Best HIPAA Compliant Cloud Storage
Before we start figuring out which is the best HIPAA compliant cloud storage, let us learn a thing or two about it.
HIPAA, the Health Insurance Portability and Accountability Act, sets a standard that cloud services and businesses need to follow if they hold sensitive patient information. Covered entities that treat patients and business associates that have access to patient information must all work in a HIPAA compliant environment.
What Are The Responsibilities Of A Cloud Service Provider?
A cloud service provider must make sure to follow the guidelines of HIPAA compliance. Here’s what they consist of:
- All data must be encrypted both in transit and at rest on the servers.
- The cloud service provider must implement security and privacy policies that ensure all PHI (protected health information) is handled in accordance with HIPAA.
- Physical access to the data centre must be restricted.
- Disaster recovery: the cloud service provider must ensure that all data remains available even in the case of a hardware failure. That’s achieved with redundancy and backup systems.
- Supervision and appropriate training of data centre personnel and company employees.
What Are The Responsibilities Of The Covered Entity?
The cloud service provider isn’t the only one that has to make sure all the PHI is saved securely. The business owner or the covered entity must also follow the guidelines:
- The covered entity must sign a HIPAA BAA (Business Associate Agreement) before it uploads any PHI to the cloud.
- It must also make sure that all devices with access to the PHI are protected accordingly.
- It must protect the login credentials for the cloud service software.
- It must implement and enforce policies that describe how employees should handle the PHI.
What Is A HIPAA BAA?
A HIPAA BAA, or HIPAA Business Associate Agreement, is a document that both parties sign before any cooperation begins.
This document puts the legal liability on the cloud provider and also opens the cloud provider up to audits by the US federal government. The US federal government conducts regular HIPAA compliance audits across all covered entities, including cloud service providers.
The document covers definitions, the obligations of both parties, permitted uses and disclosures, terms and other miscellaneous provisions.
The Consequences Of A Data Breach
A cloud service provider can’t simply declare themselves to be HIPAA compliant. A data breach could result in the shutdown of the cloud service provider, an expensive lawsuit and millions of dollars in fines.
From a cloud service provider’s perspective, HIPAA compliance comes at a high cost. It’s expensive to implement and maintain. They need a legal team to review the BAA and the various policies that ensure all employees handle PHI in accordance with HIPAA. Implementing the right technology and infrastructure is also needed to ensure all HIPAA guidelines are being followed.
If a data breach happens, the cloud service needs to undergo an extensive and expensive audit to clear itself of liability, even if the fault was client-side. To get a full grasp of how to avoid being penalized for a breach, check out this full guide.
Here are a few examples of the seriousness of HIPAA:
- Memorial Healthcare Systems (MHS) – MHS from Florida recently had to pay a $5.5 million HIPAA settlement. The data breach happened back in 2012, when MHS employees inappropriately accessed sensitive patient information – Original article.
- Concentra Health Services in Springfield, Missouri had to pay more than $1.7 million in fines due to a stolen laptop that had access to sensitive PHI – Original article.
- Arkansas’ QCA Health Plan, Inc. had to pay $250,000 for the same reason, which resulted in the exposure of sensitive information of 148 patients – Original article.
Best HIPAA Compliant Cloud Storage
Sync uses a “zero-knowledge” platform that protects your privacy by encrypting and decrypting your data client-side. Moreover, the encryption keys used to encrypt your files are never in Sync’s hands, only yours. Even your account password is unknown to them. HIPAA compliance is available to business users. Before you start cooperating with them, you’ll sign the BAA.
Read the Sync.com review here.
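To make the “zero-knowledge” model above concrete, here is an added example (written for this article, not Sync’s code, and not a description of how Sync implements it) of what client-side encryption looks like in practice: the client derives an AES-256 key from a passphrase with PBKDF2, seals the file with AES-GCM, and hands the provider only the salt, nonce and ciphertext. The provider never holds the passphrase or the key, so it cannot read the PHI, and any tampering with the stored bytes is detected on download. The passphrase, the sample patient record and the iteration count are constructed values for the example; the PBKDF2 routine is written out by hand so the program needs only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Envelope is everything the client uploads to the storage provider.
// None of it is secret: without the passphrase it is opaque.
type Envelope struct {
	Salt       []byte // per-file KDF salt
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // ciphertext with the GCM authentication tag appended
}

const (
	kdfIterations = 100_000 // example value; tune to the client's hardware
	keyLen        = 32      // AES-256
)

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) over HMAC-SHA256, written out
// here so the example depends only on the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = PRF(P, S || INT(block))
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(P, U(j-1)); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives the file key from the passphrase and salt and returns an
// AES-GCM instance over it. The key lives only in client memory.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the client before upload: plaintext never leaves the device.
func Seal(passphrase string, plaintext []byte) (Envelope, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The salt is passed as additional authenticated data so a swapped header
	// is detected along with any change to the ciphertext itself.
	ct := gcm.Seal(nil, nonce, plaintext, salt)
	return Envelope{Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the client after download; it fails on a wrong passphrase or
// on any modification of the stored envelope.
func Open(passphrase string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(passphrase, env.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.Salt)
}

func main() {
	phi := []byte("patient: Jane Doe, MRN 0001, dx: hypertension") // constructed sample
	env, err := Seal("correct horse battery staple", phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes; plaintext visible: %v\n",
		len(env.Ciphertext), bytes.Contains(env.Ciphertext, phi))
	if _, err := Open("guessed-by-provider", env); err != nil {
		fmt.Println("provider without the passphrase cannot decrypt:", err)
	}
	got, err := Open("correct horse battery staple", env)
	fmt.Printf("client decrypts: %q (err=%v)\n", got, err)
}
```

The point for a HIPAA review is what the provider can and cannot do with what it holds: the envelope is enough to store, replicate and back up the file (the redundancy the compliance checklist asks for), but not enough to read it, and the authentication tag turns silent corruption or tampering at rest into a hard failure on the client.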
What do you think about my “Best HIPAA Compliant Cloud Storage” article? Share your opinion in the comment section down below!