HIPAA Compliant Cloud Computing Platforms

Users can limit who accesses protected health information (PHI) and monitor how PHI is used. Dropbox also provides recommendations upon request for users looking to make their business accounts HIPAA compliant.

Google Drive is part of G Suite, which has TLS (Transport Layer Security) encryption to protect PHI. To adhere to HIPAA-compliant procedures, Google Drive users will need to sign a BAA and disable file sharing and syncing. The BAA does not apply to third-party apps that connect with G Suite, so an additional BAA from that app provider is required to meet HIPAA compliance standards. Google will sign a BAA with healthcare companies that use G Suite but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA is a HIPAA violation. Healthcare companies have embraced G Suite because of its robust security features and low cost. Setting up a HIPAA-compliant Gmail account Simply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly. Here are the steps to ensure Gmail is HIPAA compliant:

OneDrive is a cloud storage solution provided by Microsoft. As cloud storage is often used to store and transmit Electronic Patient Health Information, covered entities should rely on cloud storage solutions that can become HIPAA compliant. OneDrive can be HIPAA compliant if the organization takes the proper steps. The business associate agreement is an essential part of making any software solution HIPAA compliant. This agreement states how the parties handle the Electronic Patient Health Information (ePHI) will adhere to HIPAA. Without a signed BAA agreement, no technology solution can be considered HIPAA compliant but Microsoft provides that. In addition, Exchange Administrator Access Tracking can be turned on so the user can know which administrators have accessed which data. As a result, OneDrive fullfills the access control obligation quite sufficently.

Privacy settings for each Google Doc should be configured so that they cannot be viewed unless a user has permission. Titles shouldn’t contain any patient information. Link-sharing and automatic file syncing aren’t allowed for HIPAA compliance. Additional precautions are recommended, such as backing up Google Docs data.

Amazon supports HIPAA-compliant administrative processes and controls. Covered entities and business associates using AWS need to get training on how to properly configure AWS settings.

Box checks all the boxes for HIPAA compliance. It ensures documents containing sensitive information and PHI are safely stored in the cloud by using numerous security features, including access monitoring, two-factor verification, reporting and audit trails, and data encryption. Box also provides access control, uses a strict logical system, and restricts access to its servers and customer data files.

Carbonite uses internal privacy and security provisions to safeguard medical information. These services support HIPAA requirements, as long as healthcare customers sign a Business Associate Agreement.HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite meets this standard through real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Twenty-four-hour security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system.Additionally, Carbonite restricts access to software programs, allowing only authorized employees access. When a customer needs to dispose of data, authorized individuals wipe the drive, then complete a full write of the drive and a full read to ensure it is blank.Carbonite uses vendors that maintain HIPAA-compliant practices, ensuring the same privacy standards for all Carbonite services.You must have a Carbonite Safe Pro subscription for HIPAA compliance. The BAA provides contractual assurances that Carbonite understands and implements strategies for safeguarding PHI. Carbonite Safe Pro also gives administrators access to view user activity and logins.Since HIPAA regulations can be challenging to navigate, Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA compliant.

iCloud provides cloud-based storage solutions, with security protections for both data storage and transfer. Authentication controls and access management are necessary for cloud services to be HIPAA-compliant. A healthcare provider must be able to monitor who accessed the data and what the user does with the information. iCloud’s controls meet the minimum HIPAA requirements, but that doesn’t mean that the service is HIPAA compliant.Even though strong access and authentication features are part of iCloud, the services it provides classify Apple as a business associate. When healthcare providers use cloud services with patient health information (PHI), business associates must sign a BAA.Apple will not sign a BAA with healthcare organizations. The terms and conditions clearly state that HIPAA-covered entities shouldn’t use iCloud for sharing, storing, or transmitting PHI. Using this service for PHI is a violation of HIPAA rules.

RingCentral is a HIPAA-compliant option that healthcare organizations can use to transmit and store patient health information because it takes a proactive approach in ensuring privacy and safety for all communications as a cloud service provider.The service boasts a “seven layers of security” approach to securing data that transfers through their services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.Available HIPAA security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information is secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have state of the art security protocols with onsite guards and electronic prevention systems.Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in a HIPAA-compliant manner.When a healthcare organization uses these services with patient health information, RingCentral is classified as a business associate. Therefore, healthcare organizations using RingCentral services must obtain a signed business associate agreement (BAA). RingCentral offers its own BAA, which customers can obtain by contacting their personal representative.

23andMe has stated that it is not HIPAA compliant because the Health Insurance Portability and Accountability Act (HIPAA) only applies to healthcare organizations and providers, such as physicians, insurance companies, hospitals, and applicable business associates. HIPAA doesn’t apply to private genetic testing and genealogy services, such as 23andMe and other similar businesses. These services aren’t considered covered entities.Current HIPAA privacy laws were in place before genetic privacy became a concern. HIPAA laws don’t protect personal data shared with genealogy testing providers. The collection of genetic information gives 23andMe more sensitive information than a healthcare provider or a doctor. Unfortunately, HIPAA doesn’t hold these genetic testing services to the same standard of confidentiality as covered entities.Few restrictions are in place outside of HIPAA to protect genetic data. For example, the government might access genetic information in private or public databases if national security is at risk. Individuals who contribute DNA to 23andMe could face law enforcement scrutiny if a relative’s genetic data provides probable cause in a criminal investigation. (23andMe only releases clients’ information to law enforcement upon receipt of a court order).23andMe also collects other information through social media and real-time tracking of online activity. The company uses this data for marketing. It also shares customer information for research, as long as customers consent to participate in its research efforts.

Backblaze offers crucial security features for cloud backups, such as encryption for file transmission and data at rest. Customers can specify their own private encryption keys, adding another layer of security for data privacy.In addition to proactive monitoring of all systems, Backblaze hires third parties to test the system’s security. Before accessing private data, the service requires account verification. Two-factor verification is available to prevent unauthorized access to the account.These privacy features align with HIPAA requirements, but the company website doesn’t offer much information about HIPAA compliance. It appears that HIPAA compliance is available only for customers on the B2 Cloud Storage plan.Backblaze will sign a business associate agreement (BAA) upon customer request. To access a signed BAA, customers must contact Backblaze support and provide information about the amount of data storage and the number of online backup licenses required.

IDrive offers online backup services that covered entities can use for protected health information (PHI). Both digital and physical security maintain the confidentiality of patient information.Encryption is a critical feature for ensuring that your backup cloud software is HIPAA compliant, and it’s available through IDrive. Data encryption and secure transmission help to prevent unauthorized access to individually identifiable health records. If someone hacks the offsite server, encryption protects the files from access and use.IDrive’s world-class data center uses modern technology, including SOC approved data protection, to prevent the unauthorized use of data. Physical safeguards, administrative procedures, and technical security manage access to the data center and vaults.Additionally, IDrive provides features to protect against human error. The True Archiving service means that data always remains on the IDrive account until you perform an archive cleanup or manually delete the files from the archive. On the desktop application, users have 30 days to restore files from the trash.Customers using this service for PHI must have an IDrive Business account, which allows for unlimited computers and users.IDrive will sign a business associate agreement (BAA) for covered entities.