Finding HIPAA compliant cloud storage for your Behavioral Health practice can be a challenge, especially because clear answers about what HIPAA actually requires are hard to come by.
Understanding HIPAA Compliance
HIPAA regulation divides health care organizations into two categories: covered entities and business associates.
Covered entities are organizations such as health care providers, insurance companies, and health care clearinghouses. Covered entities must address the full extent of HIPAA compliance with a robust compliance program to keep protected health information (PHI) private and secure.
Business associates (BAs) are organizations that have been hired to handle PHI over the course of the work they do for a covered entity. There are many different kinds of BAs, running the gamut from EHR providers to medical billing companies. The rule of thumb to remember is that if you share PHI with a vendor, that vendor must be HIPAA compliant.
HIPAA Compliant Cloud Storage
Because cloud storage providers have the potential to handle PHI, they are considered business associates by HIPAA regulation.
That means that if you have a cloud storage provider that you use to house any materials that contain patients’ names, dates of birth, insurance information, addresses, medical records, or any other piece of PHI, you must find a vendor that’s HIPAA compliant.
If you do business with a cloud storage vendor that isn’t HIPAA compliant you could be putting your behavioral health practice at risk in the event of a data breach.
If you’re looking into how to find a HIPAA compliant cloud storage provider, keep these questions in mind:
- Does the provider use end-to-end encryption? End-to-end encryption is a security measure that ensures only the intended user can access the data in question: files are encrypted before they leave your device and can only be decrypted by authorized users, so the storage provider itself cannot read them.
- Does the provider’s service have user and access controls? User and access controls are a HIPAA-mandated security measure that allows you to track who has accessed your data and to set rules for how, when, and where that data can be accessed by authorized staff.
- Does the system have automatic backup? In the event of a ransomware incident or malware attack, your cloud storage provider should have a means of restoring access to files. Automatic backup should be built into the service you choose, and backups should be kept as separate, versioned copies so that an infection that encrypts or deletes your working files cannot also destroy the backups.
Business Associate Agreements
Once you find a HIPAA compliant cloud storage vendor, you need to make sure that you execute a Business Associate Agreement with them as a part of your HIPAA compliance program.
Remember that you must execute your BAAs before you share any health care data. This is as much to protect your patients as it is to protect your practice, and it’s mandated by HIPAA regulation.
A proper Business Associate Agreement protects your organization from liability in the event of a breach that originated with the vendor. Executing one should always be the first step you take when beginning a new business relationship with any vendor that handles PHI in any way, including cloud storage providers.