Have you heard the horror stories? A celebrity’s personal pictures are stolen from the cloud and distributed online. A Fortune 500 company’s cloud storage is hacked and data from thousands of customers sold.
While some industries may just get a slap on the wrist for this type of breach, in healthcare the stakes are much higher. HIPAA violations cost a lot of money, and the damage a hacker can do with patient information is incalculable.
If your organization is HIPAA compliant, you don’t just need to keep your cloud data safe. It has to be HIPAA safe. What does that mean?
The Health Information Technology for Economic and Clinical Health Act (HITECH) clarified how healthcare providers need to secure electronic protected health information (PHI). This law also ensures that regulations stay current with quickly advancing technologies like cloud storage.
HITECH states that healthcare providers aren’t the only ones who need to stay compliant. In fact, any storage services and apps you use have to meet HIPAA security guidelines as well.
According to the law, your cloud storage service has to provide you with a business associate agreement (BAA) stating that they’re HIPAA compliant.
Not every cloud storage service is up to the challenge. As a rule, a HITECH-compliant cloud storage service has to provide you with
- A permission-based system that limits access by unauthorized users
- Access monitoring
- Audit trails
- Strong data encryption during data upload, download, and storage
- Administrative controls
- Third-party integrations for HIPAA-compliant apps
While the HIPAA-compliant cloud storage service is responsible for providing these tools, it’s still up to you as a healthcare provider to set up these tools and use them properly. To make your decision easier, let’s look at seven of the best HIPAA-compliant cloud storage services.
10 of the top HIPAA-compliant cloud storage solutions
HIPAA-Compliant Cloud Storage Solutions
Dropbox is a mainstay of the cloud storage industry. But you can’t just sign up for a standard Dropbox account and start transferring PHI. You need a business account to get HIPAA-compliant storage through Dropbox.
Dropbox’s business service is HITECH and HIPAA compliant. It will cost your practice a nominal $12.50 a month for five users. Dropbox offers what they refer to as a “robust ecosystem” of third-party apps that you can integrate directly into your HIPAA-compliant cloud storage to enhance functionality and efficiency. Jotform’s HIPAA-compliant form-building service can be fully integrated into your Dropbox account.
When choosing third-party apps, you’ll need to evaluate each app’s compliance. Third-party apps aren’t included in your BAA and some may not be safe to use. So check first.
As a bonus, Dropbox also offers unlimited data storage and document recovery services.
2. Google Drive
To use Google Drive as your HIPAA-compliant cloud storage solution, first, you have to request a BAA from the company under your G Suite account. This BAA will cover many common Google Cloud programs like Docs, Sheets, and Slides. But it will exclude some applications that haven’t been deemed HIPAA compliant.
With Google Drive, you’ll have full control over audits and tier permission structures to help you protect PHI.
You’ll pay $5 for one user for the 30 GB plan. This tier will allow you to store quite a bit of data. If you outgrow the 30 GB plan, you can always upgrade to unlimited storage for $10 per user per month.
3. Microsoft OneDrive
If you have enterprise cloud services through OneDrive, you can request a BAA. Microsoft also offers a few tiers of security — the most expensive costs $35 per month. This tier lets you benefit from state-of-the-art security solutions and easily integrates with organizations that already use Microsoft’s full suite of products.
“Way back” in 2005, before most people had heard of the cloud, Carbonite was offering small businesses and individuals a safe way to store files online. Today more than 1.5 million customers use their cloud services. Carbonite offers off-site backup and additional disaster recovery services that truly set it apart. Carbonite also has very strict safety protocols.
Instead of paying a monthly fee per user, you’ll pay for an annual plan for your organization. Plans start at $269.99 per year and can cost $1,299.99 per year for large organizations.
Box is a lesser-known HIPAA-compliant cloud storage service that’s positioned itself as the right solution for healthcare providers. It offers access monitoring and audit trails so that you can verify what data was accessed, when it was accessed, and who accessed it.
Like other cloud storage services, Box integrates with Salesforce, Jotform, Google, and other useful applications for a seamless user experience across platforms without jeopardizing PHI security. As an added benefit, you can easily and securely view DICOM files (such as x-rays, ultrasounds, and CTs).
SpiderOak protects against a wide range of cyber attacks. Standing out among its competitors with its “No Knowledge” policy, even SpiderOak’s staff doesn’t know what’s in your data. In order to provide the highest level of security, SpiderOak One Backup stores all data in encrypted form. The data is encrypted on your device before going to cloud storage. SpiderOak will provide a BAA upon request.
A free 21-day trial is available for One Backup. Paid plans have four tiers depending on the storage size. The lowest tier costs $6 per month for 150 GB of storage, whereas the 5 TB plan costs $29 per month. The price drops if you purchase the product for at least a year.
As a tech colossus, Amazon offers a great deal of credibility and sophistication in the cloud storage business. Amazon Web Services (AWS) provides data storage and transfer through secure and durable networks. You can store and back up your medical data with different AWS products depending on the type of data.
AWS provides guidance on how to manage and configure HIPAA-compliant cloud storage, which can be helpful for beginners. You can encrypt your patient health information (PHI) on both ends — the client side and the server side. Amazon will also sign a BAA with your healthcare organization.
With its flexible payment plan, AWS provides pay-as-you-go services. You don’t need to commit to a long-term contract. Pricing varies depending on tier, region, and storage size.
Acronis is an award-winning data storage and protection solution that uses automated, AI-based anti-malware tech to ensure client security. Acronis offers the following HIPAA-compliant cloud storage solutions:
- Acronis Cyber Protect Cloud with Enhanced Security mode enabled
- Acronis Cyber Backup Cloud as part of Acronis Cyber Cloud
- Acronis Cyber Files Cloud as part of Acronis Cyber Cloud
- Acronis Cyber Protect 15 Advanced with Acronis Cloud Storage subscription
- Acronis Cyber Backup Advanced 12.5 with Acronis Cloud Storage subscription
- Acronis Disaster Recovery 1.0
Compliance can vary depending on the Acronis product’s function and the data center you’re using for your data; clarify with your account manager or contact email@example.com to confirm that your configuration is HIPAA-compliant. Acronis will sign a BAA as a business associate or subcontractor with existing customers or together with a master agreement or product purchase.
While Backblaze itself isn’t a covered entity, many of its clients are HIPAA compliant and can request a BAA from the support team. Its multistep encryption for transferring and storing data ensures client protection, and it offers private encryption keys for extra security.
With unlimited data packages starting at $70 per year, Backblaze is an affordable and reliable data storage solution for small to medium-sized organizations that don’t want to sacrifice security for budget-friendly options.
One of the leading HIPAA-compliant digital storage solutions in the U.S., Atlantic.Net has over 25 years of experience and is trusted by the world’s leading universities as well as healthcare, biotech, and life science companies, including Harvard University, Purdue University, and the American Lung Association, among others.
Atlantic.Net is SOC 2 and SOC 3 certified and is audited by “qualified, independent third-party firms” in addition to HIPAA and HITECH audits to ensure the top security and protection for clients. The company will sign a BAA.
Keeping your cloud storage HIPAA compliant
By choosing a reputable cloud storage provider, checking the permissions of your third-party apps, gathering patient data with HIPAA-compliant forms, and making good use of audit trails, you can ensure that your cloud storage doesn’t conflict with HIPAA standards.