What you should know about HIPAA Compliant Cloud Storage



Choosing a cloud storage vendor (CSV) isn’t the easiest task. In addition to pricing and basic Terms of Service, there are other variables to compare when searching for a HIPAA-compliant cloud. If you’re a developer whose product contains personal health data, and you are doing business in the US, you must choose a cloud storage vendor that is fully compliant with HIPAA, the primary US law protecting the privacy and security of health data.

Most importantly, developers who deploy health-related apps must become HIPAA compliant themselves. And some cloud storage vendors will help facilitate your own HIPAA compliance in various ways, while others do not. This is a critical distinction, as the vendor you choose can help make your own HIPAA compliance far easier — if they are set up to do so.

So what is a HIPAA compliant cloud storage vendor, and what do they do that other cloud storage providers do not?

Because of recent changes to HIPAA in the HITECH Act, as of 2013, cloud storage vendors who handle health data are considered “Business Associates” (BAs) under HIPAA. This means that, while CSVs obviously do not treat medical patients or generate new health data, they do process, store, transmit and receive “protected health information”, or “PHI” as HIPAA defines it. Because their customers store PHI on their systems, CSVs must fulfill virtually all of HIPAA’s compliance requirements.

For a CSV, being fully compliant with HIPAA means the vendor has implemented everything that the HIPAA Rules and Regulations require. The vendor must also be able to document their compliance to various third parties, such as customers like you, or HIPAA’s enforcer, the HHS Office for Civil Rights (OCR). So what are the compliance duties for CSVs under HIPAA, and how do they create a HIPAA-compliant cloud?

HIPAA compliance requirements for cloud storage vendors mirror those of other HIPAA Business Associates, and fall into three general categories, called Administrative, Physical and Technical Safeguards.

  • Administrative Safeguards — include risk assessment; specific policies and procedures; workforce training; emergency and disaster response plans; login monitoring; protection from malware; and password management. These are primarily processes that provide strong data governance and oversight.
  • Physical Safeguards — include appropriate data backup and storage; media disposal and re-use processes; physical security for facilities and infrastructure; and contingency operations options. These are generally things and systems that help protect data.
  • Technical Safeguards — include unique user IDs; automatic logoffs; encryption and decryption (for data in motion and at rest); authentication for PHI; audit controls; emergency access procedures; and data integrity controls. These are mostly technologies that help maximize data protection and minimize risk.

HIPAA compliant cloud storage is available, but not all CSVs offer a HIPAA-compliant cloud. It takes extra work, time and investment for a vendor to implement full HIPAA compliance. One of the key elements that distinguishes HIPAA compliant cloud storage is the vendor’s willingness to sign a so-called Business Associate Agreement (BAA). BAAs are a specific type of legal contract between parties who process, transmit, or receive PHI. Many of the terms in BAAs are required to be there, and the HIPAA Regulations are quite specific on these. Other terms are sometimes added to or deleted from BAAs, which HIPAA generally permits, as long as the additions or deletions do not contradict HIPAA’s overall requirements.

When you ask a CSV about their “Business Associate Agreements”, vendors of HIPAA-compliant cloud services should immediately understand what you mean. They should also be willing to sign BAAs with their customers. If they don’t understand what the term means, or they are hesitant to sign a BAA, look for a different vendor.

Feel free to ask for evidence of HIPAA compliance. Legitimate, fully compliant CSVs should be willing to share copies of their HIPAA-required policies and other documents that show how they have complied.

Ask the cloud storage vendors you’re evaluating what they do to facilitate your own HIPAA compliance, as a customer of theirs. Do they provide HIPAA policy templates for your use? Do they provide reliable guidance and advice on compliance? Do they understand Breach Notification? How familiar with HIPAA and its requirements are they really? Most cloud providers fall short on HIPAA knowledge and compliance extras, so it pays to shop around carefully.

Most important of all, understand that your own HIPAA compliance, for your company or app, will depend in part on the full HIPAA compliance of your cloud storage vendor. The health data in your apps and systems will reside on their systems. Be sure you understand exactly what kinds of HIPAA compliance benefits come with each vendor’s offerings. And finally, be sure your cloud storage vendor is fully compliant, so you can be as well.
