What Are HIPAA-Compliant Cloud Storage Providers?
Srividhya Karthik
Oct 10, 2024
Your cloud service provider is HIPAA compliant. But that doesn’t mean you are too!
As a Covered Entity or a Business Associate who uses a HIPAA-compliant cloud to create, receive, maintain, and send protected health information (PHI), your compliance efforts don’t and mustn’t end there.
Using a compliant cloud service provider is a must, but it does not mean your work is done. Your own share of the work still needs to be done.
Touted as one of the most stringent healthcare reforms in the world, the Health Insurance Portability and Accountability Act (HIPAA) is a US federal law.
It requires healthcare organizations, and the vendors with access to their PHI, to implement standard best practices to protect patient data (such as electronic medical records) and other personal health information.
Read on to get a lowdown on what security measures you should implement to ensure the safety of PHI, even on HIPAA-compliant secure cloud storage.
HIPAA Brass Tacks
Before we go any further, let’s quickly understand some standard terms used in the article.
Protected Health Information (PHI): As per HIPAA regulations, PHI is 1) identifiable demographic or genetic information related to health, 2) information on the physical or mental condition of an individual, or 3) payment or financial information related to healthcare.
Covered Entities: Healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically and generate, store, transmit and handle PHI.
Business Associate: Service providers, vendors, and entities that work on behalf of HIPAA-covered entities that involve the use or disclosure of PHI.
What does HIPAA say about Cloud Service Providers?
HIPAA says that Cloud Service Providers (CSPs) that offer their services to a Covered Entity to process and/or store ePHI must be treated as Business Associates under HIPAA.
The CSP remains a Business Associate even when another Business Associate subcontracts the creation, storage, or receipt of ePHI to it.
This holds true even if the CSP processes or stores only encrypted ePHI and doesn’t possess the decryption key.
Not having the encryption key doesn’t exempt a CSP from Business Associate status and obligations therein (under the HIPAA Rules).
Covered Entities and/or Business Associates, therefore, must enter into a Business Associate Agreement (BAA) with the CSP to protect PHI.
This makes the CSP contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.
How to Make Sure Your Data is on HIPAA-Compliant Cloud Storage
It’s one thing to use HIPAA-compliant cloud storage services and another to ensure that access to PHI in the cloud is equally well secured, if not better, from your end.
Large CSPs such as AWS, GCP, and Microsoft Azure operate on a shared responsibility model.
For instance, AWS is “responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.” And as its customer, you must conduct the configuration work as part of your security responsibilities.
So while HIPAA-compliant cloud storage is a must, that’s not all.
Getting the Business Associate Agreement signed
The first step to ensuring HIPAA compliance is to sign a Business Associate Agreement (BAA) with the CSP. The BAA is a legally enforceable contract between the two parties that sets out the guidelines on the use and disclosure of PHI and on its protection.
You may need to sign multiple BAAs if you use multiple cloud providers.
Setting up the right access controls
You must restrict access to your data in the cloud by configuring access control so that only authorized individuals from your organization can access PHI.
You must also establish procedures for granting, revoking, and periodically reviewing access controls. Doing this will help you establish the privacy and security of the PHI.
Configuring firewalls that provide logging
Firewalls are critical to maintaining HIPAA compliance and protecting PHI data. The HIPAA rules also require recording, auditing, and monitoring every access to PHI.
Therefore, you must enable logging on any firewall, whether deployed in the cloud or on-premises (per the HIPAA Security Rule).
You can use the logs to keep track of any user activity that affects the firewall, including routine activity that might expose PHI, violate HIPAA, or cause a security breach.
You must retain these logs for a minimum of six years; they are a must-have in case of an Office for Civil Rights (OCR) audit.
Encrypting all the information
HIPAA mandates end-to-end encryption of all PHI shared or stored in the cloud. A secure system should include AES-256 encryption for data-at-rest and TLS for data-in-transit.
However, encryption isn’t enough to meet all HIPAA Security Rule requirements.
Setting up a process for breach notification
HIPAA’s Breach Notification Rule defines the actions healthcare organizations must take in case of a data breach or leak. It defines the timeframes and methods for disclosure to government officials and the media.
In case of a data breach, the Covered Entity and the CSP (in this case, the Business Associate) must investigate and report their findings to the OCR.
FAQs
Are large cloud platforms considered HIPAA compliant?
Most large public cloud providers or platforms are HIPAA compliant. However, using HIPAA-compliant cloud storage doesn’t automatically make you HIPAA-compliant.
Can organizations store PHI on the CSP without signing BAA?
No. Organizations must sign the BAA with the CSP before storing their PHI on the cloud. Not following this can risk a PHI breach and attract substantial financial penalties from the OCR.
Why do covered entities need to sign BAA with the cloud service provider?
HIPAA requires a Covered Entity to sign a BAA with the cloud service provider only if it engages the CSP to receive, maintain, or transmit ePHI.
The BAA lays down the contractual requirements of the BA in terms of the measures it must take to protect the PHI in its environment.
What’s Next?
As you can see, HIPAA continues to evolve, and the threats to the healthcare industry don’t stop evolving either. This is why you need a proactive rather than a reactive approach.
Enter Sprinto – the powerful automation solution that helps cloud companies get compliant in no time at a fraction of the cost.
Maintain your HIPAA compliance with the help of our continuous monitoring tool, which identifies gaps in your controls so you can address them immediately.
If you want to know more, book a call with us.