A Guide to HIPAA Compliant Cloud Backup Services

The advantages and disadvantages of using a HIPAA compliant cloud storage service versus a general IT service provider

The amount of patient health data and electronic protected health information (ePHI) that healthcare organizations hold is growing rapidly, and a HIPAA compliant cloud backup and storage service is the most practical way to keep it protected.

The average patient generates about 80 megabytes of data each year and researchers find that the volume of data in healthcare grows faster than in any other sector.

In all, projections indicate that there could be as much as 2,314 exabytes of new healthcare data generated in 2020 – compared to just 153 exabytes in 2013.

(Figure: total amount of healthcare data generated in 2013 and a projection for 2020, in exabytes. Image source: statista.com)

With fast-growing storage needs, healthcare organizations increasingly turn to cloud computing for its scalability, cost-efficiency and flexibility.

However, while the cloud makes file storage and file sharing simple and convenient, there are data security risks to consider and HIPAA compliance to think about. 

As such, it is essential that healthcare organizations select a HIPAA compliant cloud storage service when implementing a cloud solution.

Failure to do so can put the organization in breach of the HIPAA Privacy Rule and Security Rule and expose it to substantial civil monetary penalties from regulators.

Why You Need HIPAA Compliant Cloud Data Backup & Storage

Plenty of IT service providers offer cloud storage – but not all are up to the task of meeting HIPAA regulations. 

HIPAA is designed to protect the privacy of sensitive patient information. 

Combined, the HIPAA Privacy, Security and Breach Notification Rules (known collectively as the HIPAA Rules) establish protections for protected health information. 

Importantly, not only do healthcare organizations (known as HIPAA covered entities) have to stay compliant with HIPAA; any cloud storage services and apps those organizations use to handle ePHI have to meet HIPAA requirements as well.

Under HIPAA, providers of these services and apps are known as business associates, and business associates are directly required to comply with the HIPAA Rules.

In the words of the Department of Health and Human Services’ Office for Civil Rights (OCR), the body responsible for HIPAA enforcement, “When a covered entity engages the services of a CSP [cloud service provider] to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA.”

As a result, the OCR continues, “the covered entity and the CSP must enter into a HIPAA-compliant business associate agreement (BAA) and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules."

Do You Need a Business Associate Agreement with Cloud Storage? 

Put simply, a BAA is a written contract between a covered entity and a business associate that sets out each party’s responsibility for safeguarding protected health information in line with HIPAA requirements.

The HIPAA Rules protect not only the confidentiality of health data, but also its integrity and availability. As such, the cloud storage services provided by a CSP must offer the technical, administrative and physical safeguards needed to protect patient ePHI.

In practice, this means the CSP should provide strong encryption of ePHI in transit (during upload and download) and at rest, access control and monitoring, multi-factor authentication so that only authorized users can reach the data, audit trails, and administrative controls.

The BAA will outline precisely what these services and controls look like. It will establish:

  • how the business associate is allowed to use, process and store PHI
  • a guarantee that the business associate will not use ePHI outside of these parameters
  • the appropriate use of technical, administrative and physical safeguards to protect sensitive health data.

As the OCR explains, “The BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate. 

The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.”

Choosing the Right Cloud Storage Provider

Healthcare organizations have two main types of cloud storage provider to consider: generalist providers that support HIPAA, and HIPAA specialists.

While it is possible to use generalist providers, such as Dropbox, Amazon Web Services, or Google Drive, their services are not HIPAA compliant by default; compliance depends on how the organization configures and operates them.

These providers will sign a BAA, but it remains up to the healthcare organization itself to architect the solution for HIPAA compliance: restricting sharing permissions, enforcing multi-factor authentication, and regularly monitoring user accounts and devices to ensure that unauthorized individuals are not accessing ePHI.
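What "architecting the solution yourself" looks like on one of the generalist providers named above, as an added example rather than code from this page or from any vendor: a small audit of an Amazon S3 bucket policy that flags a public-read grant and checks for the Deny statements that enforce encryption in transit, encryption at rest, and MFA before deletion. The bucket name, account ID, role name and both policy documents are constructed for illustration; the condition keys (aws:SecureTransport, s3:x-amz-server-side-encryption, aws:MultiFactorAuthPresent) are real IAM keys.

```python
"""Audit an S3 bucket policy for controls a covered entity must configure itself.

Added example; constructed policy documents, not from the original page or AWS.
The four checks are illustrative, not a complete HIPAA Security Rule control set.
"""
from typing import Any, Optional


def _as_list(value: Any) -> list:
    """IAM policy JSON allows a bare string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _condition_has(cond: dict, key: str, value: Optional[str] = None) -> bool:
    """True if any Condition operator names `key` (and, if given, `value`)."""
    for operands in (cond or {}).values():
        for k, v in operands.items():
            if k.lower() != key.lower():
                continue
            if value is None or value.lower() in [str(x).lower() for x in _as_list(v)]:
                return True
    return False


def _is_public_principal(principal: Any) -> bool:
    """Principal '*' or {"AWS": "*"} grants to anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_bucket_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means all four checks passed."""
    public_allow = deny_plaintext = deny_unencrypted = mfa_for_delete = False
    for st in _as_list(policy.get("Statement", [])):
        effect = st.get("Effect")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        cond = st.get("Condition", {})
        if effect == "Allow" and _is_public_principal(st.get("Principal")):
            public_allow = True
        if effect == "Deny":
            if _condition_has(cond, "aws:SecureTransport", "false"):
                deny_plaintext = True
            if any(a in ("s3:putobject", "s3:*") for a in actions) and \
                    _condition_has(cond, "s3:x-amz-server-side-encryption"):
                deny_unencrypted = True
            if any(a in ("s3:deleteobject", "s3:deleteobjectversion", "s3:*") for a in actions) and \
                    _condition_has(cond, "aws:MultiFactorAuthPresent", "false"):
                mfa_for_delete = True
    findings = []
    if public_allow:
        findings.append("Allow statement grants access to Principal '*' (ePHI readable by anyone)")
    if not deny_plaintext:
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP transfers permitted)")
    if not deny_unencrypted:
        findings.append("no Deny of PutObject lacking s3:x-amz-server-side-encryption")
    if not mfa_for_delete:
        findings.append("no Deny of DeleteObject when aws:MultiFactorAuthPresent=false")
    return findings


BUCKET = "arn:aws:s3:::example-ephi-backups"  # constructed name

# Constructed: the "just make the backup job work" policy seen on generalist storage.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    ],
}

# Constructed: the same bucket with the safeguards the BAA leaves to the customer.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": BUCKET + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"], "Resource": BUCKET + "/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "BackupRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ephi-backup"},  # constructed
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(pol) or "no findings")
```

The weak policy produces four findings and the hardened one none. A policy-level check like this complements, rather than replaces, account-level settings such as S3 Block Public Access and default bucket encryption, and it says nothing about the monitoring of user accounts and devices that the paragraph also assigns to the covered entity.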

Importantly, certain popular cloud storage providers, including Apple and WeTransfer, will not sign a BAA with covered entities, so they must not be used to store or share ePHI.

The most sensible solution is to utilize the services of a HIPAA compliant cloud storage specialist. 

At Central Data Storage, we don’t just offer software, storage and backup with UnisonBDR; we provide full, round-the-clock service, data storage support and ongoing guidance on best practices for HIPAA compliance.

More than just being a HIPAA compliant cloud storage provider, we pride ourselves on developing true partnerships with the businesses we work with. 

We help our clients develop policies, procedures, training programs and disaster recovery plans so that their whole business is in full compliance with HIPAA, while our HIPAA compliant cloud storage and file sharing solutions keep your data safe and secure.

Talk to us here at Central Data Storage to access a trial of UnisonBDR. Call 1-888-907-1227 or email info@centraldatastorage.com.  


January 26, 2021


