
What is HIPAA Compliant Cloud Storage and Why is It Important to You?



Companies of all sizes are adopting cloud storage as a key component of their plans to deliver more of their services digitally. The urgency created by the COVID pandemic has further accelerated the adoption of cloud computing and cloud storage among small and large organizations alike, up to and including top C-suite decision-makers. Businesses (including clinical practices) are systematically digitizing their services, with the cloud at the core of that transition.

Those professionals and organizations that navigate this digital transition successfully will be the leaders of the future. Individuals or groups who use technology reluctantly or adopt it piecemeal risk failing to consider the ramifications of being several decades into an age of digital transformation. Many thought leaders have characterized this transformation as being as far-reaching as the human race's transition from hunting and gathering to agriculture for acquiring and storing food.

The successful healthcare organizations of tomorrow will be those that navigate this change quickly, make well-considered choices, and adopt the right digital services to grow and scale, so that they can responsibly deliver care where and when it is needed. Telehealth.org has been consulting for and serving groups large and small to assist with this transition for 28 years, and therefore offers this article and other recent articles about cloud storage to highlight the importance of making good choices about your cloud storage needs.

Cloud computing and cloud storage are cornerstone elements to consider in your digital transformation. Rather than being kept on a floppy disk or an external hard drive, data of all types are stored in logical pools, said to be in "the cloud", that often span multiple servers, with the physical environment typically owned and managed by a hosting company. Healthcare businesses then, for the most part, buy their cloud storage services from such hosting companies.

What Is HIPAA Compliant Cloud Storage?

To make the best decision for protecting patients' electronic protected health information (ePHI) in a cloud storage solution, it helps to understand the basic requirements for HIPAA compliant cloud storage. Functionally, HIPAA has two components when it comes to ePHI: the HIPAA Privacy Rule and the HIPAA Security Rule. These are the pillars of HIPAA law, meaning that if you want to be compliant, you must focus your efforts on them. Each is addressed below.

HIPAA Compliant Cloud Storage & The HIPAA Privacy Rule

The HIPAA Privacy Rule is the more expansive of the two pillars that make up HIPAA law, yet it is often overlooked. It defines which information is protected and how it must be handled, including:

  • Demographic information
  • Mental and physical health history
  • The forms of healthcare an individual has received
  • An individual’s payment history as well as any current expense or projected future costs
  • An individual’s common identifiers such as name, Social Security Number, birth date, address

It also permits the sharing of de-identified health information and defines the circumstances under which PHI may legally be used or disclosed without the individual's authorization (for example, for treatment, payment, and healthcare operations).

The HIPAA Security Rule, in essence, takes the rules, restrictions, and exceptions of the HIPAA Privacy Rule and applies them specifically to ePHI: how it is created, received, maintained, and transmitted. It expresses these requirements through three sets of safeguards:

  • Physical: controls on the facilities, workstations, and devices (including removable media) that store or carry ePHI, and on who may access them for use, maintenance, repair, or disposal.
  • Technical: access controls, audit logging, integrity controls, authentication of persons or entities, and transmission security such as encryption of ePHI in transit.
  • Administrative: the organization's policies and structure, including risk analysis, which employees are authorized to access which ePHI, and the training provided to the workforce.

The Components of HIPAA Compliant Cloud Storage

The nine-point guide below may be useful when selecting a HIPAA compliant cloud storage solution that will also meet the standards outlined by the HIPAA components described above. To be worth your investment, and worthy of your clients' or patients' ePHI, a cloud storage service must have:

  • An available infrastructure with safeguards (redundancy and a tested recovery plan) in case of unexpected system outages that would make data inaccessible
  • A fully managed firewall that restricts access to ePHI to authorized parties only
  • Encrypted virtual private networks (VPNs), or equivalent encrypted channels, so that entities can transmit data safely
  • Onsite and offsite encrypted data backups
  • Malware and virus protection on the devices that access ePHI
  • Multi-factor authentication, so that one employee's weak or stolen password does not leave the entire system exposed
  • Data siloed away from the data of other customers using the same provider (tenant isolation)
  • Valid TLS certificates (still commonly called SSL certificates) for all system components, including domains, subdomains, and servers, so that every connection that carries ePHI is encrypted and authenticated
  • A strong agreement with the hosting company (the Business Associate Agreement discussed below) that clearly defines each party's role under existing HIPAA law, including the roles and responsibilities of each party should a breach occur
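The certificate and transmission-security points in the list above are the easiest ones to verify mechanically rather than by reading a vendor's brochure. The Python script below is an added example written for this article; it is not code from Telehealth.org or from any cloud provider. It audits a constructed inventory of the hostnames that carry ePHI (the hostnames, certificate dates, and reference date are all made up for illustration) and flags endpoints with no TLS, a protocol older than TLS 1.2, an expired or soon-to-expire certificate, or a certificate that does not match the hostname. The `probe` function shows how a real inventory entry would be collected with a hardened client context; the audit itself runs offline on the constructed data.

```python
"""Audit the TLS posture of the endpoints that carry ePHI.

Added example for this article; not from Telehealth.org or any vendor.
The inventory, reference date and hostnames below are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
EXPIRY_WARNING_DAYS = 30

# Constructed reference time so the audit is repeatable (2025-06-01 00:00 UTC).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()

# Constructed inventory (hypothetical hostnames). The field shapes mimic what
# ssl.SSLSocket.version() and getpeercert()["notAfter"] return, so probe()
# below produces entries of the same form.
INVENTORY = [
    {"host": "portal.example-clinic.test", "tls_version": "TLSv1.3",
     "not_after": "Dec 31 23:59:59 2030 GMT", "hostname_match": True},
    {"host": "ehr.example-clinic.test", "tls_version": "TLSv1.3",
     "not_after": "Jun 15 00:00:00 2025 GMT", "hostname_match": True},   # renews soon
    {"host": "api.example-clinic.test", "tls_version": "TLSv1.2",
     "not_after": "Jan 15 00:00:00 2024 GMT", "hostname_match": True},   # expired
    {"host": "legacy.example-clinic.test", "tls_version": "TLSv1.0",
     "not_after": "Dec 31 23:59:59 2030 GMT", "hostname_match": True},   # weak protocol
    {"host": "backup-01.example-clinic.test", "tls_version": None,
     "not_after": None, "hostname_match": None},                         # plaintext
    {"host": "files.example-clinic.test", "tls_version": "TLSv1.2",
     "not_after": "Dec 31 23:59:59 2030 GMT", "hostname_match": False},  # wrong name
]


def audit_endpoint(entry, now=NOW):
    """Return a list of findings for one endpoint; an empty list means it passes."""
    if entry["tls_version"] is None:
        if entry["hostname_match"] is False:
            # probe() records this when a verifying client rejected the certificate
            return ["certificate rejected by a verifying client (name mismatch, expired, or untrusted issuer)"]
        return ["no TLS: ePHI would transit in plaintext"]
    findings = []
    if entry["tls_version"] not in ACCEPTABLE_VERSIONS:
        findings.append(f"weak protocol {entry['tls_version']}; require TLS 1.2 or 1.3")
    not_after = ssl.cert_time_to_seconds(entry["not_after"])  # parses the notAfter format
    if not_after <= now:
        findings.append("certificate expired")
    elif not_after - now < EXPIRY_WARNING_DAYS * 86400:
        days = int((not_after - now) // 86400)
        findings.append(f"certificate expires in {days} days")
    if not entry["hostname_match"]:
        findings.append("certificate does not match hostname")
    return findings


def audit_inventory(inventory, now=NOW):
    """Map each failing host to its findings; hosts that pass are omitted."""
    report = {}
    for entry in inventory:
        findings = audit_endpoint(entry, now)
        if findings:
            report[entry["host"]] = findings
    return report


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and insists on a
    trusted certificate whose name matches the host."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host, port=443, timeout=5.0):
    """Collect a live inventory entry for one host (network call; not used by
    the offline audit). Because the context refuses TLS 1.0/1.1, a server that
    offers only those fails the handshake and is recorded as having no TLS,
    which is the correct verdict for an ePHI endpoint."""
    entry = {"host": host, "tls_version": None, "not_after": None, "hostname_match": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
                entry["tls_version"] = tls.version()
                entry["not_after"] = tls.getpeercert()["notAfter"]
                entry["hostname_match"] = True
    except ssl.SSLCertVerificationError:
        entry["hostname_match"] = False  # name mismatch, expired, or untrusted issuer
    except (OSError, ssl.SSLError):
        pass  # nothing speaking acceptable TLS on this port
    return entry


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

Run against the constructed inventory, only `portal.example-clinic.test` passes; the other five hosts each produce one finding. To audit a real deployment, replace `INVENTORY` with `[probe(h) for h in hosts]` over the complete list of domains, subdomains, and servers, and treat any non-empty report as a blocker for storing ePHI on that component.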

Some Final HIPAA Compliant Cloud Storage Considerations

HIPAA is now 25 years old and its Security Rule has been enforceable since 2005, so most cloud storage providers that serve healthcare will have the standards above in place. A few further considerations may therefore help you make a final decision about the cloud storage solution that best meets your needs.

  • First, identify which operating system (OS) is included in the cloud solution being considered. If you are already familiar with one OS, it is sensible to give that system priority, since integrating it will likely be more intuitive and therefore easier for you to navigate.
  • Always be sure that your preferred vendor will sign a Business Associate Agreement (BAA); as a covered entity you are obligated to have one with any vendor that stores or handles ePHI on your behalf.
  • Finally, make sure they can provide SOC 2 (and, as a public summary, SOC 3) attestation reports. Again, these speak to both their compliance and their diligence.
  • Using this article as a checklist will help you select a cloud storage solution that is compliant with HIPAA law and committed to maintaining that standard.

