These cloud storage providers are HIPAA compliant

Cloud storage use in the healthcare industry is growing because it offers a range of economic benefits. At the same time, concerns about data theft and corruption are growing too, and this is where HIPAA compliance becomes important.

Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its Security Rule, organisations that store electronic protected health information (ePHI) should implement a mechanism to encrypt and decrypt it (the Security Rule lists encryption as an addressable implementation specification, meaning a covered entity must either implement it or document why an equivalent alternative is reasonable). This applies not only to data stored on in-house appliances but also to information stored in the cloud, where the provider is acting as a business associate and must sign a Business Associate Agreement (BAA).

So, for healthcare companies looking to store sensitive information on public clouds, here is a list of cloud storage providers that are HIPAA compliant, or can be configured to be.

Microsoft Azure- Microsoft has officially announced that Azure Government, Microsoft Dynamics CRM Online and Dynamics CRM Online Government, Microsoft Intune, and Microsoft Office 365 and Office 365 U.S. Government are compliant with the HIPAA and HITECH acts. Healthcare companies willing to move their content to the cloud can use these platforms for their PHI storage needs.

Amazon- Amazon Web Services does not designate an individual service such as Amazon S3 as "HIPAA compliant" on its own, but AWS can be used to build HIPAA compliant cloud storage. AWS signs a Business Associate Agreement (BAA) with customers; under it, PHI is processed on dedicated instances and stored using the encryption features AWS provides, and the customer remains responsible for configuring those services correctly.

Box- Box states that it meets all the obligations required by HIPAA, HITECH and the final HIPAA Omnibus rule. Box signs BAAs for customers with an Enterprise or Elite account. Customers using Box cloud storage are responsible for configuring their accounts in a HIPAA compliant manner.

Dropbox- Dropbox is not a HIPAA compliant platform. Every part of a file containing PHI needs to be protected, including the file name, which can itself hold identifying information. Dropbox as a company has policies that render it non-compliant with HIPAA in a number of areas. For instance, Dropbox keeps file metadata, including the file name, which leaves that identifying information exposed. HIPAA also requires audit controls, which Dropbox does not offer. Dropbox does have its own security and privacy policies in place, which help maintain the integrity of every business user's data, but these do not amount to HIPAA compliance.

Google Drive- As of September 2013, Google Apps for Business allows a domain administrator to sign a BAA that covers Gmail, Google Drive, Google Calendar and Google Vault. Being HIPAA compliant is not as simple as opening an account on one of these services, but if the domain administrator disables all other Google services for the domain and enforces appropriate password policies and similar controls, Google Drive can be used for HIPAA compliant cloud storage. It is a tricky regulation to satisfy.

Egnyte- Egnyte's enterprise offering is aimed at businesses seeking HIPAA compliance, and Egnyte offers a BAA to each enterprise customer.

This list has been prepared from the resources available from the industry. If you feel a company is missing from the list, please let us know in the comments section below; we will review it and add it as soon as possible.

