How to make sure your cloud storage is secure and HIPAA compliant, including why you need a Business Associate Agreement (BAA) in place to protect your PHI
There can be no doubt that the cloud is taking off in healthcare in a big way. In fact, according to the latest market research report from Technavio, the global HIPAA compliant cloud data storage market is expected to grow by $25.54 billion between 2020 and 2024, accelerating at a CAGR of nearly 23%, with 40% of the growth coming from North America.
It’s hardly surprising.
The advantages of cloud computing are undeniable, allowing healthcare organizations to easily store and access data and utilize a multitude of business-enhancing apps and services from any location at any time.
However, while there is no doubt that the cloud makes things like file storage and sharing easy and convenient, there are a number of security issues and industry regulations that healthcare providers need to take into account before adopting a solution.
What is HIPAA Compliant Cloud Data Storage?
When it comes to healthcare, providers can’t simply pick any cloud storage service to hold patient data. Specifically, you need cloud storage that complies with the Health Insurance Portability and Accountability Act, or HIPAA.
HIPAA is a 1996 US federal law. Through its Privacy Rule and Security Rule, it governs how health plans, healthcare clearinghouses and healthcare providers (and, since the HITECH Act of 2009, their business associates) may use, disclose and protect individually identifiable health information, and it regulates how that information may be shared with parties outside the organization. When this information is stored or transmitted electronically it is referred to as electronic protected health information (ePHI).
The Cost of Non-Compliance
HIPAA violations can be costly.
Under the legislation, every covered entity and every business associate is responsible for adequately safeguarding the protected health information (PHI) of patients and for securing all electronic records. Failure to do so can lead to substantial civil money penalties from the Department of Health and Human Services’ Office for Civil Rights (OCR), tiered by level of culpability: up to $50,000 per violation, with an annual cap of $1.5 million for identical violations (both figures are adjusted for inflation each year).
In 2019 alone, the OCR collected $15.2 million in fines and settlements for HIPAA violations. The figure is likely to be lower this year, because OCR has announced that it will exercise enforcement discretion for certain good-faith activities (such as telehealth over non-public-facing apps) during the COVID-19 public health emergency. That discretion is narrow and temporary, however: it does not suspend the Security Rule, and normal enforcement will resume in due course along with everything else.
This means that selecting a HIPAA-compliant cloud storage service provider is as important now as it’s ever been.
The reason is that HIPAA doesn’t just cover healthcare practitioners themselves, but their “business associates” as well.
A business associate is any person or organization that creates, receives, maintains or transmits PHI on behalf of a “covered entity” (covered entities being healthcare providers, health plans and clearinghouses). A cloud storage provider that holds PHI for a covered entity therefore meets this definition and is a HIPAA business associate. HHS guidance is explicit that this is true even for a “no-view” service in which the provider stores only encrypted ePHI and never holds the decryption key.
How to Make Sure You’re Covered by a HIPAA-Compliant Cloud Data Storage Provider
The long and the short of it is that, as a HIPAA covered entity, any cloud storage provider you use becomes your business associate the moment it stores PHI on your behalf. The service therefore MUST be HIPAA-compliant.
Not every cloud storage service provider is HIPAA-compliant, however. It is up to you to avoid breaking the law, and putting your business and your patients’ PHI at risk, by selecting one that is.
Business Associate Agreements
The Department of Health & Human Services (HHS) stipulates that a HIPAA covered entity may use a cloud service provider (CSP) to store or process PHI, provided the entity “enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining or transmitting electronic protected health information (ePHI) on its behalf and otherwise complies with the HIPAA rules.”
Specifically, the BAA “contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.”
HIPAA’s Security Rule (45 CFR Part 164, Subpart C) requires administrative, physical and technical safeguards that ensure the confidentiality, integrity and availability of patients’ ePHI.
In practice, this means that both covered entities and their business associates must deploy safeguards such as data backup and disaster recovery (so that ePHI can be restored after a ransomware attack or other emergency), access controls that restrict ePHI to authorized users under unique user IDs, audit controls that record and allow review of activity on systems holding ePHI, and transmission security for ePHI sent over networks.
HIPAA does not mandate specific technologies, and encryption of ePHI is an “addressable” implementation specification rather than a required one: a covered entity must assess whether it is reasonable and appropriate and, if it chooses not to encrypt, document why and implement an equivalent alternative. In practice, though, encryption is strongly encouraged, because it renders PHI unreadable and therefore unusable to anyone without the key.
It also has a concrete benefit under the Breach Notification Rule: HHS guidance specifies that ePHI encrypted in line with NIST recommendations (NIST SP 800-111 for data at rest, and NIST-validated protocols such as TLS for data in transit) is not “unsecured PHI”, so its loss does not trigger breach notification. For cloud storage this means encrypting data both in transit and at rest, with the keys managed as carefully as the data.
A HIPAA-compliant cloud storage service provider will implement these safeguards, i.e. incorporate the necessary tools, policies, encryption, procedures and controls, to support compliance with the Security Rule. Even so, a signed BAA must be in place with the business associate before any HIPAA-covered data is uploaded to the cloud. In other words, any cloud storage service provider that is not prepared to sign a business associate agreement is out of bounds for HIPAA-covered businesses.
Some popular consumer cloud storage services, including Apple’s iCloud, will not sign BAAs with HIPAA covered entities and so should not be used for PHI.
Others, such as Amazon Web Services (AWS), will sign a BAA, but a BAA does not make a deployment compliant on its own. Under the provider’s shared-responsibility model only designated HIPAA-eligible services are covered by the BAA, and configuring them correctly (encryption, access control, logging, backup) remains the customer’s job. So, even though such services can be configured to meet the standard, caution must be exercised.
It is absolutely imperative that you get a signed BAA from the provider and that they agree to implement the appropriate HIPAA-compliant controls and safeguards to secure any PHI data uploaded to the platform.
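The configuration work described above falls on the covered entity, and it is worth verifying rather than assuming. Below is an added example (not code from the original article, from Central Data Storage or from AWS) of an offline checker for the customer-side settings of an S3 bucket intended to hold ePHI: default encryption at rest, blocked public access, versioning for recoverability, server access logging for audit controls, and a bucket policy that rejects requests not made over TLS. It takes dictionaries shaped like the responses of the corresponding boto3 S3 calls, so it runs without AWS credentials. The bucket names, key ARN and both sample configurations are constructed for illustration, and requiring SSE-KMS specifically (rather than any server-side encryption) is a policy choice of this example.

```python
"""Added example: offline checker for the customer-side settings of an S3
bucket meant to hold ePHI. Not from the original article or from any vendor."""
import json

# All four PublicAccessBlockConfiguration flags must be on.
PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM policy documents allow a string or a list in Action/Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_plaintext_transport(statement: dict) -> bool:
    """True if this policy statement denies every S3 request made without TLS.

    The usual form is Effect=Deny, Action=s3:*, Condition
    {"Bool": {"aws:SecureTransport": "false"}}. One statement is judged on its
    own here; a full IAM policy evaluator is out of scope for the example.
    """
    if statement.get("Effect") != "Deny":
        return False
    if not any(a in ("s3:*", "*") for a in _as_list(statement.get("Action"))):
        return False
    flags = _as_list(statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
    return len(flags) == 1 and str(flags[0]).lower() == "false"


def evaluate_bucket(cfg: dict) -> list:
    """Return findings for one bucket; an empty list means every check passed.

    cfg holds the raw responses of five boto3 S3 calls, keyed as:
      encryption          -> get_bucket_encryption (None if the call raised
                             ServerSideEncryptionConfigurationNotFoundError)
      public_access_block -> get_public_access_block
      versioning          -> get_bucket_versioning
      logging             -> get_bucket_logging
      policy              -> get_bucket_policy (None if NoSuchBucketPolicy)
    """
    findings = []

    # Encryption at rest. This checker insists on SSE-KMS rather than SSE-S3
    # (a policy choice of this example): a KMS key gives a CloudTrail record of
    # every decrypt and lets the key policy restrict who can read the data.
    enc = cfg.get("encryption") or {}
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules]
    if "aws:kms" not in algorithms:
        findings.append("default encryption is not SSE-KMS (found: %s)" % (algorithms or "none"))

    # Public access: every block setting must be enabled.
    pab = cfg.get("public_access_block", {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PUBLIC_ACCESS_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block incomplete, off: %s" % ", ".join(missing))

    # Recoverability: versioning keeps prior object versions, so an overwrite or
    # ransomware-style re-encryption of objects can be rolled back.
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")

    # Audit controls: server access logging records every request to the bucket.
    if not cfg.get("logging", {}).get("LoggingEnabled"):
        findings.append("server access logging not enabled")

    # Encryption in transit: a bucket policy must reject non-TLS requests.
    policy = cfg.get("policy") or {}
    doc = json.loads(policy["Policy"]) if policy.get("Policy") else {}
    if not any(denies_plaintext_transport(s) for s in _as_list(doc.get("Statement"))):
        findings.append("no bucket policy statement denying aws:SecureTransport=false")

    return findings


# Constructed sample configurations (not real AWS account data).
UNHARDENED_BUCKET = {
    "encryption": None,
    "public_access_block": {"PublicAccessBlockConfiguration": {f: False for f in PUBLIC_ACCESS_FLAGS}},
    "versioning": {},  # never enabled: the response carries no Status key
    "logging": {},
    "policy": None,
}

HARDENED_BUCKET = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        "BucketKeyEnabled": True,
    }]}},
    "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS}},
    "versioning": {"Status": "Enabled"},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-audit-logs", "TargetPrefix": "phi-bucket/"}},
    "policy": {"Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    })},
}

if __name__ == "__main__":
    for name, cfg in (("unhardened", UNHARDENED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, evaluate_bucket(cfg) or ["OK"])
```

In real use, populate each entry from the named boto3 call (map the not-found exceptions to None) and run the check from a CI job or a scheduled audit so a regression surfaces before an auditor finds it. Passing is necessary, not sufficient: the check says nothing about which IAM principals can reach the bucket, the KMS key policy, or whether CloudTrail is retaining the resulting records.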
Safe, Secure Cloud Data Backup and Storage – UnisonBDR!
By far the best solution for all HIPAA-compliant businesses is to utilize the cloud storage services of a provider specialized in HIPAA compliance.
Central Data Storage (and UnisonBDR) is the provider you’ve been looking for.
What makes us stand out from the competition is that all of our products are HIPAA-compliant by design and have been purposefully built to help you meet all requirements mandated in the legislation. UnisonBDR is designed specifically for backup and recovery that gets your business back up and running within 24 hours after a disaster.
We have BAAs in place and are approved by third-party auditors as 100% compliant with HIPAA, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act, the EU’s General Data Protection Regulation (GDPR) and State Laws.
What’s more, our 448-bit end-to-end encryption exceeds military-grade standards to ensure your data remains protected from outside threats, both in transit and at rest in our highly-secure private cloud.
With unlimited storage capacity, dual authentication, and ransomware recovery, UnisonBDR ensures that your data is always safe, fully protected and recoverable and that you can take full advantage of secure cloud storage while remaining in full compliance with HIPAA and other regulatory requirements.
Want to learn more about the benefits of our fully-supported cloud backup and recovery solution, UnisonBDR? Just call 1-888-907-1227 or email firstname.lastname@example.org