Hospitals, clinics, and other health organizations have had a bumpy road towards cloud adoption over the past few years. The implied security risks of using the public cloud or working with a third-party service provider considerably delayed cloud adoption in the healthcare industry.

Even today, when 84% of healthcare organizations use cloud services, the question of choosing the right HIPAA compliant cloud provider can be a headache.

All healthcare providers whose clients’ data is stored in the U.S. are a subject to a set of  regulations known as HIPAA compliance

Today, any organization that handles confidential patient data needs abide by HIPAA storage requirements.

What is HIPAA Compliance?

HIPAA standards provide protection of health data. Any vendor working with a healthcare organization or business handling health files must abide by the HIPAA privacy rules. There are also many ancillary industries that must adhere to the guidelines if they have access to medical and patient data. This is where HIPPA Compliant cloud storage plays a significant role.

In 1996, “the U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.” The Privacy Rule addresses patients’ “electronic protected health information” and how organizations, or “HIPAA covered entities” subject to the Privacy Rules must comply.

Most healthcare institutions use some form of electronic devices to provide medical care. This means that information no longer resides on a paper chart, but on a computer or in the cloud. Unlike general businesses or most commercial entities, healthcare institutions are legally obliged to employ the most reliable data backup practices.

So, how does this affect their choice of a cloud provider?

When planning their move to cloud computing, health care institutions need to ensure their vendor meets specific security criteria.

These criteria translate into requirements and thresholds that a company must meet and maintain to become HIPAA-ready. These come down to a set of certifications, SOC auditing and reporting, encryption levels, and physical security features.

HIPAA cloud storage solutions should work to make becoming compliant simple and straightforward. This way, healthcare organizations have one less thing to worry about and can focus on improving their critical processes.

storage requirements for Hipaa compliance

 HIPAA Cloud Storage and Data Backup Requirements

A cloud service provider doing business with a company operating under the HIPAA-HITECH act rules is considered a business associate. As such, it must show that it within cloud compliance standards and follows any relevant standards. Although the vendor does not directly handle patient information, it does receive, manage, and store Protected Health Information (PHI). This fact alone makes them responsible for protecting it according to HIPAA-HITECH act guidelines.

Being HIPAA compliant means implementing all of the rules and regulations that the Act proposes. Any vendor offering services that are subject to the act must provide documentation as proof of their conformity. This documentation needs to be sent not only to their clients but also to the Office for Civil Rights (OCR). The OCR is a sub-agency of the U.S. Department of Education, which promotes equal access to healthcare and human services programs.

Healthcare industry organizations looking to work with a HIPAA Compliant cloud storage provider should request proof of compliance to protect themselves. If the provider follows all standards, it should have no qualms about sharing the appropriate documentation with you.

HIPAA requirements for cloud hosting organizations are the same as the requirements for business associates. They fall into three distinct categories: administrative, physical, and technical safeguards.

  • Administrative Safeguards: These types of safeguards are transparent policies that outline how the business will comply from an operational standpoint. The operations can include managing security risk assessments, appropriate procedures, disaster and emergency response, and managing passwords.
  • Physical Safeguard: Physical safeguards are usually systems that are in place to protect customer data. They might include proper storage, data backup, and appropriate disposal of media at a data center. Important security precautions for facilities where hardware or software storage devices reside are also a part of this category.
  • Technical Safeguards: This group of safeguards refers to technical features implemented to minimize data risk and maximize protection. Requiring unique login information, auto-logoff policies, and authentication for PHI access are just some of the technical safeguards that should be in place.
Medical Record storage in the cloud

What Makes a HIPAA Certified Cloud Provider Compliant?

Providing HIPAA compliant file storage hardware or software is not as simple as flipping a switch. It takes a tremendous amount of time and effort for a company to become compliant.

The critical element to look for in a HIPAA certified cloud storage provider is its willingness to make a Business Associate Agreement. Known as a BAA, this agreement is completed between two parties planning to transmit, process, or receive PHI. Its primary purpose is to protect both parties from any legal repercussions resulting in the misuse of protected health information.

A Business Associate Agreement BAA must not add, subtract, or contradict the overall standards of the HIPAA. However, if both parties agree, supplementing specific terminology is acceptable. There are also some core terms that make up the groundwork for a compliant business associate agreement and must remain for the contract to be considered legally binding.

