
Cloud Solutions Enable Any Company to be HIPAA Compliant

[Image: Stethoscope and laptop computer. Laptop computers and other kinds of mobile devices and communications technologies are of increasing importance in the delivery of health care. Photographer: Daniel Sone]

Organizations operating in the U.S. healthcare sphere are subject to data privacy regulations first defined in the Health Insurance Portability and Accountability Act of 1996. Failure to adhere to the standards regarding the handling of Protected Health Information (PHI) can lead to substantial fines. Financial penalties are administered according to a tiered structure, with maximum fines exceeding one million dollars.

Maintaining compliance can be a difficult task. Modern information technology (IT) environments have become more diverse and complex. Hybrid cloud solutions are becoming increasingly popular, further complicating compliance efforts. Companies often have infrastructure components spread among different cloud providers and on-premises data centers. 

Another issue that affects some smaller healthcare providers is the lack of a dedicated IT staff that can focus on implementing the protections required to meet HIPAA guidelines. A small doctor's office needs to remain HIPAA compliant but may not have the resources available to make that happen. That is not a valid excuse to offer auditors or investigators in the wake of a data breach involving PHI.

Fortunately, there are cloud solutions designed to help small and large organizations comply with HIPAA data protection regulations. 

HIPAA Compliant Cloud Solutions

The HIPAA Security Rule mandates that all covered entities conduct a risk assessment of their organization, including cloud deployments, to verify that they are compliant with HIPAA's administrative, physical, and technical safeguards. While HIPAA does not demand the use of encryption, it is the most effective method of protecting PHI at rest or during transmission. Providing end-to-end encryption, full disk encryption, and creating encrypted backups are some of the techniques used by cloud providers to protect PHI.

Cloud vendors who are confident in their HIPAA compliance standing should be willing to sign a business associate agreement (BAA). Providers who are reluctant to sign this type of agreement should not be counted on to furnish the required data safety and privacy safeguards. Their claims of HIPAA-compliant systems may just be marketing doublespeak, leaving the customer in a perilous position regarding compliance. Providers should also be willing to show prospective clients HIPAA certifications and audit assessments. 

Following are some of the third-party cloud providers that offer HIPAA-compliant storage systems and services. These companies are all willing to sign a BAA and share responsibility for HIPAA compliance with the customer, known as the covered entity (CE). 

  • Amazon Web Services has HIPAA-compliant offerings that help healthcare industries process, store, and transmit PHI. 
  • Microsoft offers multiple services in scope for HIPAA BAA coverage. They include Azure, Azure DevOps, Office 365, and Power BI. 
  • Google Cloud Services ensures that services covered under their BAA meet HIPAA requirements. These include a wide array of offerings on the Google Cloud Platform (GCP), Google Workspace, and secure communication solutions.  
  • Dropbox Business can be configured to provide HIPAA-compliant cloud storage. Other features include two-factor authentication and administrative controls including user activity reports. 
  • Box offers accounts that can share data securely with a direct messaging protocol and enables audit trail functionality for users and content. The platform enables secure remote viewing of medical records.  

When working with cloud providers, it is essential to understand that the covered entity is responsible for ensuring systems are configured and used appropriately to remain HIPAA compliant. It’s the confidentiality of the CE’s patients’ data that is put at risk through customer misuse.

 Robert Agar

I am a freelance writer who graduated from Pace University in New York with a Computer Science degree in 1992. Over the course of a long IT career I have worked for a number of large service providers in a variety of roles revolving around data storage and protection. I currently reside in northeastern Pennsylvania where I write from my home office.
