Cloud storage HIPAA compliance requires some smart preparation and security work. The computing industry is moving to a cloud-centric model, and one of the significant trends is moving business data storage into the cloud. In many cases, cloud storage is more convenient, flexible, and cost-effective than maintaining your own physical hardware and storage resources – and the staff to manage them. But moving your data into cloud storage brings with it a new set of risks. Is the cloud storage used by your organization HIPAA compliant? Is it a secure storage location for PHI? Does your organization have a HIPAA Business Associate Agreement with the cloud storage provider? Are unauthorized, personal cloud storage accounts being used to transmit or store PHI?
With the right policies, configurations, and agreements in place, your organization may benefit from using cloud storage. Here are a couple of critical best practices to consider for cloud storage HIPAA compliance.
Personal Cloud Storage and HIPAA Compliance
No matter what your organization is doing about business cloud storage, make sure that nobody is using a personal cloud storage account when PHI may be involved. At the very least, establish a policy prohibiting the use of personal cloud storage for any PHI or business use. Personal cloud storage accounts are free for employees to establish. Often, employees with good intentions may see them as a convenient way to accomplish some work while at home, without considering business risks or compliance issues. Consider also restricting access to personal cloud storage sites using firewall rules.
Sign a Business Associate Agreement with your Cloud Storage Provider
If your organization is thinking about taking advantage of cloud storage, or if you already do so, make sure that you select a cloud storage provider who is well equipped to handle your HIPAA compliance needs and will sign a HIPAA Business Associate Agreement. To help you, we’ve gathered a list of some of the most common cloud storage providers along with whether they offer BAAs to their customers that help you with cloud storage HIPAA compliance. Keep in mind – some of them don’t!
Amazon Web Services
Is a BAA available? Yes, a BAA is available for all AWS accounts.
How do you set up the BAA? Online
Further Reading: (1) HIPAA Compliance; (2) AWS HIPAA Compliance Whitepaper “Architecting for HIPAA Security and Compliance on Amazon Web Services”
Apple iCloud
Is a BAA available? No. Apple does not offer a BAA for iCloud, and the iCloud Terms and Conditions explicitly prohibit the use of iCloud to create, receive, maintain, or transmit PHI.
Further Reading: Apple iCloud Terms and Conditions, Section I, Paragraph C
Box for Business
Is a BAA available? Yes, Box signs BAA addenda with customers who have an Enterprise or Elite account and want to be HIPAA compliant.
How do you set up the BAA? Contact a sales representative.
Further Reading: Box HIPAA and HITECH Overview and FAQs
Citrix ShareFile
Is a BAA available? Yes, ShareFile offers a distinct ShareFile Cloud for Healthcare product which requires users to sign a BAA when signing up. The ShareFile Cloud for Healthcare is a dedicated, secure enclave within a private cloud where customers who use ShareFile to upload and share protected health information (PHI) have that data processed and stored. This private cloud is dedicated to only those customers in industries that process or store confidential information, such as healthcare, insurance, and financial services.
How do you set up the BAA? Online, during signup for ShareFile Cloud for Healthcare
Further Reading: (1) ShareFile for Healthcare; (2) ShareFile Healthcare Cloud
Dropbox Business
Is a BAA available? Yes, a BAA is available for all Business accounts.
How do you set up the BAA? Online
Further Reading: (1) Dropbox Business and HIPAA / HITECH—an overview; (2) Getting started with HIPAA
Egnyte
Is a BAA available? Yes
How do you set up the BAA? Contact the Chief Security Officer
Further Reading: Egnyte HIPAA Business Associate Agreement
G Suite (Formerly Google Drive for Work)
Is a BAA available? Yes, a BAA is available for G Suite Basic, G Suite for Education, G Suite for Government, G Suite Business, and G Suite Enterprise.
How do you set up the BAA? Online
Further Reading: (1) HIPAA Compliance with G Suite; (2) HIPAA Compliance with G Suite: Opt in to the HIPAA Business Associate Amendment; (3) G Suite HIPAA Business Associate Amendment; (4) HIPAA Compliance with G Suite – G Suite HIPAA Implementation Guide
Microsoft
Is a BAA available? Yes, a HIPAA Business Associate Agreement is available via the Online Services Terms by default to all customers of Microsoft cloud services who are covered entities or business associates under HIPAA. It applies to most major Microsoft services, including Azure, Office 365, SharePoint, OneDrive for Business, and Exchange.
How do you set up the BAA? It is automatically included in the terms of service by default for covered entities or business associates.
Further Reading: (1) HIPAA and the HITECH Act; (2) Microsoft HIPAA Business Associate Agreement
How do you ensure cloud storage HIPAA compliance? In short, establish a business associate agreement with an established cloud storage vendor who pays attention to the HIPAA requirements of healthcare providers and organizations. Prohibit employees from using personal cloud storage accounts for any business use. These two controls will go a long way toward keeping your organization HIPAA compliant and your patient and customer data safe while using cloud storage. You may also like to review our Eagle HIPAA Policy Templates in our download store.