The level of encryption enabled by the cloud provider needs proper attention. The company should be encrypting files not only in transit but also at rest. Advanced Encryption Standard (AES) is the minimum level of encryption that it should use for file storage and sharing. AES is a successor to Data Encryption Standard (DES) and was developed by the National Institute of Standards and Technology (NIST) in 1997. It is an advanced encryption algorithm that offers improved defense against different security incidents.

man working on a mobile device at work

Selecting a Compliant Cloud Storage Vendor

When choosing a HIPAA compliant provider, look for HIPAA web Hosting that meets the measures outlined in the previous section. Make sure you ask them about their data storage security practices to how secure your PHI data will be.

Does the potential vendor offer a service level agreement?

An SLA contract indicates guaranteed response times to threats, typically within a twenty-four-hour window. As a company that transmits PHI, you need to know how quickly the provider can notify you in the event of an incident. The faster you receive a breach notification, the more efficiently you can respond.

Don’t forget that the storage of electronic cloud-based medical records should be in a secure data center.

What are the security measures in place in case of an incident? How is access to the facility determined? Ask for a detailed outline of how they implement and enforce physical security. Check how they respond in the event of a data breach. Make sure you get all the relevant details before you bring your data to risk.

Your selected vendor should also have a Disaster Recovery and Continuity Plan in place.

A continuity plan will anticipate loss due to natural disasters, data breaches, and other unforeseen incidents. It will also provide the necessary processes and procedures if or when such events occur. Concerning data loss prevention best practices, it is also essential to determine how often the proposed method undergoes rigorous testing.

Healthcare Medical Records Security – How can I be Sure?

Cloud providers that take compliance seriously will ensure their certifications are current. There are several ways to check if they follow standards and relevant regulations.

One way is to audit your potential provider using an independent party. Auditing will bring any possible risks to your attention and reveal the vendor’s security tactics. Cloud storage for medical records providers must regularly audit their systems and environments for securing threats to remain compliant. The term ‘regularly’ is not defined by the act, so it is essential to request documentation and information on at least a quarterly basis. You should also ensure you have constant access to reports and documentation detailing the most recent audit.

Another way to determine whether the company is compliant is to assess the qualifications of its employees. All staff needs to be educated on the most current standards and get familiarized with specific safeguards. Only with these in place organizations can achieve compliance.

Ask your potential vendor tough questions. Anyone with access to PHI needs appropriate training on secure data transmission methods. Training needs to include the ability to securely encrypt patient information no matter where they are stored.

A HIPAA compliant company will not ask you for a backdoor to access your data or permission to bypass your access management protocols. Such vendors recognize the risk of requiring additional authentication or access points. Compromising access to authentication protocols and password requirements is a serious violation and should never happen.

a secure cloud for storing data

Cloud Backup & Storage Frequently Asked Questions

Ask potential cloud vendors which method they use to evaluate your HIPAA compliance.

Is a HIPAA policy template available for use? Does the provider offer guidance and feedback on compliance? How are they ensuring that you are up to date and aware of security rules and regulations? Do they offer HIPAA compliant email?

Does the company have full-time employees on-premise?

Having a presence on site and available around the clock is a mechanism to ensure advanced security. An available representative makes PHI security more reliable and guarantees a quick response if needed. It also gives you peace of mind knowing that the company in charge of your data protection is thoroughly versed in the required standards.

The right provider should also be quick to adapt to the changes and inform you of anything that directly affects your PHI or your access to it.

Data deletion is a crucial component in choosing the appropriate HIPAA business associate. How long is the information kept for a period before being purged? How is data leakage prevented when servers are taken out of commission or erased? Is the data provided to you before deletion? The act offers no guidelines concerning the required length of time, but it is an agreement you and your provider must reach together.

In addition to your knowledge, determine how well your potential provider is versed in HIPAA regulations. Cloud companies often fail to follow the latest regulation changes, and you have to look for the one with consistent dedication.

Shop around. Do not be content with the first quote.

Many companies tout their HIPAA security, only to discover that they fall short of the measuring stick. Do your research, ask questions, and determine which vendor best suits your needs.

Learn about the ransomware stats in healthcare and what can be done about it.

HIPAA-Compliant  Cloud Storage is Critical

When it comes to protecting medical records in the cloud, phoenixNAP will support your efforts with the highest service quality, security, and dependability.

We provide a selection of data centers which offer state-of-the-art protection for your medical files. With scalable cloud solutions, a 100% uptime guarantee, and unmatched disaster recovery, you can rest assured that your infrastructure is compliant.

HIPAA certifications can be confusing, complicated, and stressful.

You need to be able to trust your cloud provider to keep your files safe. PhoenixNap Global IT Services will allow you the freedom to focus your attention on other areas of your business and ensure the protection of your entities and business associates.