Options for HIPAA compliant cloud storage

“What are my options for HIPAA compliant cloud storage?”

In recent years, cloud storage has grown in both capability and popularity. Its convenience is undeniable: the ability to reach your data from anywhere, on any device, kept in sync everywhere. But can medical providers and their business associates use these services to store protected health information (PHI)? What does it actually mean for a cloud storage service to be HIPAA compliant, and which services fit the bill?

A few things are essential when choosing a HIPAA compliant cloud storage provider. You need to be choosy, because putting your data “in the cloud” makes HIPAA-level security harder to achieve: the PHI is completely out of your hands, stored on someone else’s network. You need to be certain that it is properly encrypted, so that a breach at the provider exposes ciphertext rather than readable PHI. (Under the HHS breach notification guidance, PHI encrypted to the referenced NIST standards is not “unsecured” PHI, which is exactly why encryption is the control that matters most here.)

So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:

  • Dropbox – The most popular and arguably the most polished of the cloud storage providers, Dropbox is usually the first name people think of when they hear “cloud storage.” Unfortunately, Dropbox is not HIPAA compliant. HIPAA would require that every part of a PHI file, including its name, which can itself carry identifying information (think of a file called “smith-john-hiv-results.pdf”), be encrypted and private. Dropbox keeps file metadata, including the file name, where the service can read it, so that metadata is not protected. It also lacks the audit controls that HIPAA demands.
  • Amazon S3 – Amazon S3 on its own is not HIPAA compliant, but AWS as a whole can be used to build HIPAA compliant cloud storage. Unfortunately, it won’t be easy. AWS is not HIPAA compliant “out of the box”: Amazon will give you dedicated servers and sign a HIPAA business associate agreement, but encryption, access control, logging and the rest of the safeguards are up to you. That may be more than you want to take on alone, but if you have an IT professional to work with, it is worth a look.
  • iCloud – Apple will not sign a business associate agreement (BAA), and there is no way for you to verify how your information is protected in its cloud, so keep your PHI away from this service.

So now that we’ve eliminated many of the most popular go-to cloud storage services, what’s left? Are there any HIPAA compliant cloud storage providers?

Thankfully, there are. Some of the most notable include:

  • Google Drive – As of September 2013, Google Apps for Business allows the domain administrator to sign a BAA covering Gmail, Google Drive, Google Calendar, and Google Vault. If the administrator disables all other Google services for the domain and the business keeps appropriate password policies and similar controls in place, Google Drive is a viable choice for HIPAA compliant cloud storage.
  • Microsoft Office 365 – Microsoft will also sign a BAA covering mail, file storage, calendars, and other parts of its online offering. It also provides an impressive set of data loss prevention controls for outbound email.
  • Box – Box meets all of the security and encryption requirements set forth by HIPAA and is willing to sign a business associate agreement. You can find more detailed information on their compliance on their website.
  • Egnyte – Egnyte advertises its service as HIPAA compliant and is willing to sign a BAA. However, concerns have been raised about its level of security (in particular, in a 2012 blog post from a healthcare IT provider), so proceed with caution.
  • Symform – Symform is an enterprise cloud storage service that will sign a BAA and claims to be HIPAA compliant, with a particular focus on backup and disaster recovery. Its site has more detail and links to several whitepapers describing how Symform can be used to store or back up PHI.

Do not take storing data “in the cloud” lightly. Even with a signed business associate agreement, the burden is still on you to make sure your data is secure while it is hosted at a HIPAA compliant cloud storage provider. For example:

  • The path data takes onto the cloud servers must be encrypted (transport encryption such as TLS, not plain FTP or HTTP).
  • Your data must be encrypted while it sits on the cloud servers, and you should know who holds the keys.
  • The path data takes back out of the cloud servers must be encrypted as well.
  • Any data downloaded from the cloud servers must be protected on the device it lands on (for example, with full-disk encryption and access controls on that device).
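The list above says what you still owe even with a BAA in hand. The Go program below is an added example, not code from the original post or from any of the vendors it names; it shows the one piece you can do regardless of provider: encrypt each file, together with its name (the metadata concern raised about Dropbox earlier), under a key only you hold before it leaves your machine. The provider then stores opaque bytes under an opaque name, and a download that has been altered or swapped for another blob fails to decrypt. The master key, the file name and the file contents are constructed for the demonstration, and the function names (BlobName, EncryptForUpload, DecryptFromDownload) are this example’s own. Transport encryption and protection of the downloaded copy are still the job of the upload tool and the endpoint.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// subkey derives a domain-separated 32-byte key from the customer's master key
// with HMAC-SHA256. The master key stays with the customer, never the provider.
func subkey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// aead builds the AES-256-GCM cipher used to seal file contents.
func aead(master []byte) (cipher.AEAD, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be 32 bytes")
	}
	block, err := aes.NewCipher(subkey(master, "content-key"))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BlobName is the opaque identifier the provider sees instead of the real
// file name. It is deterministic, so the client can find a file again without
// keeping an index, but reveals nothing without the master key.
func BlobName(master []byte, name string) string {
	return hex.EncodeToString(subkey(master, "blob-name:"+name))
}

// EncryptForUpload seals name and contents together as
// nonce || AES-GCM(2-byte name length || name || contents). The blob name is
// bound as associated data, so a blob renamed or swapped server-side will not open.
func EncryptForUpload(master []byte, name string, contents []byte) (string, []byte, error) {
	if len(name) == 0 || len(name) > 0xFFFF {
		return "", nil, errors.New("file name length out of range")
	}
	g, err := aead(master)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per upload
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	payload := make([]byte, 0, 2+len(name)+len(contents))
	payload = append(payload, byte(len(name)>>8), byte(len(name)))
	payload = append(payload, name...)
	payload = append(payload, contents...)
	id := BlobName(master, name)
	return id, g.Seal(nonce, nonce, payload, []byte(id)), nil
}

// DecryptFromDownload authenticates and opens a blob fetched back from the
// provider. A flipped bit, a wrong blob name or a wrong key all fail closed.
func DecryptFromDownload(master []byte, id string, blob []byte) (string, []byte, error) {
	g, err := aead(master)
	if err != nil {
		return "", nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns+g.Overhead()+2 {
		return "", nil, errors.New("blob too short")
	}
	payload, err := g.Open(nil, blob[:ns], blob[ns:], []byte(id))
	if err != nil {
		return "", nil, errors.New("authentication failed: blob tampered with, swapped, or wrong key")
	}
	n := int(payload[0])<<8 | int(payload[1])
	if len(payload) < 2+n {
		return "", nil, errors.New("malformed payload")
	}
	return string(payload[2 : 2+n]), payload[2+n:], nil
}

func main() {
	// Constructed demo key; a real deployment keeps it in a KMS or hardware token.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	id, blob, err := EncryptForUpload(master, "patient-1234-lab-results.pdf", []byte("constructed sample PHI"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores: %s (%d opaque bytes)\n", id, len(blob))
	name, contents, err := DecryptFromDownload(master, id, blob)
	fmt.Printf("client recovers: %s %q err=%v\n", name, contents, err)
}
```

Two caveats a practitioner should weigh before using this pattern: because blob names are deterministic, the provider can tell that two uploads share a file name (though not what it is), and because each upload draws a fresh random 96-bit GCM nonce, a very high-volume deployment should count uploads per key and rotate long before nonce collisions become plausible. Losing the master key loses every file, so key backup and escrow deserve the same care as the data.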

8 Responses to Options for HIPAA compliant cloud storage

  1. Shimon Lazarov December 12, 2013 at 11:55 pm

    I just wanted to say that Sookasa is a good option for using Dropbox in a HIPAA compliant way. They create a secure folder within Dropbox and all the files placed in that folder are encrypted, audited, etc… They give you a 30 day free trial and will sign a BAA.

    • Josh Ablett December 17, 2013 at 2:28 pm

      Thanks Shimon! Your product looks fascinating. Can you share the reason for only signing a HIPAA Business Associate Agreement for top-end customers? If PHI is going through your system, I would think all providers would need you to sign a BAA. Thanks again for sharing!

      • Shimon December 17, 2013 at 6:51 pm

        Hi Josh,

        We sign BAAs with all customers who require it from us. It is included in the $150/user/year plan. You are right though – we should update the pricing page of our website…

  2. Josh Ablett December 17, 2013 at 3:40 pm

    Another company just contacted Adelia Risk with a recommendation that we check out WatchDox (http://www2.watchdox.com/). We’d love any feedback people have with using WatchDox — feel free to send us an email or post a comment here.

  3. Dave January 31, 2014 at 7:29 pm

    I know this article is a bit dated, but it remains relevant, so I thought I’d chime in. I have been using Sookasa on top of my Dropbox account for almost a year. The service is very reliable, and easy to navigate. As long as it does what it claims to be doing behind the scenes, I give it a big thumbs up.

  4. Sara James May 13, 2014 at 4:02 pm

    Think before you go into the cloud. First things first: is your data safe there, or is cloud storage notoriously insecure? One of the common causes of losing data is laptop or mobile theft. I lost two laptops in a year and unfortunately lost the data with them too. Since then I have moved towards encryption. I use Data Protecto to encrypt my files and then share them or upload them to the cloud. This way I am able to keep my data, and the best part is I don’t have to worry about carrying a laptop anywhere.

  5. Tanya Martin November 30, 2014 at 5:37 pm

    Being choosy about which cloud service to go with for HIPAA is essential. For HIPAA-compliant levels of security, where you can be absolutely sure that your data is properly encrypted in case of a breach, I would suggest going with Logicworks’ cloud computing solutions. Logicworks addresses a range of security and compliance concerns faced in the healthcare industry. http://www.logicworks.net


  1. HTC » Dropbox in healthcare: A love-hate thing - December 1, 2013

    […] Boston-based security consultant Josh Ablett explained in a blog post this past month, even though Dropbox is “The most popular and arguably the most well-developed of the cloud […]
