HIPAA-compliant cloud storage implements the guidelines of the U.S. Health Insurance Portability and Accountability Act (HIPAA). These guidelines ensure the protected health information (PHI) in a cloud is portable, available to healthcare practitioners, error-free, and has access control policies and standards in place.
When providing HIPAA-compliant cloud storage, you should conduct a risk assessment and ask any cloud storage provider(s) under review to conduct one as well. Prospective providers should also answer the following questions:
- Do they own their infrastructure? If not, does the underlying infrastructure provider also meet compliance requirements? Is its staff vetted?
- Is data encrypted in transit and at rest? In the U.S., data must be encrypted to HIPAA standards when it is uploaded to the storage server(s), while it resides on the storage server(s), and when it is removed or downloaded from the cloud.
- Are data and equipment physically isolated and protected?
- If the provider operates a multi-tenant environment, what controls prevent data from becoming commingled or another tenant from gaining access?
- Is the cloud colocated in a SAS 70 Type II or an SSAE 16 audited facility?
Once a cloud storage provider has been selected, it should sign a HIPAA Business Associate Agreement (BAA). This agreement details how the business associate will report and respond to a data breach, and how it will respond to audits and other investigations conducted by the Office for Civil Rights (OCR).