HIPAA-Friendly Cloud Computing Platforms

Users can limit who accesses protected health information (PHI) and monitor how PHI is used. Dropbox also provides recommendations upon request for users looking to make their business accounts HIPAA friendly.

Google Drive is part of G Suite, which has TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider may be required to meet HIPAA compliance standards.Google appears willing to sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA in place is risky.Healthcare companies have embraced G Suite because of its robust security features and low cost.Setting up a HIPAA-compliant Gmail accountSimply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly.

OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit electronic patient health information, covered entities should rely on cloud storage solutions that can be used in a HIPAA-compliant manner. OneDrive can enable HIPAA compliance if the organization takes the proper steps. A business associate agreement is an essential part of making any software solution compatible with HIPAA. This agreement states how the parties handling the electronic patient health information (ePHI) will adhere to HIPAA. Without a signed BAA agreement, no technology solution can be considered HIPAA friendly, but Microsoft does provide a BAA. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive seems to fulfill the access control obligation quite well.

Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Additional precautions are recommended, such as backing up Google Docs data.

Amazon supports HIPAA-compliant administrative processes and controls. Covered entities and business associates using AWS need to get training on how to properly configure AWS settings.

Box appears to check all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption.Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.

According to the platform’s online knowledge base, customers with 25 or more users on a monday.com Enterprise plan have access to features that enable HIPAA compliance. But if a customer changes to a different plan, they will no longer have access to HIPAA compliance features.Customers must accept the conditions of the Business Associate Agreement (BAA) and configure their account for HIPAA. The full BAA for HIPAA compliance is online, with step-by-step instructions on how to complete it.

Carbonite uses internal privacy and security provisions to safeguard medical information.HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite provides real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system. Additionally, Carbonite restricts access to software programs.A Carbonite Safe Pro subscription offers HIPAA compliance features. Carbonite Safe Pro also gives administrators access to view user activity and logins.Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA friendly.

iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to meet HIPAA compliance standards. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls only meet the minimum HIPAA requirements.When healthcare providers use cloud services with protected health information (PHI), business associates must sign a BAA.

RingCentral is an option that healthcare organizations can use to transmit and store patient health information because it appears to take a proactive approach in ensuring privacy and safety for all communications as a cloud service provider.The service boasts a “seven layers of security” approach to securing data that transfers through its services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.Available security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information should be secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have security protocols with onsite guards and electronic prevention systems.Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in line with HIPAA requirements.

Microsoft Azure is a cloud platform of more than 200 products and services. According to the Azure website, its Health Data Services product for protected health information (PHI) meets all regional compliance requirements for HIPAA, GDPR, and CCPA. Azure Health Data Services allows healthcare providers and other users to collect, store, and analyze health data from different sources and in different formats, such as Fast Healthcare Interoperability Resource (FHIR®) and Digital Imaging and Communications in Medicine (DICOM®).Microsoft has stated that Azure enables “the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside Windows Azure core services.” The company provides customers and partners with a Business Associate Agreement (BAA) for Azure. 

On its website, ShareFile states that it has a long history of supporting regulated industries with features that enable HIPAA compliance.The ShareFile Help Center provides an in-depth HIPAA Support document with an overview of user responsibilities and ShareFile’s HIPAA features. The Help Center document also states that ShareFile with HIPAA support is available only with a ShareFile Premium Account. Per the website, customers must sign the ShareFile Business Associate Agreement (BAA). 

Firebase is a Google product. The Support section of the Firebase website addresses HIPAA and Business Associate Agreements, stating that Google doesn’t intend Firebase to be used for protected health information (PHI). The site goes on to state that Google makes no representations that Firebase services satisfy HIPAA requirements. According to the website, if you are or become a business associate as defined by HIPAA, you must not use Firebase “for any purpose or in any manner involving transmitting protected health information to Google unless you have received prior written consent to such use from Google.”

There is no specific mention of HIPAA or Business Associate Agreements on Genius Scan’s website, even on the privacy and security overview page.

Google Workspace offers four plans, one of which is the Business Starter plan. Questions about compliance are addressed in the FAQ section on the Google Workspace main page, not individual plan pages. Google Workspace claims it supports customers’ compliance with HIPAA. Customers who use Google Workspace and its products to process and store PHI will need a Business Associate Agreement (BAA) with Google. The BAA process is detailed in the platform’s online Help Center. The website doesn’t mention the BAA being limited to certain plans. However, when you compare the plans in detail, you can see that the three Business level plans — Starter, Standard, and Plus — are missing several of the security and management functions needed for HIPAA compliance. These functions are available only in the Enterprise plan.

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not apply to consumer curation of health data or other protections related to privacy, security, or minimizing access to PHI. Even though 23andMe receives funding from the National Institutes for Health, 23andMe currently asserts that its data-mining analysis doesn’t constitute research on human subjects under the current version of the Common Rule because it de-identifies the data. This means that 23andMe may take the position that any consent it obtains to retain, use, and share consumer data isn’t necessary for regulatory compliance, but rather is done as a courtesy.

Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about its own HIPAA enablement. It appears that HIPAA features are available only for customers on the B2 Cloud Storage plan.

According to the Egnyte website, the platform’s comprehensive data security enables HIPAA compliance for payer, provider, pharmaceutical, and biomedical businesses.Egnyte states that it will enter into a Business Associate Agreement (BAA) with its customers once they have signed up for Egnyte’s services.There are three plans offered through Egnyte. Storage that enables HIPAA compliance is listed as a feature for all of them. Other features required to support compliance are available on only some of the plans.

