Organizations that deal with personal medical information need to ensure that this data is secure and protected. And it’s not just an ethical issue; clinics, hospitals, and other healthcare organizations are legally obligated by the Health Insurance Portability and Accountability Act (HIPAA) to store and share medical data and health records in a safe and compliant manner.
That’s why, when these organizations consider storing this personal data in the cloud, it’s critical to confirm that the software they use is HIPAA-compliant.
In this post, we’ll explore the history of HIPAA, what it means to be HIPAA-compliant, and the best HIPAA-compliant cloud storage services available.
What is HIPAA?
According to the Centers for Disease Control, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Signed into law by President Bill Clinton in 1996, HIPAA modernized the flow of healthcare information while ensuring another level of protection from fraud and theft.
HIPAA protects information regarding:
- An individual’s past, present, or future physical or mental health
- The provision of health care to the individual
- Past, present, or future payment for the provision of health care to the individual
- The identity of the individual, or data for which there is a reasonable basis to believe it could be used to identify the individual
Though the act was passed before cloud storage existed, it now extends to how this information is shared and stored digitally. HIPAA requires developing safeguards that protect data physically (use and positioning of workstations and mobile devices), technically (implementing activity logs, audit controls, and access controls), and administratively (conducting risk assessments, implementing risk management policies, and restricting third-party access).
What does it mean for cloud storage software to be HIPAA-compliant?
There is no official HIPAA-compliant certification, which means it’s up to the organizations and the cloud service providers to ensure adherence to HIPAA. To do so, they must review the HIPAA regulations and update their practices periodically to meet their compliance goals.
To be HIPAA-compliant, a cloud storage provider must be willing to commit that it secures data while it is transmitted to the cloud, stores that data securely, provides a system for controlling who can access it, and keeps a log of all activity.
What are the top HIPAA-compliant cloud storage services?
There are a number of well-known companies that provide cloud storage services that meet HIPAA regulations. These include:
- Google Drive and Google Workspace (formerly G Suite): Google Drive is easy to use and offers strong security options. Google offers a Business Associate Agreement (BAA) for Google Drive as well as Docs, Sheets, Google Calendar, Gmail, and more as an addendum to a standard user agreement that specifies how these products must be used.
- Microsoft OneDrive: Through its online service terms, Microsoft automatically provides a BAA for OneDrive for Business, Office 365, and other products.
- Dropbox Business: Dropbox Business is a popular cloud storage provider that can be configured to offer HIPAA-compliant cloud storage, complete with two-step authentication, review and removal of linked devices, user access reviews, and user activity reports.
- Box Enterprise and Elite: Box Enterprise and Elite accounts come standard with access monitoring, reporting, audit trails, and granular permissions.
- SpiderOak: Once installed, SpiderOak runs in the background on your computer and automatically backs up all your files safely, securely, and compliantly.
Are standard cloud storage settings enough to secure HIPAA data?
Depending on the data your organization is entrusted to manage — and how that data is shared — you may need to add an additional layer of security to these services to ensure compliance. Some key questions to consider are:
- Does this cloud storage service encrypt data end-to-end, across its entire lifecycle?
- Can I manage my own encryption keys to ensure I maintain control over my data at all times?
- Does this service provide any security controls to safeguard data after it’s been shared?
- Does this service protect sensitive data both in transit and at rest?
Once you’ve picked a cloud storage service, keeping it HIPAA-compliant is still your organization’s responsibility. To do so, organizations must properly configure the service’s settings, review which third-party apps have been granted access to the cloud account, and ensure file security and privacy.
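The questions above about end-to-end encryption, customer-managed keys, and activity logs are easier to evaluate with a concrete picture of what they mean in practice. The following is an added example, not code from this post or from any of the providers named in it: a health record is encrypted on the organization’s own systems with AES-256-GCM under a key the organization generates and holds, so the only thing the storage provider ever receives is ciphertext it cannot read, and every upload or download is written to an audit log that contains a hash of the stored blob but never any plaintext. The key identifier, record identifier, actor names, and the sample note are all constructed placeholders; the `Seal`, `Open`, and `Record` functions are hypothetical helpers written for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// CustomerKey is an AES-256 key generated and held by the healthcare
// organization. Only ciphertext produced under it ever leaves the client,
// so neither the storage provider nor an add-on vendor can read the record.
type CustomerKey struct {
	ID    string // hypothetical key identifier, recorded in the audit log
	bytes []byte // 32 bytes for AES-256
}

// NewCustomerKey draws fresh key material from the OS CSPRNG.
func NewCustomerKey(id string) (*CustomerKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &CustomerKey{ID: id, bytes: k}, nil
}

func gcmFor(key *CustomerKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key.bytes)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record client-side before upload. The record ID is bound
// in as associated data, so a blob stored under one record cannot later be
// presented as a different record. Output layout: nonce || ciphertext || tag.
func Seal(key *CustomerKey, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob fetched back from cloud storage. A modified blob, a
// wrong key, or a mismatched record ID fails GCM authentication and yields
// an error rather than data.
func Open(key *CustomerKey, recordID string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a GCM nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// AuditEntry is one line of the activity log the technical safeguards call
// for: who touched which record, under which key, and a hash of the stored
// blob so the log can be reconciled against what the provider actually holds.
type AuditEntry struct {
	When       time.Time
	Actor      string
	Action     string // "upload" or "download"
	RecordID   string
	KeyID      string
	BlobSHA256 string
}

// Record appends an audit entry. The log never contains plaintext.
func Record(trail []AuditEntry, actor, action, recordID string, key *CustomerKey, blob []byte) []AuditEntry {
	sum := sha256.Sum256(blob)
	return append(trail, AuditEntry{
		When: time.Now().UTC(), Actor: actor, Action: action,
		RecordID: recordID, KeyID: key.ID, BlobSHA256: hex.EncodeToString(sum[:]),
	})
}

func main() {
	// Constructed sample identifiers and record; no real PHI.
	key, _ := NewCustomerKey("org-key-placeholder")
	recordID := "patient-0001/visit-summary"
	plain := []byte("Constructed sample visit note.")

	blob, _ := Seal(key, recordID, plain) // this blob is all the provider stores
	var trail []AuditEntry
	trail = Record(trail, "clinician-a", "upload", recordID, key, blob)

	back, err := Open(key, recordID, blob)
	trail = Record(trail, "clinician-a", "download", recordID, key, blob)
	fmt.Printf("roundtrip ok: %v (%q)\n", err == nil, back)

	// Flipping one stored byte is detected on download instead of silently read.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, recordID, tampered)
	fmt.Println("tampered blob rejected:", err != nil)
	fmt.Printf("audit entries: %d\n", len(trail))
}
```

The point for a compliance review is the split of responsibilities this creates: the provider protects availability and transport, but confidentiality and integrity of the record rest on a key the provider never sees, and the audit trail is something the organization produces and keeps itself rather than something it has to request from the vendor.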
Seamless Security to Strengthen HIPAA Compliance in the Cloud
With Virtru, you can add a layer of encryption to your Google Workspace and Google Cloud storage platforms to support HIPAA compliance. Virtru also enables you to manage your own encryption keys, so that neither Google nor Virtru can access your data at any time. You retain full control of your data, while still giving your teams the ability to collaborate and share information efficiently.
Virtru is here to help you assess your data management strategy and support your compliance with HIPAA. Contact Virtru today to schedule a consultation with one of our data security experts.