HIPAA Compliance storage in “the cloud”
Cloud data storage is a common and convenient option for healthcare organizations. According to Acumen Research and Consulting, the global Healthcare Cloud Computing market is expected to grow at a rate of 14% annually, and reach $40 billion by 2026. Benefits of cloud data storage include convenience, decentralization, and usually increased reliability and security.
The goal of HIPAA is to protect the confidentiality, integrity, and availability of protected health information (PHI). Using a cloud data storage solution to securely store ePHI can help healthcare organizations achieve that goal. While storing data in the cloud can serve as a tool to work toward those aims of HIPAA compliance, there are a few things covered entities should be aware of when using a cloud storage provider (CSP).
Whether or not you comply with HIPAA in your data storage depends on the actions of both the covered entity and the CSP. If some or all of your data is “in the cloud,” you would need to work with your CSP to ensure that a business associate agreement (BAA) is created and signed, and sufficient security controls are in place.
What is the cloud?
The word cloud implies something nebulous and fleeting, but a lot of people don’t realize that “the cloud” is really a group of physical servers someone else sets up and manages. All of the security controls that would apply to physically managed, on-site systems still apply in some way to cloud security.
Can you store ePHI in the cloud?
Yes; you can store ePHI in the cloud, as long as you have a BAA in place and apply the same HIPAA security requirements to the ePHI located in the cloud as you would to ePHI on premises.
Who manages cloud security? Me or my cloud service provider?
In most cases, the basics of cloud security, like server hardening, patching, and firewall configuration, are managed by the cloud service provider. Your provider should provide you with an agreement that outlines what security they provide and what security is configurable, either by them or by you. When choosing how to configure the security, start with security guides that your cloud service provider has created.
When a covered entity (or business associate) contracts with a CSP to process or store ePHI on its behalf, the CSP is considered a business associate (BA) under HIPAA.
The healthcare entity and the CSP must enter into a HIPAA-compliant business associate agreement. The CSP is then contractually obligated to meet the terms of the BAA and responsible for compliance with the applicable HIPAA requirements.
“In addition to its contractual obligations, the CSP, as a business associate, has regulatory obligations and is directly liable under the HIPAA Rules if it makes uses and disclosures of PHI that are not authorized by its contract, required by law, or permitted by the Privacy Rule. A CSP, as a business associate, also is directly liable if it fails to safeguard ePHI in accordance with the Security Rule, or fails to notify the covered entity or business associate of the discovery of a breach of unsecured PHI in compliance with the Breach Notification Rule.”
Essentially, your CSP is responsible for the security of ePHI it stores, and can be held liable in the event of a data breach.
Choosing a cloud service provider
When choosing a cloud service provider, make sure they will sign a BAA. They should know that the data you will store with them is protected by HIPAA and that you must follow its rules and privacy guidelines. If a vendor won’t sign a BAA, then that’s a good sign that they won’t keep your ePHI secure.
Large cloud vendors are often perceived as a safe choice, as they have the resources and staff to devote to security.
At age 5, Joshua Black wanted to be an inventor. At 9, he learned to program and was completely hooked. Josh's first job in IT was at age 15, and he has worked in the industry ever since. Josh has been with SecurityMetrics for 5 years, serves on the Enterprise Audit Team, and has completed over 100 assessments. He holds CISSP, CISA, CCSFP, PA-QSA, and QSA credentials.