“What are my options for HIPAA compliant cloud storage? ”
In recent years, cloud storage has risen in both effectiveness and popularity. Its convenience factor is undeniable– the ability to access your data from anywhere, on any device, universally synced, is amazing. But can business associates and medical providers take advantage of these services to store PHI? What exactly does it mean for a cloud storage service to be HIPAA compliant, and which services fit the bill?
There are a few things that are essential when it comes to finding a HIPAA compliant cloud storage provider. You need to be choosy, since putting your data “in the cloud” makes it hard to achieve HIPAA-compliant levels of security. When the PHI is completely out of your hands and stored on an off-site network (as cloud storage is), you need to be absolutely sure that your data is properly encrypted in case of a breach.
So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:
- Dropbox – The most popular and arguably the most well-developed of the cloud storage providers, Dropbox is usually the first provider people think when they think “cloud storage.” Fortunately, Dropbox is HIPAA compliant now with their Dropbox Business service (https://www.dropbox.com/business). This includes signing a BAA with you to meet all the requirements.
- Amazon S3 – Amazon S3 is HIPAA compliant and they also sign BAA with businesses. They currently offer the following services that are all HIPAA compliant: Amazon DynamoDB, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, Amazon Elastic MapReduce (Amazon EMR), Amazon Glacier, Amazon Redshift, Amazon Relational Database Service (Amazon RDS) for MySQL, Amazon RDS for Oracle, Amazon Simple Storage Service (Amazon S3) and AWS Import/Export Snowball. Amazon maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically support all the safeguards required under HIPAA.
- iCloud – Apple refuses to sign a BA agreement and there is no way to ensure the security of your information in the cloud, so best to keep your PHI away from this service.
So now that we’ve eliminated many of the most popular go-to cloud storage services, what’s left? Are there any HIPAA compliant cloud storage providers?
Thankfully, there are. Some of the most notable include:
- Google Drive – As of September 2013, Google Apps for Business allows the domain administrator to sign a BAA that covers Gmail, Google Drive, Google Calendar, and Google Vault. If the administrator disables all other Google Services from the domain and makes sure their business keeps appropriate password policies, etc, then Google Drive is a viable choice for HIPAA compliant cloud storage. Get a free trial here.
- Microsoft Office 365 – Microsoft also will sign a BAA that covers mail, file storage, calendars, and other aspects of the Microsoft Online offering. They also offer an impressive set of data loss prevention controls for outbound email. Get a free trial here.
- Box – Box meets all of the security and encryption requirements set forth by HIPAA and is willing to sign a business associate agreement. You can find more detailed information on their compliance on their website.
- Egnyte – Egnyte advertises their services as HIPAA compliant and is willing to sign a BAA. However, some concerns have been raised about their level of security (particularly, this 2012 blog post from a healthcare IT provider) so you may want to proceed with caution.
You should not take storing data “in the cloud” lightly. Also, even with a signed Business Associate Agreement, the burden falls on you to make sure that your data is secure when hosted at a HIPAA compliant cloud storage provider. For example:
- The way you get data on to the cloud servers must be encrypted.
- Your data must be encrypted when it’s on the cloud servers.
- The method you use for taking data out of the cloud servers must be encrypted.
- Any data downloaded from the cloud servers must be properly protected.
What’s the best HIPAA compliant cloud storage service?
Because of its reasonable price, robust features, high level of security, and willingness to sign a HIPAA business associate agreement, we use and recommend Google for Work. Google for Work includes cloud storage, hosted email, and robust online file editors.
By following this link, you can sign up for a free trial of Google’s paid Apps service.
While the service is only $5/user/month, if you use the form at right you can also get a coupon for 20% off your first year.
Disclosure: Please note that the link to Gmail above is an affiliate link. At no additional cost to you, we will earn a commission if you decide to make a purchase. We recommend Gmail because we use it and find it helpful and useful, not because of the small commissions we make if you decide to buy something. Please do not spend any money on Google unless you feel you need it or that it will help you achieve your goals.