HIPAA compliance is no joke – unsecured health information can seriously damage an individual and also the healthcare provider. The sensitive information held in healthcare records must be stored securely, otherwise there can be serious consequences. Shockingly, surveys have found that 59% of doctors have written an offensive remark on someone’s medical records. You have a legal right to access your own medical records to check whether this has happened to you. Surprisingly, the researchers also found that:
Most patients don’t care unless it affects them, like a diagnosis that has a social stigma or has to do with insurance coverage
That being said, it’s one thing to access your own health records, but a hacker gaining access is another story. For that reason, the assigned Medical Technician must take extra measures to ensure that medical records are kept secure. That includes using cloud storage solutions that comply with HIPAA and cannot be hacked.
Finding a HIPAA-compliant cloud storage facility is not easy. That is why I’ve created this article, so that you can find out more about HIPAA cloud storage and easily access and compare HIPAA cloud hosting options.
What Is The Purpose of HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. The bill was signed into law in 1996 by Bill Clinton, then president of the US. HIPAA is designed to offer protection to workers when they change or lose their jobs, and also to protect the integrity, confidentiality and availability of health data.
The data protection (accountability) aspect of HIPAA is the part relevant to cloud storage, especially for healthcare companies. Violations of this act come at serious cost to the healthcare provider.
How Much Does a HIPAA Violation Cost?
While you could get a small fine for a HIPAA violation, the penalty generally ranges from $100 per record up to $50,000. The maximum fine for a HIPAA violation is $1.5 million. What’s more, once a federal investigator has found a HIPAA breach, the name of the practice is listed on the “Wall of Shame” and cannot be removed. Even companies that are merely under investigation for a HIPAA breach appear on this page.
Medical Technicians should get training in HIPAA compliance and in developing a Risk Analysis and Management Plan. The cost for this is in the region of $2-$10k; however, that’s a small price when you consider the cost of HIPAA violation fines.
In reality, no cloud storage provider is HIPAA-compliant on its own. The cloud storage provider can supply the tools, but the responsibility for setting them up correctly always falls to the healthcare provider. With that in mind, let’s look at the best HIPAA-compliant cloud storage solutions and see what they can offer you.
HIPAA-Compliant Cloud Storage Providers
1. Dropbox
Dropbox is one of the most famous cloud storage solutions on the planet right now, but is Dropbox truly HIPAA compliant? And can you share protected health information (PHI) with Dropbox?
Dropbox openly states that it supports HIPAA and HITECH Act compliance. To make the product truly HIPAA compliant, the healthcare provider must set up and use the platform in the correct way. Dropbox needs to sign a business associate agreement (BAA) with HIPAA-covered entities, which it is prepared to do. Thankfully, it’s really easy to sign the BAA with an electronic signature.
The Dropbox Business service is really cheap, at just $12.50 for up to five users. It also provides unlimited storage, which is a great bonus, as well as document recovery services. However, you must also set up your account so that files cannot be permanently deleted.
One thing to note is that Dropbox allows you to use third-party apps, and these apps will not be covered by the BAA that Dropbox has signed with you – so that is one to look out for. That said, JotForm’s HIPAA-compliant form-building service is covered by the BAA and is extremely useful for healthcare providers. Certain aspects of HIPAA require the correct configuration of Dropbox. For example, you must disable permanent deletion of files, which is pretty easy to do in the admin console.
- Share/ store PHI files within HIPAA rules
- Easy to sign the BAA and be covered under HIPAA
- Need to configure the account to be covered by the BAA
- Cost effective
- Third party apps not covered with BAA
2. Atlantic.net
Atlantic.net is an award-winning HIPAA cloud storage solution. It won the “Best HIPAA Platform Provider” award in 2018 and the “Best Patient Data Security Solution” award in 2019. Atlantic.net also offers HIPAA hosting, and states that it is fully HIPAA compliant and HIPAA audited. To find out the cost, you need to get in touch to discuss your individual needs.
Atlantic.net has also implemented a robust hosting solution, including management services for healthcare companies, with the following features:
- Firewall
- Encrypted VPN – for secure file transfer
- Offsite backups – to ensure that medical records can always be retrieved
- Multifactor authentication – via mobile phone, to ensure that each user who accesses the account is who they say they are
All files are stored in a private hosted environment – Atlantic.net has secured the resources by privatizing the infrastructure. It also deploys SSL certificates site-wide, for security and credibility. Atlantic.net holds SSAE 18 certification and will sign a Business Associate Agreement (BAA).
- HIPAA Audited
- HIPAA Compliant
- Multifactor authentication
- Offsite backups
- Advanced Encryption Standard 256-bit (AES-256)
- 24x7x365 Security, Support, & Monitoring
- Price not displayed
- You need to contact the sales department to set up your cloud storage account
3. Box
Box has some nice features for healthcare users. For example, it offers access monitoring and audit trails, which let you verify what data was accessed, when, and by whom. Box is extremely straightforward to use and integrates with Salesforce, JotForm and Google while respecting PHI security. I love the fact that you can securely view Digital Imaging and Communications in Medicine (DICOM) files, like x-rays, ultrasounds, and CTs.
With Box you pay per user, and the minimum number of users for a business account is 3. It’s about $15 per user, so the minimum you’ll be paying is $45 per month, which is expensive compared to other cloud storage platforms.
