TL;DR:
| Any cloud provider storing or processing ePHI is classified as a HIPAA Business Associate, even if it only handles encrypted data without the decryption key |
| Covered entities must sign a BAA before any ePHI is created, received, or transmitted through the cloud. Using a compliant provider alone does not make your organization compliant |
| Required safeguards include AES-256 encryption at rest, TLS encryption in transit, access control policies with periodic reviews, and firewall logging retained for a minimum of 6 years |
Your cloud service provider is HIPAA compliant. But that doesn’t mean you are too!
As a Covered Entity or a Business Associate that uses a HIPAA-compliant cloud to create, receive, maintain, or transmit protected health information (PHI), your compliance effort must not end there.
Using a compliant cloud service provider is a must, but it does not finish the work: the controls on your side of the shared-responsibility line are still yours to implement and prove.
Touted as one of the most stringent healthcare privacy laws in the world, the Health Insurance Portability and Accountability Act (HIPAA) is a US federal law.
It requires healthcare organizations, and the vendors that access PHI on their behalf, to implement standard safeguards that protect patient data such as electronic medical records and other personal health information.
Read on to get a lowdown on what security measures you should implement to ensure the safety of PHI, even on HIPAA-compliant secure cloud storage.
HIPAA Brass Tacks
Before we go any further, let’s quickly understand some standard terms used in the article.
Protected Health Information (PHI): As per HIPAA regulations, PHI is 1) identifiable demographic or genetic information related to health, 2) information on the physical or mental condition of an individual, or 3) payment or financial information related to healthcare.
Covered Entities: Healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically and generate, store, transmit and handle PHI.
Business Associate: Service providers, vendors, and other entities that create, receive, maintain, or transmit PHI on behalf of a Covered Entity.
What does HIPAA say about Cloud Service Providers?
Under the HIPAA Rules, Cloud Service Providers processing ePHI for a Covered Entity must be treated as Business Associates and are directly liable for compliance with the applicable HIPAA Rules. That direct liability is what raises the operational bar on HIPAA-compliant data storage: encryption, key management, audit trails, and retention all have to be provable artifacts the CSP can hand to a covered entity’s auditor, not just contractual promises in the BAA.
The CSP remains a Business Associate even when it is engaged not by the Covered Entity directly but by another Business Associate that subcontracts the creation, storage, or receipt of ePHI to it.

This holds true even if the CSP stores or processes only encrypted ePHI and does not hold the decryption key. Lacking the key does not exempt a CSP from Business Associate status or from the obligations that come with it under the HIPAA Rules.
Covered Entities must execute a BAA with every CSP handling PHI. A healthtech compliance solution helps manage BAA workflows, track CSP compliance status, and ensure no cloud vendor operates without a signed agreement.
This makes the CSP contractually liable for meeting the terms of the HIPAA BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.
How to Make Sure Your Data is on HIPAA-Compliant Cloud Storage
It’s one thing to have HIPAA-compliant cloud storage services and another to ensure the PHI access in the cloud is equally secured, if not more, from your end.
Large CSPs like AWS, GCP, and Azure operate on a shared responsibility model that leaves significant HIPAA obligations on the customer side. A healthtech compliance solution maps those customer-side obligations to controls and continuously monitors whether each one is met.
For instance, AWS is “responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.” And as its customer, you must conduct the configuration work as part of your security responsibilities.
So while HIPAA-compliant cloud storage is a must, that’s not all.

Getting the Business Associate Agreement signed
The first step to ensuring HIPAA compliance is to sign a Business Associate Agreement (BAA) with the CSP. The BAA is a legally enforceable contract between the two parties that sets out how PHI may be used and disclosed and how it must be protected.
You may need to sign multiple BAAs if you use multiple cloud providers.
Setting up the right access controls
You must restrict access to your data in the cloud by configuring access controls so that only authorized individuals in your organization can reach PHI. Access controls are only half of the equation. The HIPAA Security Rule lists encryption as an addressable implementation specification rather than naming an algorithm, but the baseline auditors expect is AES-256 at rest, TLS 1.2 or later in transit, key rotation, and, where available, FIPS-validated cryptographic modules. Pair the two so that a misconfigured permission or a stolen storage volume does not hand plaintext PHI to whoever lands on the underlying storage.
You must also establish procedures for granting, revoking, and periodically reviewing access. Together these controls demonstrate the confidentiality and integrity of the PHI.

Configuring firewalls that provide logging
Firewalls are critical to protecting PHI and maintaining HIPAA compliance. The Security Rule’s audit-control standard also requires you to record and examine activity in systems that contain or use ePHI.
You must therefore enable logging on every firewall that fronts ePHI, whether it is deployed in the cloud or on premises.
Use the logs to track activity that reaches or changes the firewall, including routine events that could expose PHI, violate HIPAA, or lead to a security breach.
Keep these logs for a minimum of six years; they are a must-have in an Office for Civil Rights (OCR) audit. Six years is HIPAA’s retention period for Security Rule documentation, and it is commonly applied to the audit logs that evidence those controls. The log-retention requirement is one of the items on every comprehensive HIPAA compliance checklist, alongside the Security Rule’s administrative, physical, and technical safeguards that an OCR auditor will work through line by line.
Encrypting all the information
HIPAA does not mandate a specific cipher, and the Security Rule lists encryption as an addressable specification, but in practice encrypting all PHI stored in or sent through the cloud is the only defensible choice: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is “secured”, so its loss or theft is not a reportable breach, whereas unencrypted PHI is. A secure system should therefore use AES-256 for data at rest and TLS for data in transit.
Encryption alone does not satisfy every HIPAA Security Rule requirement, however; access control, audit logging, and documented procedures remain mandatory.
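The access-control, firewall-logging and encryption sections above all reduce to settings a customer must prove on their own side of the shared-responsibility line. As an added example (not code from Sprinto, AWS or the original article), the Python below statically audits an S3-style bucket policy and a log-retention value for those safeguards: a Deny on aws:SecureTransport=false (TLS-only transport), the two-statement Deny pattern for PutObject without AES256 or aws:kms server-side encryption, Allow statements open to any principal or any action, and retention shorter than six years. The bucket name, the role ARN and both policy documents are constructed fixtures; the weak policy is the kind that “just works”, the hardened policy is the same bucket with the controls expressed in policy. In a real audit you would feed it the policy document fetched from the provider.

```python
"""Static audit of an S3-style bucket policy for the safeguards this article
lists: TLS-only transport, server-side encryption on write, least-privilege
grants, and six-year log retention.

Added example; not Sprinto's or AWS's code. The two policies below are
constructed fixtures, and the bucket and role names in them are made up.
"""
import json

# HIPAA's documentation-retention period is six years: 6 * 365 days plus two leap days.
MIN_LOG_RETENTION_DAYS = 2192
APPROVED_SSE = {"AES256", "aws:kms"}  # SSE-S3 (AES-256) or SSE-KMS
ANY_PRINCIPAL = ("*", {"AWS": "*"})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers(actions, wanted):
    """True if the statement's Action includes `wanted` or a wildcard for it."""
    return any(a in (wanted, "s3:*", "*") for a in _as_list(actions))


def denies_plaintext_transport(policy):
    """True if a Deny on every principal and every S3 action fires when
    aws:SecureTransport is false, i.e. every non-TLS request is refused."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if (st.get("Effect") == "Deny"
                and st.get("Principal") in ANY_PRINCIPAL
                and _covers(st.get("Action", []), "s3:*")
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


def denies_unencrypted_put(policy):
    """True only if PutObject is denied both when the SSE header is absent
    (Null condition) and when it names an unapproved algorithm
    (StringNotEquals). Either statement alone leaves a gap."""
    header_missing = header_wrong = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or not _covers(st.get("Action", []), "s3:PutObject"):
            continue
        cond = st.get("Condition", {})
        null = cond.get("Null", {}).get("s3:x-amz-server-side-encryption")
        if str(null).lower() == "true":
            header_missing = True
        sne = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sne is not None and set(_as_list(sne)) <= APPROVED_SSE:
            header_wrong = True
    return header_missing and header_wrong


def overbroad_allows(policy):
    """Sids of Allow statements that grant every principal or every action;
    these defeat the 'only authorized individuals' requirement."""
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow"
            and (st.get("Principal") in ANY_PRINCIPAL
                 or _covers(st.get("Action", []), "s3:*"))]


def audit(policy, log_retention_days):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not denies_plaintext_transport(policy):
        findings.append("no Deny for aws:SecureTransport=false: plaintext HTTP reaches PHI")
    if not denies_unencrypted_put(policy):
        findings.append("PutObject without AES256/aws:kms server-side encryption is not denied")
    for sid in overbroad_allows(policy):
        findings.append(f"statement {sid!r} grants access to any principal or any action")
    if log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(f"log retention {log_retention_days}d is below the {MIN_LOG_RETENTION_DAYS}d minimum")
    return findings


# Constructed fixture: a typical "it works" policy with nothing enforced.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"}]
}""")

# Constructed fixture: the same bucket with the safeguards expressed in policy.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleReadWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-app-role"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyMissingSSEHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyNonKmsSSE", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}""")

if __name__ == "__main__":
    for name, policy, days in (("weak", WEAK_POLICY, 365), ("hardened", HARDENED_POLICY, 2192)):
        print(name, audit(policy, days) or "OK")
```

The SSE check deliberately insists on both Deny statements: a StringNotEquals condition never matches a request that omits the header, so without the Null statement an unencrypted PUT slips through. The retention check is a single number here because the log store and its lifecycle settings vary by provider; the point is that the figure a reviewer sees is compared against the six-year minimum rather than taken on trust.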
Setting up a process for breach notification
HIPAA’s Breach Notification Rule defines the actions healthcare organizations must take when unsecured PHI is breached. It sets the timeframes and methods for notifying affected individuals, the Secretary of HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets.
When a breach occurs in the cloud, the CSP (as Business Associate) must investigate and notify the Covered Entity without unreasonable delay and no later than 60 days after discovery; the Covered Entity is then responsible for the notifications to individuals, to HHS through the Office for Civil Rights (OCR), and, where required, to the media.
What’s Next?
As you can see, HIPAA enforcement continues to evolve, and the threats to the healthcare industry don’t stop evolving either. This is why you need a proactive rather than a reactive approach.
Enter Sprinto – the powerful automation solution that helps cloud companies get compliant in no time at a fraction of the cost.
Maintain your HIPAA compliance with the help of our continuous monitoring tool to identify any gaps in your controls and address them immediately.
If you want to know more, book a call with us.
FAQs
Most large public cloud providers or platforms are HIPAA compliant. However, using HIPAA-compliant cloud storage doesn’t automatically make you HIPAA-compliant.
No. Organizations must sign the BAA with the CSP before storing any PHI in the cloud. Skipping this step risks a PHI breach and can attract substantial financial penalties from the Office for Civil Rights (OCR).
HIPAA requires a Covered Entity to sign a BAA with a cloud service provider if it engages the CSP to create, receive, maintain, or transmit ePHI on its behalf.
The BAA lays down the contractual requirements of the BA in terms of the measures it must take to protect the PHI in its environment.

Author
Srividhya Karthik
Srividhya Karthik is a Content Lead at Sprinto, where she artfully transforms the complex world of compliance into accessible and intriguing reads. Srividhya has half a decade of experience in the compliance world across frameworks such as SOC 2, ISO 27001, GDPR and more. She is a formidable authority in the domain and guides readers with expertise and clarity.