The HIPAA compliant cloud services checklist

Healthcare providers who embrace new technologies, such as the cloud, can leverage data and digital tools to deliver better health outcomes. But the rise in cloud services and cloud computing means the need for organizations to ensure all apps are HIPAA compliant.

Related: HIPAA compliant email: The definitive guide

Why it matters

The HIPAA Act considers something as simple as a name as protected health information (PHI). Given that healthcare workers spend a lot of time handling sensitive data, they must defend all PHI from unnecessary use and disclosure.

Here is a checklist to help you assess if your cloud services are HIPAA compliant.

HIPAA and the cloud

The Health Insurance Portability and Accountability Act (HIPAA) is U.S. legislation created to improve healthcare standards. Title II is most associated with the act and establishes PHI and ePHI (electronic PHI) privacy and security standards. The Privacy Rule sets the guidelines for using and disclosing patients' data. And the Security Rule sets the necessary administrative, technical, and physical safeguards to protect PHI/ePHI.

The HIPAA industry is vast, so we understand why healthcare organizations use cloud services for storage, infrastructure/hosting, and/or software and file sharing. Knowing what you need from your cloud (i.e., infrastructure-as-a-service, software-as-a-service, or platform-as-a-service) will tell you what cloud tool to pursue. The cloud offers users more flexibility and convenience but also increases an organization's attack surface.

That is why it is vital to protect a patient's confidentiality in the cloud. Many cloud tools are available, but not all meet HIPAA requirements of encryption, data backup, and access controls. And not all will provide HIPAA assurance through a signed business associate agreement (BAA).

Which cloud tools companies will sign a BAA?

A business associate is a person or entity that performs certain functions or activities that involve PHI. A cloud company would fall into this category, which means that it must sign a BAA. The Privacy Rule allows healthcare providers to disclose PHI if a business associate guarantees it is protected through a BAA.

Related: When should you ask for a business associates agreement?

We've researched the cloud ecosystem to see which companies will sign a BAA and, therefore, may be HIPAA compliant. Cloud companies that will sign (or appear to sign) include:

• Amazon Web Services – infrastructure (many services, see the list here)
• Backblaze – storage
• Box Enterprise and Elite plans – management system
• Dropbox Business – storage, file sharing
• Egnyte Connect – file sharing
• Google Cloud (many services, see list here) – storage, file sharing
• Microsoft OneDrive – storage, file sharing
• Salesforce Health Cloud – file sharing
• Sync.com – storage, file sharing

And we know that Apple and iCloud won't sign a BAA. The list of cloud companies is extensive, and it is ultimately up to every healthcare organization to ensure HIPAA compliance.

The HIPAA compliant cloud security checklist

Cloud technology needs strong protections, given its numerous access points. Moreover, not all are appropriately configured out of the box. Use this checklist to ensure your chosen cloud tools keep you HIPAA compliant.

• Check our list above and ensure your cloud company will sign a BAA, then get the agreement signed.
• Ensure you and the business associate prioritize security controls customized to meet your needs.
• Properly configure your cloud settings to ensure correctly employed cybersecurity. Employ defensive and offensive strategies to block breaches.
• Use the principle of least privilege to classify data into three levels: restricted, internal, and public.
• Block third-party app access where needed using your classification system. Check and recheck file-sharing permissions.
• Obtain written consent from patients to use and disclose any PHI.
• Limit access to authorized staff.
• Train staff in compliance and cybersecurity so they can properly utilize cloud tools and understand the responsibilities, regulations, policies, and procedures.
• Keep log audits and monitor activity to ensure file privacy where needed.
• Develop a breach notification plan for possible inadvertent or deliberate breaches.

And as always, stay on top of changes to HIPAA and other state/federal regulations.

Read more:  Understanding medical record retention requirements by state

Technology use that is smart, safe, and HIPAA compliant

Nowadays, healthcare providers embrace new technologies that leverage data and digital tools to deliver strong patient care. The increase in cloud computing demonstrates just how far healthcare organizations have recently come.

One thing that cannot be forgotten while healthcare access to digital technologies grows is the HIPAA Act. Penalties for breaches can be significant, ranging from $100 to $50,000 per violation. For example, the 2015 Anthem, Inc. breach cost $16 million in HIPAA violations and $115 million from a class-action lawsuit.

But the costs don't stop there. A deliberate or accidental breach could lead to ransom payments, downtime, and angry patients. Avoiding a breach means avoiding such costs and continuing to properly treat patients. Transitioning to a cloud service can be a daunting but worthwhile task. You can ensure safe and happy patients by using a HIPAA compliant checklist like the one above.