apps included in G Suite support HIPAA compliance and Google offers guidance on best practices to configure and implement its tools in accordance with regulation.
  5. Microsoft OneDrive: Microsoft offers BAAs that cover core products including OneDrive for Business, Azure, Dynamics 365, Office 365, and Power BI. In supporting HIPAA compliance, Microsoft uses 256-bit AES encryption and 2048-bit SSL/TLS connections and also maintains third-party audit reports demonstrating its ISO/IEC 27001 and HITRUST CSF certifications.

Choosing the right HIPAA-compliant solution for your business starts here: The 5 Best HIPAA Compliant Cloud Storage Solutions.

The 8 Best HIPAA Compliance Resources

There is no single centralized process that developers or the organizations they work for can use to become HIPAA compliant, but there are various resources and tools out there that can help companies of all sizes demonstrate their commitment to compliance. In the education category, these are a few of the resources available for anyone seeking a deeper hands-on understanding of the ins and outs of HIPAA compliance:

  1. HealthIT.gov: An official US government resource IT teams can use to maintain data security, analyze risk, educate employees, and earn certifications.
  2. Aptible: A complete guide of the most important information tech startups and small businesses need to get started with HIPAA compliance.
  3. HIPAATraining.com: Training resources designed to support individuals, small to medium-sized businesses, and companies like Goodwill, Zappos, and Ancestry.
  4. ScienceSoft: Consulting services include PHI risk analysis, HIPAA policy and implementation review, and IT security gap detection.
  5. RubyGarage: After conducting a holistic security review, RubyGarage helps develop security and vulnerability management plans that support long-term compliance.
  6. Symmetry Systems DataGuard: Real-time comprehensive snapshots of your most sensitive data inform recommendations of actions that will strengthen your security posture and ensure HIPAA compliance in hybrid cloud environments.
  7. SecureFrame: A team of compliance experts will help design HIPAA policies and train your team on how to implement and monitor them using the SecureFrame platform.
  8. Medstack: HIPAA-compliant development environments use minimal code and allow developers to iterate and deploy within existing CI/CD pipelines.

Those seeking a more personalized approach might be interested in hiring consultants to review their compliance efforts and provide insight into the most effective next steps. Here are a few options in the consulting realm:

There are also dedicated tools that can help companies manage compliance for the long haul, no matter how their internal infrastructure grows and external vulnerabilities evolve.

Ready to support your HIPAA compliance strategy with dedicated resources? Read our post all about The 8 Best HIPAA Compliance Certifications and Training Resources.

No matter how compliant your tools and solutions are, they still need to be accurately configured for your company to achieve HIPAA compliance. That’s where Symmetry Systems DataGuard comes in; the hybrid security data platform helps businesses leveraging hybrid cloud infrastructures strengthen their data security posture. DataGuard ensures that no sensitive information — including ePHI — is left vulnerable to compromise by arming hybrid cloud teams with the tools necessary to protect it. Want to learn more? Contact us to schedule a demo today.