Box has created its HIPAA offering with the healthcare business in mind. Box says it offers “HIPAA-compliant access to critical documents in the exam room or on-the-go”. You have peace of mind when you use Box, as it has been HIPAA compliant since 2012. Box offers a “Box for Healthcare” service that integrates seamlessly with IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health apps. As always, you’ll need to obtain a BAA from Box before you can consider the service HIPAA compliant.
- View DICOM files
- Feature rich
- HIPAA compliant
- Integrate with professional healthcare apps
- Advanced reporting tools
- Works on any device
- Configuration required
4. Tresorit
Tresorit is a European cloud storage solution. It offers end-to-end encryption and Swiss privacy, and claims to be the most secure place for your files in the cloud – but is it?
Tresorit is HIPAA compliant and allows secure file storage and sharing. It encrypts data using 256-bit keys on your device, before anything is uploaded. Tresorit has a secure file transfer method that has the added benefit of looking professional: healthcare providers can send sensitive medical files securely via branded folder links.
It also has some nice features; for example, you can track activity on shared files and add your institution’s branding. Tresorit offers a 1TB Business account that can be used by up to 10 people in your organization for just $10 per month. You can give it a go for free for 14 days.
- Easy to use
- 14-day free trial
- HIPAA compliant
- Feature rich
- Not unlimited space
5. Carbonite
You might not have heard of Carbonite, but it is in fact a popular cloud storage company with a particular focus on security. Plus, it has been around since 2005 and now has over 1.5 million users, which is reassuring. You’ll need a “Carbonite Safe Backup Pro” or “Carbonite Safe Server Backup” plan to take advantage of Carbonite’s HIPAA compliance.
Carbonite abides by the Massachusetts Data Security Regulation (201 CMR 17) and takes all of the necessary steps to help its customers comply with HIPAA. You’ll need to request a BAA from the sales team via phone or email to get that set up.
Payment for Carbonite is based on organization size. So you’ll pay more if you have a larger organization, but not for each individual user, as you do with Box. Access to Carbonite starts at $249.99 per year and goes up to around $1299.99 for large companies. This could work out well if you have a lot of users to add to the cloud storage plan.
- Established for a long time
- HIPAA compliant
- Massachusetts Data Security Regulation (201 CMR 17)
- Pay one organization-wide fee
- No automatic BAA signing; the BAA must be requested from sales
6. Rackspace
Rackspace offers cloud storage solutions for a wide range of risk and compliance issues. Given the cost of non-compliance, it’s always good to get that aspect of your business organized. Rackspace makes you feel like it takes the stress out of stringent audits, as it offers products for just about every regulation and certification.
However, how data is handled at the institution level is still important. Rackspace does have certified security experts that you can speak to for help with compliance issues, and encourages customers to get in touch to “start the conversation”. Rackspace is great for people who are looking for more guidance in the area of HIPAA.
- Experts in compliance
- HIPAA compliant
- You need to contact Rackspace to set up your account
7. Google Drive
Unless you’ve been living under a rock, you’ll know about Google and its product Google Drive. Google Drive is a cloud hosting service that comes bundled with your Gmail account: if you have a Gmail account, you have access to Google Drive. You’ll also automatically get up to 15MB of storage free of charge.
Bear in mind that not all of the features in the Google Drive suite are HIPAA compliant. However, the basic Google cloud programs like Sheets, Docs and Slides can be fully compliant. To make your Google Drive account HIPAA compliant, you’ll need to request a BAA from Google.
PHI security can be managed by changing file permissions. Google Drive is really easy to use and cheap too! You get 30GB for just $5. The only real concern I would have with using Google Drive is that Google employees have the right to take a peek at your data, which might not sit well with patients if they found out.
- Easy to use
- Privacy issues with Google
- Not unlimited storage
8. Microsoft OneDrive
Microsoft OneDrive is HIPAA compliant and is a good choice for healthcare organizations. Microsoft states that, despite there being no official certification for HIPAA or HITECH Act compliance (at present), “Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification”, which is certainly reassuring.
To make your OneDrive account HIPAA compliant, you’ll need to request a BAA from Microsoft. Microsoft encourages healthcare providers to deploy an Azure PaaS solution to securely ingest, store, analyze, and interact with health data. It provides a HIPAA/HITRUST Blueprint as well as comprehensive documentation on HIPAA data and the platform’s AI capabilities.
Make sure to choose the OneDrive for Business solution rather than the consumer package, because the consumer package isn’t HIPAA compliant. Again, you’ll need to sign a BAA with Microsoft to make OneDrive HIPAA compliant.
- Easy to organize files
- Secure collaboration tools
- Files are individually encrypted
- Like Google – Microsoft reserves the right to look at your data
In all instances, you’ll need to get a Business Associate Agreement (BAA) signed by the cloud storage company as part of your HIPAA compliance. When looking for a HIPAA-compliant cloud storage provider, I particularly like companies that have a healthcare focus or a compliance focus.
Box is a good option if you don’t mind the cost. Dropbox is great, as it offers unlimited storage and is cheap as chips. Atlantic.net is also good, as it knows all about compliance issues. Google Drive and Microsoft reserve the right to view your files, so you might not want to go with them if security is your focus.