Have you heard the horror stories? A celebrity’s personal pictures are stolen from the cloud and distributed online. A Fortune 500 company’s cloud storage is hacked and data from thousands of customers sold.
While some industries may just get a slap on the wrist for this type of breach, in healthcare the stakes are much higher. HIPAA violations cost a lot of money, and the damage a hacker can do with patient information is incalculable.
If your organization is HIPAA compliant, you don’t just need to keep your cloud data safe. It has to be HIPAA safe. What does that mean?
The laws that affect HIPAA-compliant cloud storage
The Health Information Technology for Economic and Clinical Health Act (HITECH) clarified how healthcare providers need to secure electronic protected health information (PHI). This law also ensures that regulations stay current with quickly advancing technologies like cloud storage.
HITECH states that healthcare providers aren’t the only ones who need to stay compliant. In fact, any storage services and apps you use have to meet HIPAA security guidelines as well.
According to the law, your cloud storage service has to provide you with a business associate agreement (BAA) stating that they’re HIPAA compliant.
Not every cloud storage service is up to the challenge. As a rule, a HITECH-compliant cloud storage service has to provide you with
- A permission-based system that limits access by unauthorized users
- Access monitoring
- Audit trails
- Strong data encryption during data upload, download, and storage
- Administrative controls
- Third-party integrations for HIPAA-compliant apps
While the HIPAA-compliant cloud storage service is responsible for providing these tools, it’s still up to you as a healthcare provider to set up these tools and use them properly. To make your decision easier, let’s look at five of the best HIPAA-compliant cloud storage services.
HIPAA-Compliant Cloud Storage Solutions
Dropbox is a mainstay of the cloud storage industry. But you can’t just sign up for a standard Dropbox account and start transferring PHI. You need a business account to get HIPAA-compliant storage through Dropbox.
Dropbox’s business service is HITECH and HIPAA compliant. It will cost your practice a nominal $12.50 a month for five users. Dropbox offers what they refer to as a “robust ecosystem” of third-party apps that you can integrate directly into your HIPAA-compliant cloud storage to enhance functionality and efficiency. JotForm’s HIPAA-compliant form-building service can be fully integrated into your Dropbox account.
When choosing third-party apps, you’ll need to evaluate each app’s compliance. Third-party apps aren’t included in your BAA and some may not be safe to use. So check first.
As a bonus, Dropbox also offers unlimited data storage and document recovery services.
2. Google Drive
To use Google Drive as your HIPAA-compliant cloud storage solution, first, you have to request a BAA from the company under your G Suite account. This BAA will cover many common Google Cloud programs like Docs, Sheets, and Slides. But it will exclude some applications that haven’t been deemed HIPAA compliant.
With Google Drive, you’ll have full control over audits and tier permission structures to help you protect PHI.
You’ll pay $5 for one user for the 30 GB plan. This tier will allow you to store quite a bit of data. If you outgrow the 30 GB plan, you can always upgrade to unlimited storage for $10 per user per month.
3. Microsoft OneDrive
If you have enterprise cloud services through OneDrive, you can request a BAA. Microsoft also offers a few tiers of security — the most expensive costs $35 per month. This tier lets you benefit from state-of-the-art security solutions and easily integrates with organizations that already use Microsoft’s full suite of products.
“Way back” in 2005, before most people had heard of the cloud, Carbonite was offering small businesses and individuals a safe way to store files online. Today more than 1.5 million customers use their cloud services. Carbonite offers off-site backup and additional disaster recovery services that truly set it apart. Carbonite also has very strict safety protocols.
Instead of paying a monthly fee per user, you’ll pay for an annual plan for your organization. Plans start at $269.99 per year and can cost $1,299.99 per year for large organizations.
Box is a lesser-known HIPAA-compliant cloud storage service that’s positioned itself as the right solution for healthcare providers. It offers access monitoring and audit trails so that you can verify what data was accessed, when it was accessed, and who accessed it.
Like other cloud storage services, Box integrates with Salesforce, JotForm, Google, and other useful applications for a seamless user experience across platforms without jeopardizing PHI security. As an added benefit, you can easily and securely view DICOM files (such as x-rays, ultrasounds, and CTs).
Keeping your cloud storage HIPAA compliant
By choosing a reputable cloud storage provider, checking the permissions of your third-party apps, and making good use of audit trails, you can ensure that your cloud storage doesn’t conflict with HIPAA compliance standards.