Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

How to Ensure HIPAA Compliance While Storing PHI on the Cloud

For healthcare companies, cloud data storage is a popular and practical alternative. The worldwide Healthcare Cloud Computing industry is projected to expand at a 14 percent annual pace, reaching $40 billion by 2026.¹ Convenience, decentralization, and, in most cases, improved dependability and security are all advantages of cloud data storage.

The cloud provides a safe platform for businesses to host some or all of their computer infrastructure. Making use of cloud hosting companies’ cutting-edge technologies may offer greater security than an on-premises solution. Given that data protection is a key component of HIPAA regulations, the issue is whether HIPAA compliance can be achieved using a public cloud provider.

HIPAA Regulations: What Do They Require?

The security and privacy of protected health information (PHI) are at the forefront of HIPAA compliance discussions. PHI must be managed according to two major rules. The HIPAA Privacy Rule as well as the HIPAA Security Rule are the two rules. Some terminology must be explained in order to fully comprehend the intricacies of these rules and how they can best be observed.

  • Protected health information (PHI) refers to any medical data that includes identifiable components like a patient’s Social Security number and name. PHI that is kept digitally is referred to as ePHI (electronic PHI).²
  • Covered Entities are organizations that handle ePHI or PHI on a daily basis. The HIPAA standards, which are regulated by the US Department of Health and Human Services (HHS), must be followed by these organizations. Clearinghouses, health plans, and healthcare providers, such as health record transcription services are all Covered Entities.
  • Business Associates (BAs) assist Covered Entities in the management of PHI and ePHI. They must also adhere to HIPAA’s security and privacy standards.
  • The HIPAA Security Rule is the cornerstone of HIPAA regulations, outlining three sets of protections that must be followed when establishing policies and processes that handle PHI and ePHI.
    • Administrative safeguards describe how organizations document and implement rules to comply with the HIPAA Security Rule’s requirements. Employee training is included to ensure that employees are aware of what they may access and how they would utilize PHI.
    • Physical safeguards describe the physical restrictions that have been put in place in relation to any devices or storage spaces that hold personal information. It includes making sure third-party specialists needed to repair PHI-storing equipment are properly trained, ensuring that changed or obsolete ePHI media is safely destroyed, and restricting access to devices with ePHI to authorized personnel.
    • The technological features of computers and devices used to transmit or store ePHI securely are referred to as technical safeguards. At the very least, systems must incorporate improved network security, firewalls, and robust authentication methods. 

The Covered Entities and Business Associates who are required to follow HIPAA rules are very diverse. Small private clinics without in-house information technology (IT) assistance are among them. Large companies with specialized data centers are among the others. The requirement for a HIPAA compliant solution for processing PHI is something that these very diverse organizations have in common. For a solution, many of them go to the cloud.

A HIPAA Compliant Cloud Hosting Solution’s Ingredients

Medical software development has to comply with a number of regulatory guidelines.³ The cloud has emerged as a viable alternative for many businesses trying to comply with HIPAA regulations. However, not all cloud systems are capable of fulfilling the HIPAA Privacy and Security Rule’s protections. Some of the critical server characteristics needed to offer customers with a HIPAA compliant cloud hosting service are as follows:

1. Server Uptime Agreement

A high-availability infrastructure with an uptime service level agreement (SLA) will safeguard you if the operator fails to keep the system up and running. The majority of firms in the healthcare sector are unable to withstand a prolonged outage. Insisting on server uptime in the agreement helps to avoid unpleasant shocks later.

2. Security Firewall

The addition of a fully managed security firewall to the server hosting guarantees that unwanted access to your system is prevented. Next-generation firewalls (NGFWs), circuit-level gateways, application-level gateways (proxies), stateful inspection firewalls, and packet-filtering firewalls are the five primary kinds of firewalls, according to the US Department of Commerce’s NIST firewall guidelines as expanded by TechTarget.⁴ Making sure that only authorized employees have access to PHI is a key element of safeguarding its privacy and security. 

3. Location Dependence

It’s also crucial to get detailed information on the technology’s location. Hosting a server in eastern Europe, for example, may be troublesome if your business is located in the United States and your data gets hacked. If you allow your data to be kept in a foreign country, the laws of yours will not always protect you.

4. Data Encryption

HIPAA compliance necessitates the use of encrypted and robust virtual private networks (VPNs). To adhere with HIPAA regulations, data must be encrypted during transmission. Because you must either encrypt at rest or use an alternative, encryption at rest is also considered excellent practice.

5. Offshore Data Backups

To properly secure electronic health records and guarantee that systems generating ePHI can be restored promptly and without data loss in the event of a failure, onsite and offshore data backups are required. Offsite backups should be kept in the country where the business is situated. Backups must also be encrypted to prevent unauthorized users from accessing PHI stored on backup media.

6. Malware Protection

Anti-malware protection is an essential feature to look for in your cloud hosting providers. Maintaining a malware- and virus-free environment is critical to providing PHI with the degree of protection it needs.

7. Multi-Factor Authentication

Multi-factor authentication is more secure than using a basic user ID and password to get access to protected systems. This safeguard prevents the possibility of illegal access due to weak passwords.

8. Data Segregation

A HIPAA compliant environment must be separated from your cloud hosting provider’s other clients. Experienced suppliers are better equipped to create a secure environment that protects PHI while keeping you in compliance with HIPAA regulations. Avoid having your information kept on servers that are shared with other businesses when negotiating with a hosting provider to prevent contamination from neighbors. This is often referred to as shared hosting. If you use any software as a service (SaaS) solutions, be sure to inquire about how your data is segregated.

9. SSL certifications

Secure Sockets Layer (SSL) certificates are required for all servers, domains, and subdomains that include ePHI in your systems.

10. Signing BAAs

A Business Associate Agreement (BAA) is available to specify the responsibilities of your partners in safeguarding your PHI. This agreement does not absolve Covered Entities of their obligations to safeguard PHI, but it is helpful in defining the roles that each business plays in the case of a data breach.


The cloud may offer a secure and HIPAA compliant environment for generating PHI if done properly with the help of an expert provider. To guarantee that all bases are covered, get a checklist from a reputable provider. If a certain supplier is unable to fulfill the requirements outlined in the checklist, look for a better option that can provide the HIPAA compliant atmosphere you need.

Contributed by Rahul Varshneya.

Rahul Varshneya is the co-founder and president of Arkenea, a custom healthcare software development company. Rahul has been featured as a technology thought leader across Bloomberg TV, Forbes, and HuffPost, Inc., among others.

  1. Healthcare Cloud Computing Market to Hit US$ 40 Bn by 2026
  2. What is Protected Health Information (PHI)?
  3. What Are The Official Guidelines For Medical Software Development
  4. The 5 different types of firewalls explained

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.

Want to know more about how you can become HIPAA compliant?

Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)