“What are my options for HIPAA compliant cloud storage?”
In recent years, cloud storage has risen in both effectiveness and popularity. Its convenience is undeniable: the ability to access your data from anywhere is amazing. But can business associates and medical providers take advantage of these services to store PHI? What exactly does it mean for a cloud storage service to be HIPAA compliant, and which services fit the bill?
There are a few things that are essential when it comes to finding a HIPAA compliant cloud storage provider. You need to be choosy, since putting your data “in the cloud” makes it hard to achieve HIPAA-compliant levels of security. When PHI is out of your hands and stored off-site (as cloud storage is), you need to be absolutely sure that your data is safe.
So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:
Do you want to share data between employees?
Google Cloud Storage
Our favorite service, hands down, is Google Drive, which is part of Google’s excellent G Suite. It’s one of the easiest services to use and a great value for the price. PCMagazine also loves it, giving Google Drive a five-star rating in 2016.
Google will sign a HIPAA Business Associate Agreement (BAA). It covers Gmail, Google Drive, Google Calendar, and Google Vault. If you set the file sharing up properly in Google Drive, it’s a great choice for HIPAA compliant cloud storage. Learn more about G Suite here.
Microsoft Office 365
Microsoft will also sign a BAA for mail, file storage, calendars, and other aspects of Microsoft Online. While they are a bit harder to use than G Suite, Microsoft offers some terrific data loss prevention tools that can help to keep you safer.
Do you want to share data with other companies?
G Suite and Microsoft Office 365 (reviewed above) can definitely share data securely with other companies. You need to be careful, though, about how you set up the sharing to make sure you don’t accidentally expose your PHI to the internet.
However, you might not need the other features that come with these services. If you already use another service for email, calendaring, and file editing, then you might want to go with a dedicated file sharing service. Here are some good options.
Dropbox
People often ask “Is Dropbox HIPAA compliant?” You bet it is! The most popular and arguably the most well-developed of the cloud storage providers, Dropbox is usually the first provider people think of when they think “cloud storage.” Fortunately, Dropbox is HIPAA compliant now with their Dropbox Business service (https://www.dropbox.com/business). This includes signing a BAA with you to meet all the requirements.
Box
Box meets all of the security and encryption requirements set forth by HIPAA and is willing to sign a business associate agreement. You can find more detailed information on their compliance on their website.
Do you want to back up your data safely to the cloud?
All of the previous services mentioned can be used for safe, HIPAA compliant backups. However, they require some configuration and oversight.
One of the best protections against ransomware attacks is to have a good, up-to-date backup. It’s also one of the best ways to protect your business from interruption if your computers are lost, stolen, or damaged.
Here are three great HIPAA-compliant backup services:
SpiderOak
SpiderOak offers a great “set it and forget it” backup service. You install their program on your computer, and all of your files are safely and automatically backed up to the cloud.
One of the reasons we love them is due to their “zero knowledge” policy. They encrypt every single possible aspect of their service, which means there is no way their staff could access your data without your involvement. And they’re happy to sign a HIPAA BAA. Sign up for a free trial here.
Carbonite
Carbonite is another popular backup service. They are willing to sign a HIPAA BAA.
Amazon S3 Glacier
Want to save a TON of money and don’t mind some technical work? Amazon S3 Glacier is dirt cheap, but requires you to be IT savvy to use it for regular backups. It’s also covered by the HIPAA BAA that Amazon will sign.
Do you want to host your applications in the cloud?
Amazon Web Services
We are huge fans of Amazon Web Services (AWS). Their security is top notch and they’re happy to sign a HIPAA Business Associate Agreement.
We’ve written some articles to help you get started, including “Getting Started with AWS Cloud Security – 14 Step Guide” and “Secure Cloud Computing: 7 Ways I’d Hack You On AWS”.
What about the other guys?
We also reviewed a number of other popular cloud storage and backup providers.
CrashPlan
Backup company CrashPlan does offer to sign a HIPAA BAA. However, you need to move up to their Enterprise plan. This might make sense if you’re a large company, but it’s pretty expensive.
We’ve found this is a great litmus test: you can quickly and easily tell how seriously a cloud storage company takes HIPAA compliance with a simple Google search.
Just type “business associate agreement site:vendor.com” (replacing vendor.com with the provider’s own domain) into Google, like this:
If you get a result like this, then move on to another provider!
What’s the best HIPAA compliant cloud storage service?
Because of its reasonable price, robust features, high level of security, and willingness to sign a HIPAA business associate agreement, we use and recommend Google Drive, which is part of Google’s G Suite. G Suite includes cloud storage, hosted email, and robust online file editors.
We’ve written an e-guide called “HIPAA Compliance Guide for Gmail / G Suite,” an e-book with 17 tips you can use to make sure you’re setting up G Suite the right way. You can download it here.
We also offer a paid service that will help you manage both G Suite/Office 365 and your practice in a HIPAA-compliant manner. Learn more about our “HIPAA for Gmail and Office365” services here.