There is no mention of HIPAA compliance or Business Associate Agreements (BAA) on the FileZilla website. The extensive Knowledge Base for FileZilla and FileZilla Pro doesn’t mention HIPAA either.Several questions regarding HIPAA compliance have been posted to FileZilla forums, and most answers state that FileZilla does not enable HIPAA compliance.FileZilla apparently supports secure file transfer protocol (SFTP) and file transfer protocol secure (FTPS), but without access controls, audit trails, and signed BAAs, these measures aren’t enough to satisfy HIPAA regulations. 

IDrive offers online backup services that covered entities can use for protected health information (PHI). Both IDrive’s digital and physical security appear to maintain the confidentiality of patient information.Encryption is a critical feature for ensuring that your backup cloud software supports HIPAA compliance. Data encryption and secure transmission help prevent unauthorized access to individually identifiable health records. If someone hacks the offsite server, encryption protects the files from access and use.IDrive’s data center uses modern technology, including SOC-approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.The True Archiving service means that data always remains on the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.

The security & privacy section of the OpenAI website states that the company helps “customers meet regulatory, industry, and contractual requirements like HIPAA”; however, ChatGPT isn’t currently covered by OpenAI’s BAA. According to OpenAI, only API services with “endpoints that are eligible for zero retention are covered” by its BAA. Customers do not have to be on an Enterprise plan to be eligible for OpenAI’s BAA.

Power BI is a Microsoft product. According to a blog on the platform’s website, Power BI was added to the Microsoft Trust Center in April 2016. The Microsoft Trust center is a single point of reference that documents compliance with various regulations. HIPAA and the HITECH Act are spotlighted in the Microsoft Trust Center. As a cloud service provider, Microsoft considers itself a business associate for HIPAA-covered entities: “To support our customers’ compliance with HIPAA when utilizing Microsoft enterprise products and services, Microsoft will enter into Business Associate Agreements with its covered entity and business associate customers.”In the Trust Center, Power BI is listed as an in-scope cloud platform either as a standalone service or included in an Office 365 or Dynamics 365 branded plan or suite.

Rocketbook enables users to upload their handwritten notes to the cloud. In most cases, notes aren’t stored on Rocketbook’s servers. However, this doesn’t mean that the app meets HIPAA requirements.According to its website, Rocketbook does not enable HIPAA compliance. There is currently no mention of Business Associate Agreements (BAA) on the website.

HIPAA compliance is addressed on the ServiceNow website in a 17-page white paper titled “ServiceNow security & HIPAA.” The document can be found under the Industry Resources section in the Trust and Compliance Center. In the white paper, ServiceNow claims to include features that enable healthcare customers to comply with HIPAA privacy and security requirements. As far as Business Associate Agreements are concerned, ServiceNow says it will enter into a BAA “if the covered entity chooses to store ePHI in their instance.” There’s a long list of exceptions outlined in the white paper, and ServiceNow cautions that it “is not a typical business associate.” ServiceNow states that it will not enter into a BAA that requires it to carry out the customer’s obligations under HIPAA. 

Snowflake offers a Healthcare and Life Sciences Data Cloud solution. On its website, Snowflake states that sensitive data can be shared with this solution because it has built-in security and governance that support HIPAA requirements, among several other security protocols. Snowflake offers a free e-book called HIPAA and the Data Warehouse Built for the Cloud to help business associates translate the regulations into technical requirements. A complete look at all Snowflake’s security and compliance reports can be found online as well. 

CrashPlan addresses HIPAA compliance on its homepage, stating that the platform enables HIPAA compliance for business users. The website also states that CrashPlan will sign a Business Associate Agreement (BAA) with users on Professional and Enterprise plans. The Help Center provides information that addresses what users need to do to use CrashPlan in a way that follows HIPAA regulations. It also includes links for users to request BAAs.

There is no mention of HIPAA or Business Associate Agreements (BAAs) on the Eventbrite website. The company’s expansive Security and Safety Guide describes the platform’s security features, as well as the security laws and regulations it strives to comply with, but mention of HIPAA is notably absent as of the date of this post. Despite strong encryption and security, Eventbrite does not appear to meet HIPAA requirements for safeguarding protected health information, at least from what one can presently glean from the company’s website. 

On its website, Hightail states that because of the nature of its business, the platform isn’t subject to HIPAA compliance. However, it also claims that many customers using both its Enterprise and individual accounts use Hightail to securely deliver protected health information (PHI). Examples of these security measures include SSL/TLS and AES 256-bit encryption, forward secrecy, and dynamically scrambled file names. There is no mention of Business Associate Agreements on the Hightail website.

According to Vimeo’s Help Center, its self-serve platform is not HIPAA compliant; therefore, Vimeo advises its users not to upload any material that would fall under HIPAA regulations, even to a private channel.Vimeo states that its platform does offer a solution that enables HIPAA compliance for Enterprise clients and indicates that it is willing to sign Business Associate Agreements with covered entities.

Windows 10 Home does not seem to support HIPAA compliance. As long as Windows 10 Pro is still supported, Microsoft claims that you can use it in a way that enables HIPAA compliance. There is no information specifically related to HIPAA or Business Associate Agreements (BAA) on the Windows 10 information page.

According to the platform’s website, Okta’s Identity as a Service (IDaaS) cell for HIPAA is specifically designed to help service providers meet HIPAA requirements. Okta requires customers to sign a Business Associate Agreement (BAA) prior to storing HIPAA-related information.

Rackspace calls its platform HIPAA ready. The platform claims to be HITRUST CSF Certified, which includes a framework to meet HIPAA requirements. The Rackspace Healthcare Cloud data sheet states that the company will enter into Business Associate Agreements (BAA) with customers. 

Windows Server 2008 is a product no longer supported by Microsoft. Some extended security updates were released, but the last one expired in January 2024. When Windows Server 2008 appears in searches, there is no further information shared regarding HIPAA or Business Associate Agreements (BAA).