HIPAA Compliant Cloud Storage: Is Your Practice at Risk?


Finding HIPAA compliant cloud storage for your Behavioral Health practice can be a challenge, especially because clear answers about what HIPAA actually requires are hard to find.

Understanding HIPAA Compliance

HIPAA regulation divides health care organizations into two categories: covered entities and business associates.

Covered entities are organizations such as health care providers, insurance companies, and health care clearinghouses. Covered entities must address the full extent of HIPAA compliance with a robust compliance program to keep protected health information (PHI) private and secure.

A business associate (BA) is any organization that has been hired to handle PHI in the course of the work it does for a covered entity. There are many different kinds of BAs, running the gamut from EHR providers to medical billing companies. The rule of thumb to remember is that if you share PHI with a vendor, that vendor must be HIPAA compliant.

HIPAA Compliant Cloud Storage

Because cloud storage providers have the potential to handle PHI, they are considered business associates by HIPAA regulation.

That means that if you use a cloud storage provider to house any materials that contain patients’ names, dates of birth, insurance information, addresses, medical records, or any other piece of PHI, you must choose a vendor that is HIPAA compliant.

If you do business with a cloud storage vendor that isn’t HIPAA compliant, you could be putting your behavioral health practice at risk in the event of a data breach.

If you’re looking into how to find a HIPAA compliant cloud storage provider, keep these questions in mind:

  • Does the provider use end-to-end encryption? End-to-end encryption is a security measure that ensures only the intended user can access the data in question; the provider itself cannot read it.
  • Does the provider’s service have user and access controls? User and access controls are a HIPAA-mandated security measure that allows you to track who has accessed your data and to set rules for how, when, and where that data can be accessed by authorized staff.
  • Does the system have automatic backup? In the event of a ransomware incident or malware attack, your cloud storage provider should have a means of restoring access to your files. Automatic backup should be built into the service you choose.

Business Associate Agreements

Once you find a HIPAA compliant cloud storage vendor, you need to make sure that you execute a Business Associate Agreement with them as a part of your HIPAA compliance program.

Remember that you must execute your BAAs before you share any health care data. This is as much to protect your patients as it is to protect your practice, and it is mandated by HIPAA regulation.

A proper Business Associate Agreement protects your organization from liability in the event of a breach that originated with the vendor. Executing one should always be the first step you take when beginning a new business relationship with any vendor that handles PHI in any way, including cloud storage providers.

Basic Telehealth Legal Issues: Rules, Regulations & Risk Management

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing, technical, medical, or therapeutic advice. Use of this site constitutes your agreement to TBHI Privacy Policy and Terms and Conditions.