HIPAA-Friendly Cloud Computing Platforms

Users can limit who accesses protected health information (PHI) and monitor how PHI is used. Dropbox also provides recommendations upon request for users looking to make their business accounts HIPAA friendly.

Google Drive is part of G Suite, which has TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider may be required to meet HIPAA compliance standards.Google appears willing to sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA in place is risky.Healthcare companies have embraced G Suite because of its robust security features and low cost.Setting up a HIPAA-compliant Gmail accountSimply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly.

OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit electronic patient health information, covered entities should rely on cloud storage solutions that can be used in a HIPAA-compliant manner. OneDrive can enable HIPAA compliance if the organization takes the proper steps. A business associate agreement is an essential part of making any software solution compatible with HIPAA. This agreement states how the parties handling the electronic patient health information (ePHI) will adhere to HIPAA. Without a signed BAA agreement, no technology solution can be considered HIPAA friendly, but Microsoft does provide a BAA. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive seems to fulfill the access control obligation quite well.

Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Additional precautions are recommended, such as backing up Google Docs data.

Amazon supports HIPAA-compliant administrative processes and controls. Covered entities and business associates using AWS need to get training on how to properly configure AWS settings.

Box appears to check all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption.Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.

Carbonite uses internal privacy and security provisions to safeguard medical information.HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite provides real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system. Additionally, Carbonite restricts access to software programs.A Carbonite Safe Pro subscription offers HIPAA compliance features. Carbonite Safe Pro also gives administrators access to view user activity and logins.Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA friendly.

iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to meet HIPAA compliance standards. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls only meet the minimum HIPAA requirements.When healthcare providers use cloud services with protected health information (PHI), business associates must sign a BAA.

RingCentral is an option that healthcare organizations can use to transmit and store patient health information because it appears to take a proactive approach in ensuring privacy and safety for all communications as a cloud service provider.The service boasts a “seven layers of security” approach to securing data that transfers through its services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.Available security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information should be secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have security protocols with onsite guards and electronic prevention systems.Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in line with HIPAA requirements.

ShareFile offers HIPAA-friendly tools that allow healthcare providers to exchange data and files with patients and third-party providers. A secure SSL/TLS connection maintains the privacy of protected health information (PHI) in transit. And data at rest is secured with AES 256-bit encryption.These security tools provide bank-level encryption for email, attachments, and files. Healthcare providers can move PHI between local storage and HIPAA cloud storage as needed. Check-in and checkout systems ensure that everyone works on the latest version of a file. Audit controls let administrators see the history of access, including account usage and access to folders and files.Users can create individual accounts tied to unique email addresses; single sign-on is also available. Other HIPAA-related features include session timeout due to inactivity, identity management, and account lockout after five failed attempts.ShareFile integrates with a variety of other tools, including Microsoft Outlook.Mobile apps are available for Android, iOS, and more. Cloud syncing gives users access to current information on all devices. This streamlined healthcare collaboration system also provides e-signature features for digital document signing.HIPAA features are available only for customers with a Premium plan.

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not apply to consumer curation of health data or other protections related to privacy, security, or minimizing access to PHI. Even though 23andMe receives funding from the National Institutes for Health, 23andMe currently asserts that its data-mining analysis doesn’t constitute research on human subjects under the current version of the Common Rule because it de-identifies the data. This means that 23andMe may take the position that any consent it obtains to retain, use, and share consumer data isn’t necessary for regulatory compliance, but rather is done as a courtesy.

Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about its own HIPAA enablement. It appears that HIPAA features are available only for customers on the B2 Cloud Storage plan.

IDrive offers online backup services that covered entities can use for protected health information (PHI). Both IDrive’s digital and physical security appear to maintain the confidentiality of patient information.Encryption is a critical feature for ensuring that your backup cloud software supports HIPAA compliance. Data encryption and secure transmission help prevent unauthorized access to individually identifiable health records. If someone hacks the offsite server, encryption protects the files from access and use.IDrive’s data center uses modern technology, including SOC-approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.The True Archiving service means that data always remains on the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.