As far back as July 2014, according to Forbes, 83% of healthcare organizations were already using cloud-based healthcare apps. Fast-forward to 2021, and IT leaders report that cloud-based software is in wide use among medical researchers, who rely on the cloud to manage data sets of more than 100 terabytes. The healthcare cloud computing market is currently valued at nearly $18 billion and is expected to grow by about 19% by 2025.
What Makes Cloud Computing Perfect for the Healthcare Industry?
Right out of the gate, healthcare professionals and IT executives will happily exalt cloud computing for its scalability, cost-efficiency, and flexibility. Following are a few additional reasons that healthcare leaders are relying on the cloud at an ever-accelerating rate:
- Continual Updates – With cloud hosting and cloud storage, updates are made centrally and distributed to users in a controlled fashion from the test site.
- Secure Exchange of Electronic Data – As doctors, medical centers, and healthcare systems across the U.S. rely more heavily on cloud apps and telehealth platforms, handling patient data in compliance with HIPAA regulations becomes simpler on the cloud.
- Low Cost to Entry – Healthcare organizations benefit from cheaper startup costs and save on purchasing and maintaining their own hardware and infrastructure.
- Option of Integrated Business Continuity – Physical security and disaster recovery become far less worrisome for IT professionals when everything is stored in the cloud.
- Savings on valuable resources like physical space and employee time.
HIPAA-Compliance for Cloud Storage Is Essential
Doctors and medical researchers may focus on entering, transmitting, and retrieving data, but IT professionals need to always think several steps ahead in terms of data security and compliance. Operating a medical practice requires selecting a hosting provider that understands HIPAA standards to ensure all healthcare information is kept secure and patient data remains confidential.
“May a HIPAA covered entity or business associate use a cloud service to store or process ePHI? Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules…. A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs.” – “Guidance on HIPAA & Cloud Computing” published by HHS.
4 Best HIPAA-Compliant Cloud Storage Services in 2021
If your healthcare, or healthcare-related, organization is ready to adopt cloud storage, you may need some ideas on where to start. Our team has found the most trusted cloud storage services with a focus on HIPAA compliance. They are relied on by industry leaders because they follow best practices when it comes to Business Associate Agreements (BAAs), offer the most space for your fees, and provide the best encryption:
Google Cloud Drive
Starting in 2013, Google began signing BAAs covering Gmail, Google Drive, Google Calendar, and Google Vault, or “the G Suite.” With this savvy move, Google Cloud Drive is now HIPAA-compliant and receiving rave reviews from industry pros.
“G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied,” explains the HIPAA Journal.
Microsoft
Microsoft is at the forefront when it comes to supporting HIPAA-HITECH, offering BAAs for enterprise cloud services and signing agreements for mail, file storage, and calendars. Microsoft is renowned for offering some of the most effective security tools in the industry.
“Microsoft, when it provides services, including cloud services, to covered entities, enters into contracts to ensure that those business associates will adequately protect PHI. These contracts, or BAAs, clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, Microsoft customers (covered entities) can use its services to process and store PHI,” explains Microsoft.
Amazon S3
Amazon S3 gives you a quick guide on how to configure HIPAA-compliant cloud storage for Amazon Web Services (AWS) and offers to sign a BAA. It is the trusted CSP for some of the top brands in healthcare and the life sciences.
“In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule,” states AWS on its compliance page.
Box
Box offers stellar encryption and security, is happy to sign a BAA, and actively markets to healthcare customers.
“The Box platform and associated products have been compliant with HIPAA, HITECH, and the final HIPAA Omnibus rule since November 2012. All PHI stored in Box is secured in accordance with HIPAA, and Box signs BAAs with all clients who plan to store PHI in the cloud. Box continuously updates products, policies, and procedures to ensure continuous HIPAA compliance,” according to Box for Healthcare.
7 Questions to Ask Your HIPAA Hosting Provider
Hiring the wrong provider could lead to misuse, mishandling, and theft of information, as well as fines levied against your company. Before hiring a hosting provider, here are 7 essential questions to ask to ensure they will be HIPAA compliant:
What Are Your HIPAA-Compliant Hosting Services and How Do They Differ from Standard Managed Services?
This question should be at the top of your list as you want to know how the hosting provider structures HIPAA-compliant services. You don’t want to hire a hosting provider that proposes standard managed cloud services for health-related businesses. When sensitive patient health information is involved, comprehensive HIPAA-compliant hosting services are required.
Can I See Evidence of Your HIPAA Compliance Measures?
The HIPAA hosting provider should be knowledgeable about current technologies and hold certifications that demonstrate its hosting services match its clients’ compliance needs. If the hosting provider can’t provide any HIPAA audit attestations or compliance certifications that include HIPAA, this should be a deal breaker.
Do You Offer Your Clients a Business Associate Agreement?
A business associate agreement (BAA) sets out in writing how the provider may use health information, how it must store it, and how it must handle it once the contract ends. It also outlines what safeguards are in place to prevent a data breach. A BAA should also define the service agreement the hosting provider will have with your business.
If the provider does not offer an agreement, the agreement is confusing to read, or it does not clearly describe the services provided, it’s an indication that the CSP is not ready to manage your data.
How Do You Ensure Regulatory Compliance?
There is currently no standard HIPAA compliance attestation. So, you will need to find out what types of audit reports they provide, such as SSAE 16 Type II, HITRUST CSF, NIST, or SOC 2 Type II. This will also tell you how they will help with your annual auditing tasks, whether they have a dedicated security staff, and whether their staff hold CISSP certifications.
Does the Cloud Hosting Provider Have an Incident Response Process?
The incident response process describes how the CSP handles any type of security breach or attack on its IT systems. It should outline the steps the hosting provider will take to discover a breach, identify the cause, and remediate potential damage. The incident response plan should also establish a timeframe for how long it will take to recover from a data breach and how their systems will function in case of an outage.
Have You Ever Experienced a Data Breach?
Pay close attention to how the hosting provider answers this question. It doesn’t have to be a deal breaker if the company has experienced a breach. What is important is how they recovered from it and the additional safeguards and processes that were put into place to prevent the incident from happening again.
Do You Have a Dedicated HIPAA Compliance Officer?
Covered entities and business associates are required to appoint a HIPAA compliance officer (HCO) to oversee the implementation of privacy and security measures for PHI handled in the cloud. This role can be filled internally by your organization, but it can also be covered by the CSP. The appointed HCO must complete training and become certified. If the cloud service provider has a certified HCO, this is a good sign that it takes HIPAA compliance seriously.
Learn More About Staying HIPAA-HITECH Compliant in the Cloud
If you still have questions about the best cloud storage service providers and how to maintain solid HIPAA compliance, I.S. Partners, LLC can help.