“What are my options for HIPAA compliant cloud storage?”
In recent years, cloud storage has risen in both effectiveness and popularity. Its convenience factor is undeniable: the ability to access your data from anywhere, on any device, universally synced, is amazing. But can business associates and medical providers take advantage of these services to store PHI? What exactly does it mean for a cloud storage service to be HIPAA compliant, and which services fit the bill?
There are a few things that are essential when it comes to finding a HIPAA compliant cloud storage provider. You need to be choosy, since putting your data “in the cloud” makes it hard to achieve HIPAA-compliant levels of security. When the PHI is completely out of your hands and stored on an off-site network (as cloud storage is), you need to be absolutely sure that your data is properly encrypted in case of a breach.
So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:
- Dropbox – The most popular and arguably the most well-developed of the cloud storage providers, Dropbox is usually the first provider people think of when they think “cloud storage.” Unfortunately, Dropbox is not HIPAA compliant. HIPAA would require that all aspects of a PHI file — even the name, which can potentially hold identifying information — be encrypted and private. Dropbox keeps metadata which includes the file name, which is not secure. It also lacks the audit controls that HIPAA demands.
- Amazon S3 – Amazon S3 in and of itself is not HIPAA compliant, but Amazon AWS as a whole can be used to create HIPAA-compliant cloud storage — unfortunately, it won’t be easy. Amazon AWS isn’t HIPAA compliant “out of the box.” Rather, they give you dedicated servers and a HIPAA business associate agreement, but the rest is up to you if you want to create HIPAA compliant storage. Doing so might be more complicated than you’re willing to get into alone, but if you have an IT professional to work with, it’s definitely worth a look.
- iCloud – Apple refuses to sign a BA agreement and there is no way to ensure the security of your information in the cloud, so it’s best to keep your PHI away from this service.
So now that we’ve eliminated many of the most popular go-to cloud storage services, what’s left? Are there any HIPAA compliant cloud storage providers?
Thankfully, there are. Some of the most notable include:
- Google Drive – As of September 2013, Google Apps for Business allows the domain administrator to sign a BAA that covers Gmail, Google Drive, Google Calendar, and Google Vault. If the administrator disables all other Google Services from the domain and makes sure their business keeps appropriate password policies, etc., then Google Drive is a viable choice for HIPAA compliant cloud storage.
- Microsoft Office 365 – Microsoft also will sign a BAA that covers mail, file storage, calendars, and other aspects of the Microsoft Online offering. They also offer an impressive set of data loss prevention controls for outbound email.
- Box – Box meets all of the security and encryption requirements set forth by HIPAA and is willing to sign a business associate agreement. You can find more detailed information on their compliance on their website.
- Egnyte – Egnyte advertises their services as HIPAA compliant and is willing to sign a BAA. However, some concerns have been raised about their level of security (particularly, this 2012 blog post from a healthcare IT provider) so you may want to proceed with caution.
- Symform – Symform is an enterprise cloud storage service that is willing to sign a BAA and claims to be HIPAA compliant, focusing especially on backup and disaster recovery. They have more details and links to several whitepapers on their site that outline the ways that you can use Symform to store or backup PHI.
You should not take storing data “in the cloud” lightly. Also, even with a signed Business Associate Agreement, the burden falls on you to make sure that your data is secure when hosted at a HIPAA compliant cloud storage provider. For example:
- The way you get data onto the cloud servers must be encrypted.
- Your data must be encrypted when it’s on the cloud servers.
- The method you use for taking data out of the cloud servers must be encrypted.
- Any data downloaded from the cloud servers must be properly protected.
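As an added illustration of the first two requirements on AWS (this is not code from the post or from Amazon), here is an S3 bucket policy that rejects any request not made over TLS and any upload that does not ask for server-side encryption; EXAMPLE-PHI-BUCKET is a placeholder bucket name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-PHI-BUCKET",
        "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutServerSideEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

This enforces encryption in transit and at rest on the bucket side only; the signed BAA, access logging, and protection of any copies downloaded to workstations remain your responsibility.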