From Google Drive and Microsoft OneDrive to Amazon Web Services (AWS) and Dropbox, cloud storage services have become increasingly popular in recent years. In addition to being used for recreational purposes by consumers, they are now being used by professionals in the healthcare industry. But before signing up and using a cloud storage service, you should ask yourself whether or not it is compliant with the Health Insurance Portability and Accountability Act (HIPAA).
Business Associates Agreement
We've talked about this before on our blog, but it's worth mentioning again that a Business Associates Agreement (BAA) is required whenever a third party transmits or stores Protected Health Information (PHI) on your behalf. And in case you were wondering, a cloud storage provider that handles PHI is considered a third-party business associate in the eyes of the OCR (the HHS Office for Civil Rights, which enforces HIPAA). Make sure that any cloud storage service you intend to use is willing to sign a BAA; otherwise, find a different provider.
Encryption
A key feature of HIPAA compliant cloud storage providers is encryption. Encrypting data prevents unauthorized users from reading it: the stored data can still be retrieved, but without the corresponding encryption key it cannot be decrypted back into readable form. A good cloud storage provider should encrypt stored data with a minimum of 256-bit Advanced Encryption Standard (AES) encryption, and protect it in transit as well, giving you peace of mind knowing that your data is safe and secure.
Two-Step Verification
While not strictly a requirement for HIPAA compliance, choosing a cloud storage service that offers two-step verification will strengthen the security of your documents and files and reduce the risk of unauthorized disclosure of PHI. With single-step verification, users only need to enter their username and password to access files. With two-step verification, users enter their username and password and must then complete an additional step before their files are unlocked. That additional step may, for instance, be a one-time PIN texted to your mobile phone, which you then enter into the cloud storage platform to access your files.
Security Awareness Training
Does the cloud storage provider have a structured security awareness training program in place? Providers that take security seriously use these programs to teach their staff how to keep users' data safe from unauthorized access. HIPAA expects covered entities and business associates alike to run such a program and to review their security policies on a regular basis.