The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996, when the information technology landscape looked very different to how it does today. As such, it is often difficult to interpret in the context of a modern IT environment, which typically makes use of a wide range of hosted services and mobile technologies. Neither of these things existed in any significant form 25 years ago, which is also partly why there is technically no such thing as HIPAA-compliant storage.
What is HIPAA-compliant storage?
No cloud-hosted storage service can be truly HIPAA-compliant by itself. Compliance depends primarily on the actions of people, although there are certain technical measures that need to be applied too, such as data encryption. A HIPAA-compliant storage service should provide the functions necessary to protect the integrity, confidentiality, privacy, and security of data, but it is up to the user to apply them. In other words, the service providers typically rely on a shared responsibility model, but it is essential that you understand who is responsible for what.
#1. Can they provide a business associate agreement?
Healthcare providers and other organizations in the sector often have complex supply chains comprising extensive vendor portfolios. The same applies to their own vendors, all of whom are part of much larger supply chains. The online storage services you use are no exception.
Since data hosted in the cloud resides on servers belonging to and operated by a third party, that party will be classified as a business associate. Therefore, you will need to sign a business associate agreement with the company before you start using their services. If they are not willing to sign such an agreement, then they may not be HIPAA-compliant, in which case you should look for an alternative provider.
#2. Do they offer multilayered user access controls?
Cloud-hosted storage services are a top target for hackers because most businesses rely on them and they house a great deal of valuable data. However, contrary to popular belief, most data breaches concerning cloud services are not the fault of the service provider, but of the end user.
Weak passwords are one such vulnerability that can render a cloud service highly insecure. Even strong passwords are susceptible to social engineering scams. Because of this, HIPAA-compliant storage services should always offer multilayered access controls, instead of relying on passwords alone.
#3. Will your data be encrypted in storage and transit?
Data encryption is specified as ‘addressable’ under HIPAA legislation, but this does not mean it is optional or can be delayed. It means you either need to implement the safeguard or one of equivalent effectiveness, or otherwise provide documentation giving a justifiable reason why such a course of action has not been taken.
Fortunately, any HIPAA-compliant storage or other cloud-hosted service should offer complete encryption of data at rest and in transit. AES-256 encryption or better is practically impossible to crack with a brute-force attack, making it an effective and easy way to protect your data in storage or when it is being transmitted.
#4. Are the storage systems used physically secure?
HIPAA also includes a list of physical safeguards that must be implemented to protect data-bearing systems from physical theft. These measures include things like controlling access to buildings and facilities, and securely disposing of deprecated hardware.
A HIPAA-compliant cloud storage service should address all these measures and be willing to provide the documentation to prove it. While there is a degree of trust required here, since you have little or no control over where your data physically lives in the cloud, choosing a reputable service provider will make all the difference.
#5. Is protected health information stored in your jurisdiction?
You must also ensure that your data stays on systems within the country and, consequently, the jurisdiction covered by HIPAA. If protected health information (PHI) is to be moved outside the country for any reason, then it must be done according to voluntary agreements between all relevant parties, including the person to whom the information pertains.
For everyday storage and transmission of healthcare data, it is imperative that you choose a cloud storage provider that has servers in the same jurisdiction. This should not be difficult to achieve, but it is something to be aware of if you choose to work with a smaller service provider headquartered abroad.
Charles IT provides comprehensive HIPAA compliance assessments and security services to protect your organization from data leaks and other cyberthreats. Contact us today to find out more.