“What are my options for HIPAA compliant cloud storage?”
In recent years, cloud storage has grown in both capability and popularity. Its convenience is undeniable: being able to reach your data from anywhere is hard to give up. But can covered entities and their business associates use these services to store protected health information (PHI)? What exactly does it mean for a cloud storage service to be HIPAA compliant, and which services offer the most secure options?
A few things are essential when choosing a HIPAA compliant cloud storage provider. You need to be choosy, because putting PHI “in the cloud” does not transfer your responsibility for it. Under the HIPAA rules, a cloud provider that stores or transmits PHI on your behalf is a business associate, and you must have a signed business associate agreement (BAA) with it before any PHI goes there; a vendor that will not sign a BAA is not an option, however good its encryption. When PHI is stored off-site and out of your hands, you also need to know how it is protected in transit and at rest, who at the vendor can read it, and how sharing is controlled.
So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:
Google Drive (G Suite)
Our favorite service, hands down, is Google Drive, which is part of Google's G Suite. It is one of the easiest services to use and good value for the price. PCMagazine also likes it, giving Google Drive a five star rating in 2016.
Google will sign a HIPAA Business Associate Agreement (BAA) for paid G Suite accounts; free consumer Gmail and Drive accounts are not covered. The BAA covers Gmail, Google Drive, Google Calendar, and Google Vault. If you set up file sharing properly in Google Drive (restrict external sharing in the admin console and never share PHI as “anyone with the link”), it's a great choice for HIPAA compliant cloud storage.
Learn more about our HIPAA Compliant G Suite services here.
Microsoft Office 365
Microsoft will also sign a BAA covering mail, file storage, calendars, and other parts of Microsoft Online Services. While these are a bit harder to use than G Suite, Microsoft offers some terrific data loss prevention (DLP) tools that can flag or block PHI being shared where it shouldn't be.
Microsoft's file sharing service (OneDrive) also got a great rating, 4.5 stars from PCMagazine in 2016.
Learn more about our HIPAA Compliant Office 365 services here.
Both G Suite and Microsoft Office 365 (reviewed above) can share data securely with other companies. You need to be careful, though, about how you configure sharing: a document shared as “anyone with the link can view” is effectively public, so restrict external sharing at the organization level and review sharing settings periodically rather than relying on each user to get it right.
However, you might not need the other features that come with these suites. If you already use another service for email, calendaring, and file editing, a dedicated file sharing service may be the better fit. Here are some good options.
Dropbox
People often ask "Is Dropbox HIPAA compliant?" It can be. The most popular and arguably the most polished of the cloud storage providers, Dropbox is usually the first name people think of when they think “cloud storage.” Dropbox will sign a BAA, but only for its Dropbox Business service (https://www.dropbox.com/business); free and personal accounts are not covered, so PHI must not be kept in them.
Box
Box meets the security and encryption requirements set by HIPAA and is willing to sign a business associate agreement. Check which plan is required, since free accounts are not covered. You can find more detailed information on its compliance on its website.
All of the services above can be used for safe, HIPAA compliant cloud storage, but they require some configuration and oversight.
Backup is a different problem from sync. One of the best protections against ransomware is a good, up-to-date backup, and it's also one of the best ways to protect your business from interruption if your computers are lost, stolen, or damaged. Note that a sync service on its own is not a backup: if ransomware encrypts a synced folder, the encrypted copies sync up just as faithfully, so you need a service that keeps prior versions and that a compromised machine cannot delete.
Here are three HIPAA compliant backup services:
SpiderOak
SpiderOak offers a great "set it and forget it" cloud backup service. You install its client on your computer, and your files are encrypted and backed up to the cloud automatically.
One of the reasons we love it is its "zero knowledge" design: files are encrypted on your machine with a key derived from your password, so there is no way SpiderOak staff can read your data. The flip side is that SpiderOak cannot reset your password for you; lose it and the backups are unrecoverable, so keep it in a password manager or escrow it somewhere safe. SpiderOak is happy to sign a HIPAA BAA.
Carbonite
Carbonite is another popular backup service, and it is willing to sign a HIPAA BAA.
Amazon Web Services
Want to save a ton of money and don't mind some technical work? Amazon S3 Glacier is dirt cheap for long-term storage, but it takes some IT skill to use for regular backups: there is no desktop client, restores take hours rather than seconds, and you are responsible for encryption, access control (IAM and bucket policies), and retention. It is also covered by the HIPAA BAA that Amazon will sign.
We are huge fans of Amazon Web Services (AWS). Its security is top notch and it will sign a HIPAA Business Associate Agreement. Remember that the BAA covers the service, not your configuration: a misconfigured bucket policy or an over-privileged IAM user is your problem, not Amazon's.
We've written some articles to help you get started, including "Getting Started with AWS Cloud Security – 14 Step Guide" and "Secure Cloud Computing: 7 Ways I’d Hack You On AWS".
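As an added example (not code from the original article), here is what the "technical work" of using S3 Glacier for PHI backups looks like in practice: a small POSIX shell script that encrypts a backup archive on the client before it leaves the machine, verifies that it can actually be restored, and builds the AWS CLI upload command. The bucket name, KMS key alias and passphrase file are placeholders of our own; the script assumes tar, gzip, openssl and awk are installed, and needs the AWS CLI only for a real upload.

```shell
#!/bin/sh
# Added example, not code from the original article. Encrypts a backup on the
# client before it is sent to S3 Glacier, so PHI never reaches the bucket in
# the clear. Assumes tar, gzip, openssl and awk; the AWS CLI is needed only
# for a real upload. Bucket name and KMS alias below are hypothetical.

# Build a compressed tar archive of SRC_DIR and encrypt it with the
# passphrase stored in PASS_FILE (AES-256-CBC, PBKDF2 key derivation).
# A SHA-256 of the plaintext archive is written beside the ciphertext so a
# restore can be verified (openssl enc has no built-in authentication).
make_encrypted_backup() {
  src_dir=$1; out_file=$2; pass_file=$3
  tar -C "$src_dir" -czf "$out_file.plain.tgz" .
  openssl dgst -sha256 "$out_file.plain.tgz" | awk '{print $NF}' > "$out_file.sha256"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$pass_file" \
    -in "$out_file.plain.tgz" -out "$out_file"
  rm -f "$out_file.plain.tgz"
}

# Decrypt ENC_FILE, check the digest, and unpack into DEST_DIR.
# Returns 1 if the passphrase is wrong or the archive was altered.
restore_encrypted_backup() {
  enc_file=$1; dest_dir=$2; pass_file=$3
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$pass_file" \
    -in "$enc_file" -out "$enc_file.dec.tgz" 2>/dev/null \
    || { rm -f "$enc_file.dec.tgz"; return 1; }
  actual=$(openssl dgst -sha256 "$enc_file.dec.tgz" | awk '{print $NF}')
  expected=$(cat "$enc_file.sha256")
  if [ "$actual" != "$expected" ]; then
    rm -f "$enc_file.dec.tgz"
    return 1
  fi
  mkdir -p "$dest_dir"
  tar -C "$dest_dir" -xzf "$enc_file.dec.tgz"
  rm -f "$enc_file.dec.tgz"
}

# Build the upload command. --storage-class GLACIER writes the object straight
# into the Glacier tier; --sse aws:kms adds server-side encryption with a KMS
# key as a second layer. The command is only executed when DO_UPLOAD=1, so the
# script can be exercised offline; otherwise it is printed for review.
upload_to_glacier() {
  enc_file=$1
  bucket=${2:-example-phi-backups}   # hypothetical bucket name
  key_id=${3:-alias/phi-backup}      # hypothetical KMS key alias
  cmd="aws s3 cp '$enc_file' 's3://$bucket/$(basename "$enc_file")' --storage-class GLACIER --sse aws:kms --sse-kms-key-id $key_id"
  if [ "${DO_UPLOAD:-0}" = "1" ]; then
    eval "$cmd"
  else
    printf '%s\n' "$cmd"
  fi
}
```

Client-side encryption means that if a bucket policy is later misconfigured, what is exposed is ciphertext rather than PHI. The restore function is there so you test restores on a schedule; a backup you have never restored is a hope, not a control. Keep the passphrase file off the machine being backed up (a password manager is a good home), since losing it loses the backups.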
We also reviewed a number of other popular cloud storage and backup providers to see if they could be considered HIPAA compliant cloud storage.
CrashPlan
Backup company CrashPlan does offer to sign a HIPAA BAA, but only on its Enterprise plan. That might make sense if you're a large company, but it is expensive for a small practice.
We've found a great litmus test. You can quickly tell how seriously a cloud storage company takes HIPAA compliance with a simple Google search that restricts results to the vendor's own site:
"business associate agreement" site:vendor.com
(replace vendor.com with the vendor's domain). A vendor that will sign a BAA almost always says so on its site, usually on a HIPAA or compliance page. If the search comes back empty, move on to another provider, or at least ask the vendor directly before storing any PHI with it.
Because of its reasonable price, robust features, high level of security, and willingness to sign a HIPAA business associate agreement, we use and recommend Google Drive, which is part of Google's G Suite. G Suite includes cloud storage, hosted email, and robust online file editors, and is one of the best HIPAA compliant cloud storage services out there.