Healthcare organizations are embracing the many advantages of cloud computing, including its scalability, cost-efficiency, and flexibility. While the cloud makes file storage and sharing easy and convenient, its security risks are numerous enough to have given rise to the CASB category. Before implementing a solution, however, it’s important to understand how industry regulations impact cloud adoption — and what to look for when selecting a cloud-storage service provider. For healthcare organizations, HIPAA-HITECH compliance can be a major deciding factor.
We’ve compiled the top 5 most popular cloud storage services that are HIPAA compliant. Before we go into those, let’s first take a look at how HIPAA-HITECH applies to cloud storage software.
Why HIPAA applies to cloud storage
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting the privacy of sensitive patient information. Covered entities under the law include healthcare plans, health care clearinghouses and certain types of healthcare providers.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA’s requirements to business associates. A business associate is any service provider who has access to the protected health information (PHI) of a covered entity. This also includes subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate, including cloud providers.
In addition to extending the law to cover business associates, the HITECH Act dramatically increased HIPAA penalties. Pre-HITECH penalties were limited to $100 per violation and a maximum of $25,000 for “identical violations of the same provision” in the same calendar year. The new penalties have a tiered structure between $100 and $50,000 per violation based on “increasing levels of culpability” and a maximum of $1.5 million for identical violations per year.
The Department of Health and Human Services’ Office of Civil Rights Management (OCR), which is responsible for HIPAA enforcement, has stepped up its efforts once HITECH amplified the consequences of HIPAA non-compliance. Both the number of settlements and the average fines have been growing since 2012.
The number of OCR settlements in the first eight months of 2016 are already double those of 2014, even with four months still left in the year. Of the 10 settlements announced through the end of August, six were larger than $1 million, and the average of the 10 was over $2 million. OCR also settled the largest fine to date, $5.5 million, with Advocate Health Care, in 2016. The fine stemmed from three separate breach incidents affecting a total of 4 million people.
In addition, in 2016 OCR levied its first fine against a business associate. Catholic Health Care Services, which provides management and information technology services to skilled nursing facilities, paid a $650,000 fine after PHI was compromised when a company-issued iPhone was stolen. The iPhone was not encrypted and did not have a password lock.
HIPAA’s impact on cloud adoption
The HITECH Act added a notification requirement — covered entities and business associates must notify OCR after a breach of unsecured PHI affecting more than 500 individuals. OCR’s breach database shows that a large number of the reported breaches stem from stolen or lost laptops, mobile devices, and portable media such as thumb drives. A properly executed cloud environment can solve the challenge of securing those endpoints.
A cloud storage service becomes a business associate if they stores PHI on behalf of a healthcare organization, and thus the service must be HIPAA-compliant. The law protects not only the privacy of the data but also its integrity and accessibility. HIPAA’s Security Rule, which addresses electronic PHI, includes physical and technical safeguards such as audit controls and access controls, as well as administrative safeguards such as data backups and security incident procedures.
In addition, cloud-storage services must sign a business associate agreement (BAA) with the healthcare organization that stipulates the vendor’s compliance with HIPAA requirements. Many of OCR’s settlements include lack of properly executed BAAs among the violations.
In 2015, OCR settled with St. Elizabeth’s Medical Center for $218,400 after investigating a complaint that the organization’s employees used an internet-based document sharing application to store ePHI without analyzing the risk of that practice. “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” OCR Director Jocelyn Samuels said in announcing the settlement.
5 cloud storage services that are HIPAA-compliant
HIPAA does not prescribe specific methods or tools for how to secure data; however, encryption is encouraged as a best practice. Breached data is not considered unsecured if the PHI “is rendered unusable, unreadable or indecipherable to unauthorized individuals.” According to HIPAA guidance by the Department of Health and Human Services (DHHS), encryption processes that follow NIST (National Institute of Standards and Technology) criteria meet the above requirement.
Some cloud services, including iCloud, don’t provide BAAs, while others don’t encrypt data both at rest and in transit. Some services, such as Amazon S3, are not HIPAA compliant out-of-the-box but can be configured with some customization.
The following cloud storage services offer HIPAA support that include BAAs and encryption of data in transit and at rest:
The company announced support of HIPAA and HITECH Act compliance in November 2015. It now provides BAAs for Dropbox Business customers. Administrative controls include review and removal of linked devices, user access, user activity reports, and enabling two-step authentication.
The business version costs $12.50 per month per user, starting with five users. It includes unlimited storage and file recovery, Office 365 integration, advanced collaboration tools, system alerts and granular permissions.
Having added HIPAA/HITECH support in 2013, Box has been actively marketing to healthcare customers. BAAs are provided for enterprise accounts. Features include access monitoring, reporting and audit trail for users and content, and granular file authorizations.
Box integrations include Office 365, DocuSign, Salesforce, and Google, among others. It also allows for securely viewing DICOM files (for X-rays, CT scans and ultrasounds) and for securely sharing data through a direct messaging protocol.
Google offers a BAA for Google Apps for Work customers. Covered apps include Docs, Sheets, Slides, and Forms as well as several other services such as Gmail. (Some core and all non-core apps from the Google App family are excluded.) Administrative controls include account activity and app activity tracking, audits, and file-sharing permissions.
Google Apps for Work offers two plans. At $5 per user per month, it includes 30GB of storage space. The $10 per user per month plan has unlimited storage (or 1TB per user if fewer than five users) and several advanced features such as additional administrative controls, audit and reporting for Drive, and Google Vault for eDiscovery.
Microsoft supports HIPAA/HITECH by offering BAAs for enterprise cloud services, and it has some of the best security practices in the industry. The security features are the most robust at the Enterprise E5 level, which costs $35 per user per month.
Enterprise E5 includes 1TB of file storage and sharing, advanced security management for assessing risk and gaining insights into threats and advance eDiscovery.
BAAs are provided for Carbonite for Office customers. Safeguards include offsite backup for disaster recovery; compliance with the Massachusetts Data Security Regulation, which the company says is widely accepted as the most stringent data protection in the country; and data encryption both in the cloud and on the local endpoint (as well as in transition).
Three office plans are offered, ranging from $269.99 to $1,299.99 per year. The first two tiers include 250GB of storage and the ultimate version has 500GB; additional storage packs can be purchased with all plans.
Your vendor’s HIPAA certification is not enough
The fact that a cloud storage provider offers BAAs, specific administrative and security controls, and encryption may not, in and of itself, make a healthcare organization HIPAA compliant by default.
This is how Microsoft explains it: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
HIPAA covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. Ultimately, the covered entity or business associate is the one responsible for making sure all it’s regulatory mandates are being followed.
Making sure the PHI is encrypted in the cloud is only the first basic step. OCR also places an emphasis on risk assessment and management. Prior to adopting any new cloud service, organizations should conduct a comprehensive risk assessment and ensure policies, processes, and technology are in place to mitigate risks. To learn more about how to implement a HIPAA compliance program, download a HIPAA and HITECH Cloud Compliance Cheat Sheet.