
Which Cloud Storage Services are HIPAA Compliant?

As computer hard drives fill up, behavioral health professionals are beginning to wonder which companies to trust with their client and patient information. Many data storage companies have developed robust services that clearly state their status with regard to HIPAA compliance. This article, then, is about several such companies, and a couple more that fail to pass muster.

While it is always possible to buy an external hard drive for your excess data, cloud storage offers several advantages, including the ability to reach your data anywhere, anytime, and from any device. Another big advantage of cloud storage with a proper service is that the provider helps you protect your information from theft, corruption, and loss of availability. The provider should also offer you the legal protection of a Business Associate Agreement (BAA) to safeguard Protected Health Information (PHI) if you are a covered entity, and even if you are not.

See my earlier blog posts about the many states that require privacy and security of client and patient data beyond what HIPAA requires. Related HIPAA rules also impose a few other requirements that concern your policies and practices, not just the standards for the technology you might purchase. Read below.

Companies that Claim to Offer HIPAA Compliant Services

  • Amazon – Amazon S3 is not HIPAA compliant out of the box, but Amazon Web Services (AWS) can be used to build HIPAA-compliant cloud storage. Amazon will sign a BAA and provides dedicated servers for PHI workloads, but you have to configure the environment yourself. Amazon publishes a white paper with directions for building HIPAA-compliant information-processing systems in the cloud; it focuses on two sections of HIPAA, the Privacy Rule and the Security Rule, and on how to encrypt and otherwise protect your data.
  • BackBlaze – A backup service that lets you restore a single file, a folder, or everything you have backed up from a web browser at no extra charge; for an additional fee Backblaze will FedEx you a 128 GB flash drive or an external drive of up to 3 TB. You can also reach your files from the iPhone app. See their security page. Mac users will be happy to note that the software is available for Mac and iOS. Note that this entry describes backup and recovery features, not a BAA; confirm that a BAA is on offer before storing PHI there.
  • Box – Box states that it meets the obligations of HIPAA, HITECH, and the final HIPAA Omnibus Rule, and it signs BAA addenda for customers on an Enterprise or Elite account. As with several other services in this group, the customer is responsible for configuring Box in a HIPAA-compliant manner and for enforcing the organizational policies HIPAA requires. Box publishes details of its HIPAA and HITECH compliance.
  • Carbonite ProPlan – Carbonite's business tier, for organizations that need backup for an unlimited number of computers together with HIPAA compliance.
  • CareCloud – Uses secure data centers in multiple locations, protected by armed security personnel. Storing your data in more than one place removes the single point of failure that makes a natural disaster, theft, or sabotage catastrophic for availability; it does not by itself protect confidentiality. See their security information.
  • Crashplan – CrashPlan PRO has an easy-to-use desktop client and encrypts files with Blowfish using a 448-bit key, the longest key that cipher supports. Files are encrypted before they leave your computer, and the transfer to CrashPlan's servers is additionally protected with 128-bit AES on the connection (AES is a cipher, not a protocol; the transport layer uses it).
  • Egnyte – Egnyte's Enterprise product is aimed at businesses seeking HIPAA compliance, and Egnyte is willing to sign a BAA.
  • Google Drive – As of September 2013, Google Apps for Business lets a domain administrator sign a BAA covering Gmail, Google Drive, Google Calendar, and Google Vault. Compliance is not as simple as opening an account on one of these services: the domain administrator must disable the Google services the BAA does not cover and enforce appropriate password and access policies, after which Google Drive can be used as HIPAA-compliant cloud storage.
  • Symform – Focused on backup and disaster recovery, Symform is another enterprise cloud storage service that will sign a BAA and claims HIPAA compliance. Their site links to several white papers.
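The AWS entry above says the customer has to do the configuration. Here is what the two most basic controls look like for an S3 bucket that will hold PHI, written up as a small Go program added to this post for illustration (it is not code from Amazon's white paper or from any vendor listed here): a bucket policy that denies plaintext HTTP requests and denies uploads that do not request server-side encryption with KMS, beside the permissive policy many buckets start with, plus a checker you can run over an existing policy document. The bucket name `example-phi-bucket`, the account ID and role name, and both policy documents are constructed for the example; the condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption` are the real ones AWS evaluates. The checker only looks for those conditions in Deny statements; it does not model the rest of IAM policy evaluation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// WeakPolicy is a constructed example of the policy many buckets start with:
// it grants a role access but says nothing about transport or encryption, so
// PHI can be fetched over plain HTTP and stored unencrypted.
const WeakPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-phi-bucket/*"}
  ]
}`

// HardenedPolicy keeps that grant and adds three Deny statements. The first
// rejects any request that did not arrive over TLS. The other two together
// reject PutObject calls that do not ask for SSE-KMS: StringNotEquals catches
// a wrong header value, Null catches a request that omits the header.
const HardenedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}`

// statement models only the fields the check reads; json.Unmarshal ignores
// the rest (Principal, Action, Resource).
type statement struct {
	Sid       string                            `json:"Sid"`
	Effect    string                            `json:"Effect"`
	Condition map[string]map[string]interface{} `json:"Condition"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// hasDeny reports whether some Deny statement carries a condition with the
// given operator and key, e.g. ("Bool", "aws:SecureTransport"). Indexing a
// nil map is safe in Go, so a statement with no Condition simply does not match.
func hasDeny(p policy, operator, key string) bool {
	for _, s := range p.Statement {
		if s.Effect != "Deny" {
			continue
		}
		if _, ok := s.Condition[operator][key]; ok {
			return true
		}
	}
	return false
}

// CheckBucketPolicy parses a bucket policy document and returns the controls
// it lacks; an empty result means both controls are present.
func CheckBucketPolicy(doc []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("bucket policy is not valid JSON: %w", err)
	}
	var missing []string
	if !hasDeny(p, "Bool", "aws:SecureTransport") {
		missing = append(missing, "no Deny when aws:SecureTransport is false: plaintext HTTP is allowed")
	}
	if !hasDeny(p, "StringNotEquals", "s3:x-amz-server-side-encryption") ||
		!hasDeny(p, "Null", "s3:x-amz-server-side-encryption") {
		missing = append(missing, "no Deny for PutObject without SSE-KMS (needs both StringNotEquals and Null)")
	}
	return missing, nil
}

func main() {
	for _, doc := range []struct{ name, body string }{{"weak", WeakPolicy}, {"hardened", HardenedPolicy}} {
		missing, err := CheckBucketPolicy([]byte(doc.body))
		if err != nil {
			fmt.Println(doc.name, "error:", err)
			continue
		}
		fmt.Printf("%s policy: %d missing control(s) %v\n", doc.name, len(missing), missing)
	}
}
```

Run it and the weak policy reports two missing controls while the hardened one reports none. The bucket policy is the enforcement half; the other half is turning on default bucket encryption with your KMS key and server access logging, so that the audit-control requirement in the Security Rule has something to audit. The same checker can be pointed at the output of `aws s3api get-bucket-policy` for every bucket that is in scope of your BAA.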

What about DropBox and iCloud?

  • iCloud – Apple refuses to sign a BAA, so PHI stored in iCloud is not covered by the protections HIPAA requires of a business associate, and storing it there does not meet your obligations. This service might be useful for storing
  • Dropbox – Dropbox is not HIPAA compliant. Keep in mind that a file name can itself be PHI (a patient's name or a diagnosis in the title), and Dropbox keeps metadata, including file names, outside the encryption it applies to file contents, so the name is exposed even when the contents are not. Dropbox also does not offer the audit controls the Security Rule requires (45 CFR 164.312(b)). Strictly speaking, the Security Rule lists encryption as an "addressable" specification rather than an absolute requirement, but a covered entity that decides not to encrypt must document why and what it did instead, and unencrypted PHI that is lost or exposed is a reportable breach; in practice that makes encryption of the contents, and of any name or metadata that identifies a patient, the only sensible choice.

What Else?

HIPAA also makes it clear that your obligations as a covered entity do not stop at selecting an appropriate service. The HIPAA Omnibus Rule of January 2013 confirms that even with a signed BAA, the burden of securing your data remains with you, even when it is hosted at a HIPAA-compliant cloud storage provider. You must also comply with any state requirements that go beyond HIPAA; HIPAA preempts only state law that is less protective, so the stricter rule applies. Several states have such requirements, including California, Texas, and other "consumer protection" states in the US, and many countries outside the US have comparable laws.

Encryption has to cover each stage of the data's path. HIPAA itself names no algorithm or key length; HHS guidance points to the NIST standards (SP 800-111 for data at rest, SP 800-52 for TLS in transit), and PHI encrypted to those standards is exempt from breach notification if it is lost or stolen. In the US that means:

  • Uploads to your storage server(s) must travel over an encrypted connection.
  • While on the storage server, your data must be encrypted at rest.
  • Retrieval or removal of data from the cloud must also travel over an encrypted connection.
  • Data downloaded from the cloud must stay encrypted on the device it lands on.
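The list above amounts to "encrypted in transit in both directions and encrypted at rest at both ends." The most robust way to meet the at-rest requirement on the provider's side, and to close the file-name exposure described under Dropbox above, is to encrypt both the contents and the name on your own machine before upload, so the provider (and any notification it sends) only ever holds opaque blobs. The Go program below is an added illustration of that approach, not code from any vendor on this page: it uses AES-256-GCM from the Go standard library, a random key that stays with you, and a fresh random nonce per object. The file name and contents in it are constructed samples. TLS on the connection is still needed on top of this, and key management (where the key is stored and backed up, who can use it) is the part no code snippet solves.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit AES key. It never leaves your organization;
// losing it means losing the data, so back it up under your own controls.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under a fresh random 96-bit nonce,
// prefixed to the ciphertext so each blob is self-contained. label ("name" or
// "body") is authenticated as associated data so the two kinds cannot be swapped.
func seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// unseal reverses seal and fails if the blob was modified, truncated, or
// sealed under a different key or label.
func unseal(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

// EncryptedObject is what actually goes to the provider: an opaque name and an
// opaque body, so neither its metadata index nor a notification e-mail can
// reveal the patient's name or the record contents.
type EncryptedObject struct {
	Name string // base64url(nonce || AES-GCM(filename))
	Body []byte // nonce || AES-GCM(contents)
}

// EncryptForUpload encrypts both the file name and its contents.
func EncryptForUpload(key []byte, filename string, contents []byte) (EncryptedObject, error) {
	name, err := seal(key, []byte(filename), "name")
	if err != nil {
		return EncryptedObject{}, err
	}
	body, err := seal(key, contents, "body")
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{Name: base64.RawURLEncoding.EncodeToString(name), Body: body}, nil
}

// DecryptAfterDownload recovers the original name and contents, or reports
// which part failed authentication.
func DecryptAfterDownload(key []byte, obj EncryptedObject) (string, []byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(obj.Name)
	if err != nil {
		return "", nil, err
	}
	name, err := unseal(key, raw, "name")
	if err != nil {
		return "", nil, fmt.Errorf("file name: %w", err)
	}
	body, err := unseal(key, obj.Body, "body")
	if err != nil {
		return "", nil, fmt.Errorf("contents: %w", err)
	}
	return string(name), body, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample: the file name alone identifies a patient.
	obj, _ := EncryptForUpload(key, "jane-doe-intake-2013-09-12.pdf", []byte("(constructed record contents)"))
	fmt.Printf("store as %q, %d bytes\n", obj.Name, len(obj.Body))
	name, body, err := DecryptAfterDownload(key, obj)
	fmt.Printf("restored %q, %d bytes, err=%v\n", name, len(body), err)
}
```

Run it and the stored name comes out as a random-looking token; anyone who reads the provider's metadata or the upload notification learns only that something was stored. GCM also rejects any blob that has been altered, so a corrupted or tampered download fails loudly instead of yielding a plausible-looking record. Random 96-bit nonces are safe for a large but not unlimited number of objects under one key; a per-file key wrapped by a master key removes that limit and lets you revoke individual files.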

How can you go wrong?

This is an area where what you don't know can hurt you. HIPAA requires that you know what you are doing and that you conduct regular risk assessments; the Security Rule calls for a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)). The Office for Civil Rights and the Office of the National Coordinator for Health IT have released a free tool to help you assess this risk. See our TMHI blog post about this risk assessment tool. Ignorance is not a defense.

Let's say you store files with one of the popular storage companies and opt in to an e-mail notification when a file has been transferred or stored. That notice usually carries the file name, and sometimes a preview or a share link. If it lands in an unencrypted mailbox and the file name or preview contains PHI (a patient's name, for instance), you have created a disclosure path that the provider's BAA does not cover. Small vulnerabilities like this are how HIPAA violations get created inadvertently.

As we teach in our Certificate training program, as the covered entity, you need to be in compliance with HIPAA on many fronts, including the services you buy, how you assess your risk, and the HIPAA policies you develop.

More Information?

To see more information about video-based services and their HIPAA compliance, see these other TMHI posts:

If you know of other cloud storage services for health care professionals, please list them below. Your comments and questions are always invited.



35 comments on “Which Cloud Storage Services are HIPAA Compliant?”

  1. Hello,
    Very nice post providing very useful information about cloud storage and HIPAA security systems. I want to add one more name to your list as I found it very useful for users: http://strato-comp.com. They provide the best services at the best price.

    Thanks…

  2. Finding a HIPAA compliant service that provides security solutions allowing your organization to meet all your goals around HIPAA compliance is highly important and necessary. To ensure that you are completely in compliance with HIPAA, I would suggest going with Logicworks’ cloud computing solutions. Logicworks (www.logicworks.net) provides a perfect complement for the range of qualitative security and compliance concerns faced in the healthcare industry.

    • Tanya,

      We’ll look into your suggestion, but could you tell us what you found particularly useful with Logicworks?

      • Well, there is a range of reasons I find Logicworks Compliant Cloud Hosting useful. Personally, I like Logicworks for the security they provide, the fact that it allows me to meet HIPAA compliance, and for storing and sharing data. They have been around for many years, so they have the reliability and security I was looking for as well. When you check out Logicworks I am sure you will find them a great pick as well for HIPAA compliant cloud hosting (www.logicworks.net/technology/compliance/hipaa-compliant-hosting )

  3. Hi Marlene,

    Thanks for this informative article! I also wanted to call your attention to Sookasa (https://www.sookasa.com/), which enables HIPAA-compliant use of Dropbox. Sookasa preserves the native Dropbox interface, making it extremely easy to use, and encrypts data at the file-level, so sensitive PHI is protected on the cloud and on all connected devices. It’s even safe if, say, a physician wanted to download something to his device. Sookasa also has a number of other compliance features, such as user and device blocking, audit trails, and more.

    Thanks,
    Chelsea

    • Thank you for letting us know about this service. Its availability with DropBox certainly makes it worth investigating.

      • Any update on your thoughts about Sookasa? Need simple solution for about 8 users. Most of these users are out in the field and are not very computer literate, so need simple like dropbox integration.

  4. Hi Dr. Maheu,

    Thanks for the great resource. It’d be great if you could consider adding TrueVault to your list: https://www.truevault.com

    TrueVault is a HIPAA compliant API and cloud data store that makes HIPAA compliance easy for healthcare applications.

    Thank you!

  5. In addition, Microsoft Azure platform has been providing HIPAA BAA to its business associates. In terms of how you would form a BAA, just ask any sales representative at Azure to generate one. I asked Azure support people to do this for me and they were unable to help, but the sales side is very well trained to understand the BAA.

  6. FYI – Crashplan Pro is not HIPAA compliant. Their enterprise product–PROe–is. Different infrastructure, different pricing, different implementation on the clientside.

  7. The previous post by Scott raises an important point. A very important component of HIPAA compliance is whether a BAA is in place among all the parties involved. With many services that advertise HIPAA compliance there is a caveat that, unless you are an enterprise customer, they do not offer to enter into a BAA; therefore, if you are a small-time developer or vendor, that can significantly limit your ability to claim compliance to your own customers even if you are storing data on one of these services.

  8. ” Dropbox is not HIPAA compliant. A close reading of HIPAA will show that it requires all aspects of a PHI file — even the name, which can potentially hold identifying information — be encrypted and private. Dropbox as a company has policies which render it non-compliant with HIPAA in a number of areas. For instance, DropBox keeps “metadata,” which includes the file name, rendering it insecure. HIPAA also requires audit controls, which DropBox does not offer.”

    I can’t comment about Dropbox, but I don’t think this assertion about filenames is correct. I don’t think HIPAA holds any requirements over data that doesn’t contain PHI; ergo if you don’t store PHI (or a code or derivative bit of information that could reasonably lead back to the disclosure of PHI) in fields and locations like filenames, this wouldn’t be an issue.

    I leave open the possibility that I could be wrong about this, but I’ve been studying the OCR guidance and the relevant sections in CFR and haven’t yet seen this requirement. If I’m wrong, could you please point out the requirement with a citation to validate it?

  9. Hi Dr. Maheu,

    Great list of vendors, I know it’s tough to stay updated on a constantly changing market.

    Paubox (www.paubox.com) is another HIPAA compliant cloud storage and email encryption solution to add to the list. BAAs are available with paid accounts.

    Thanks!

  10. Update on CrashPlan – PROe is the only CrashPlan product that is HIPAA compliant. Must pay a one-time $1000 set-up fee. Then, regardless of the number of users/servers, must pay for 5 users at $120 each/year.

  11. File hosting allows them instant web access to the file, and team members can make edits and adjustments, then re-upload and notify everyone of the changes made. After having all these tools I hope you will bear the palm in the competition. The time zones may vary since this service can be from anywhere all over the world.

  12. Thank you for letting us know about this service. Its availability with DropBox certainly makes it worth investigating.

    • The problem is that Dropbox interacts with the data and will not sign a BAA. Sookasa and other encryption apps offer better protections for data, but this does not make keeping ePHI on a cloud server like DropBox HIPAA compliant.

  13. I would also like to add a provider to your list. Sync.com is a HIPAA compliant cloud storage provider that my company chose because they were willing to sign a BAA.
