Maintaining compliance can be a difficult task. Modern information technology (IT) environments have become more diverse and complex. Hybrid cloud solutions are becoming increasingly popular, further complicating compliance efforts. Companies often have infrastructure components spread among different cloud providers and on-premises data centers.
Another issue that affects some smaller healthcare providers is the lack of dedicated IT staff who can focus on implementing the protections required to meet HIPAA guidelines. A small doctor’s office needs to remain HIPAA compliant but may not have the resources available to make that happen. That is not a valid excuse to offer auditors or investigators in the wake of a data breach involving PHI.
Fortunately, there are cloud solutions designed to help small and large organizations comply with HIPAA data protection regulations.
HIPAA Compliant Cloud Solutions
The HIPAA Security Rule mandates that all covered entities conduct a risk assessment of their organization, including cloud deployments, to verify that they are compliant with HIPAA’s administrative, physical, and technical safeguards. While HIPAA does not demand the use of encryption, it is the most effective method of protecting PHI at rest and in transit. Providing end-to-end encryption, full disk encryption, and creating encrypted backups are some of the techniques used by cloud providers to protect PHI.
Cloud vendors who are confident in their HIPAA compliance standing should be willing to sign a business associate agreement (BAA). Providers who are reluctant to sign this type of agreement should not be counted on to furnish the required data safety and privacy safeguards. Their claims of HIPAA-compliant systems may just be marketing doublespeak, leaving the customer in a perilous position regarding compliance. Providers should also be willing to show prospective clients HIPAA certifications and audit assessments.
Following are some of the third-party cloud providers that offer HIPAA-compliant storage systems and services. These companies are all willing to sign a BAA and share responsibility for HIPAA compliance with the customer, known as the covered entity (CE).
- Amazon Web Services has HIPAA-compliant offerings that help healthcare industries process, store, and transmit PHI.
- Microsoft offers multiple services in scope for HIPAA BAA coverage. They include Azure, Azure DevOps, Office 365, and Power BI.
- Google Cloud Services ensures that services covered under their BAA meet HIPAA requirements. These include a wide array of offerings on the Google Cloud Platform (GCP), Google Workspace, and secure communication solutions.
- Dropbox Business can be configured to provide HIPAA-compliant cloud storage. Other features include two-factor authentication and administrative controls including user activity reports.
- Box offers accounts that can share data securely with a direct messaging protocol and enables audit trail functionality for users and content. The platform enables secure remote viewing of medical records.
When working with cloud providers, it is essential to understand that the covered entity remains responsible for ensuring that systems are configured and used appropriately to stay HIPAA compliant. It is the confidentiality of the CE’s patients’ data that is put at risk through customer misconfiguration or misuse.