Dejan Miladinovic January 13th, 2020

HIPAA Compliance Within Cloud Storage

Cloud storage providers are also adapting to the latest standards by increasing the security and privacy of your files online. Acquiring HIPAA compliance is certainly a big step for any cloud storage provider.

What Is HIPAA Compliance?

HIPAA compliance or the Health Insurance Portability and Accountability Act was put into law by the US Congress back in 1996 during the Bill Clinton presidency. It has been since then updated to reflect all the new technology advancements. The act primarily serves as guidelines which protect sensitive patient information. 

The act applies to various companies and organisations that operate in the US. Canada, for example, has their PIPEDA and EU has its Directive on Data Protection. All of these acts make sure that companies and organisations handle personally identifiable information and patient information responsibly and in a secure manner.

HIPAA Compliance Within Cloud Storage

The HIPAA applies to cloud storage providers as well. That is if they choose to provide HIPAA compliance to their customers. If you’re a personal user that doesn’t own a business the HIPAA compliance means pretty much nothing to you. It does convey a certain message though. The message is that the cloud storage provider in question truly went the extra mile to ensure the security and privacy of your files. It’s not enough that the provider provides the necessary software and infrastructure. They must also employ lawyers and other employees that oversee the HIPAA compliance, make sure everything is in accordance with the law and handle interactions with businesses that require HIPAA compliance.

Be careful though, most cloud storage providers don’t, in fact, provide HIPAA compliance to personal users. Well, you don’t need it in the first place so why should you care? HIPAA compliance means that your files are handled in a secure manner in accordance with the act. In some cases that means different handling of your files by the cloud storage provider.

The moral of the story, don’t fall for the “HIPAA Compliant” advertisement. In most cases, that is only provided to business users.

HIPAA Compliant Cloud Storage For Businesses & Organisations

If you are a company or an organisation that deals with sensitive patient information and you operate within the US you will require a safe place to store that data. HIPAA compliant cloud storage providers are one option.

Dangers

By moving that data to the cloud you’re ensuring the privacy and security of that data. It’s important to pick the right cloud storage provider that provides HIPAA compliance though. Why would you care about this though? Well, it turns out that it’s not the best idea to let some of that precious data reach the wider public or anyone unauthorised for that matter. Huge fines have been issued to companies and organisations that had a security breach on their record:

  • Feb 7th 2019: Cottage Health had to pay $3.000.000 in fines due to the failed implementation of security measures that would be sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Oct 16th 2018: Anthem had to pay $16.000.000 due to a data breach. The cyber-attackers got into their system via an employee that responded to a malicious e-mail and stole the ePHI of 79.000.000 individuals.
  • Feb 16th 2017: Memorial Healthcare Systems had to pay $5.500.000 due to lack of audit controls over their employees. The login credentials of a former employee have been used over the course of one year to access the ePHI of about 80.000 individuals. MHS is actually a nonprofit organisation and still, it was slammed for the breach of HIPAA.

These 3 fines were just some of the larger examples over the course of these 3 years. From 2015 to 2019 a total of 94,044,400 US dollars were taken by the U.S Department of Health and Human Services in the form of fines and settlements.

If you’re a business or an organisation you should really take the HIPAA compliance seriously. A fine like this one will not only bury you financially but also leave a big stain on your reputation, a stain that’s very hard to remove.

HIPAA Compliance As A Marketing Tool

We live in an era where privacy is pretty much non-existent unless you turn the switch off and live in a forest hut with no water and electricity. Well, you could have both but you know what I mean. The need for privacy is increasing year after year, with social media taking over the world, data breaches happening everywhere and various “spying” affairs popping up everywhere. HIPAA compliance can as such be used as a powerful marketing tool. Even if you only operate within Europe for example, go for a cloud storage that is HIPAA compliant and stick that “HIPAA Compliance Badge” on the front page of your business website. Ensure your customers that their data is safe with you and they will be much more inclined to interact with you and ultimately buy whatever it is you’re trying to sell.

How Does A Cloud Storage Ensure HIPAA Compliance?

HIPAA compliance is not an easy task for a cloud storage provider. They have to build their service from the ground up in a way to support this level of privacy. That can be achieved with numerous steps:

  • All of the sensitive ePHI (protected health information) must be encrypted (preferably with client-side encryption) both while files are being transferred and while they’re on their servers.
  • The cloud storage provider must implement a privacy policy that ensures all ePHI is handled in accordance with HIPAA.
  • Data centres must have restricted access and only available to trained personnel. People working there must be audited and supervised at all times.
  • In the case of a disaster, the cloud storage provider must ensure that no data is ever lost. Whether there’s a natural disaster or just a hard drive malfunctions it’s necessary that nothing is lost. That is achieved by having multiple data centres and multiple backups of a single file (redundancy system).

What Falls Under Your Responsibility As A Business Owner?

Uploading ePHI to the cloud storage comes with a few responsibilities. When things go out of control it’s important you won’t be the one standing there taking all the blame. Your business can in this case also be referred to as a covered entity.

  • You must sign a BAA (Business Associate Agreement) with the cloud storage provider. This document more or less puts all of the legal liability on the cloud storage provider and opens the cloud provider to revisions by the US federal government. The US federal government conducts audits and reviews of covered entities regularly. The document itself specifies all the terms, disclosures, and obligations of both parties.
  • You must ensure that all computers and devices that have access to PHI are protected from unauthorized access.
  • You must protect login credentials to the cloud storage provider to the best of your abilities (oversight over your employees).
  • You must employ policies that describe how employees should handle the PHI and make sure those policies are enforced.

HIPAA Compliant Cloud Storage Providers

Many cloud storage providers offer HIPAA compliance such as:

Having that golden certificate on their website is not enough though. Google Drive, for example, requires a number of steps from your side in order to make storing of PHI truly safe and HIPAA compliant. Feel free to check the best HIPAA compliant cloud storage article to find the best one that requires minimal effort.

Bonus: If you are looking for a fully-integrated Desktop-as-a-Service solution, V2 Cloud ensures the security of your data with technical safeguards, and data encryption. Their cloud computers respect the most specific network compliance, from HIPAA to PCI.

Dejan Miladinovic

My name is Dejan Miladinovic and hopefully, your go-to guy for all cloud service things considered. I've been extensively testing and researching the cloud service market for the past 4 years. Hopefully, you found the post written above useful and intuitive. I would be happy to discuss it more in the comments section.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *