Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

Is Your HIPAA Security Plan for Cloud Computing Bullet-Proof?

Summary:

When HIPAA laws were first established in 1996, large-scale cloud storage was in its infancy. Today, it would be hard to imagine business without cloud technologies. The HIPAA Privacy and Security Rules don’t directly address how to incorporate them into your compliance plan, however, this is where you could be vulnerable as healthcare data has […]

When HIPAA laws were first established in 1996, large-scale cloud storage was in its infancy. Today, it would be hard to imagine business without cloud technologies. The HIPAA Privacy and Security Rules don’t directly address how to incorporate them into your compliance plan, however, this is where you could be vulnerable as healthcare data has become increasingly more valuable to hackers.

Some of the most common uses of cloud services include

  • Storing files and retrieving them from any web-enabled interface;
  • Disaster recovery that is faster and more cost-effective than using fixed assets
  • Backup that never runs out of space

Cloud Storage

Cloud storage isn’t something you own, it’s something you use. It is provided by a third party; therefore, selecting the right service provider is of the utmost importance. If you turn to the cloud for these services, here are some of the things to consider if you are transferring or storing ePHI:

  1. Risk Assessment – You should include your cloud storage provider in your HIPAA Risk Assessment. This is an effective way to determine and document that your provider meets all of your HIPAA protocols.
  2. BA Agreement – Your storage provider must be willing to sign and abide by a Business Associate Agreement. If they won’t sign an agreement, it’s time to find a new cloud storage solution. Ask questions that validate the cloud provider understands the need to back-up data, protect the integrity of the information and have it available 24/7.
  3. Encryption – It’s not a question of do they encrypt data, but what standard do they use? Your provider should be using a minimum of 128-bit encryption and encrypt all files in transit, storage and rest. Verify the encryption keys are protected as well. As a best practice, the key management system should split the encryption key between at least two entities.
  4. Logging- Your provider should be able to produce a log of who accessed what files when. This is an important requirement for you to be HIPAA Compliant.
  5. Access Levels- Your provider should allow you to designate access levels for information. Not every employee needs access to every document, and this also allows you to deny access to employees that quit or are terminated.
  6. Audit Report – Cloud storage providers should produce an annual HIPAA audit report conducted by a reputable third party that you can review. Ideally the audit follows the Office of Civil Right HIPAA Audit Protocol.

Cloud computing is a trending solution that makes sense for most most practices and businesses. When used properly, it can help protect the PHI you store, and save you time and money on your path to HIPAA Compliance.

Have more questions about HIPAA Compliance, contact us here.

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Is Gmail HIPAA Compliant Email? – Well, It Can Be!

Is Gmail HIPAA Compliant Email? – Well, It Can Be!

To use Google Workspace with Protected Health Information (PHI), you must enter into a Business Associate Agreement (BAA) with Google. However, a signed BAA is only the first step. To satisfy the Office for Civil Rights (OCR) modernized Security Rule standards, Covered Entities must properly configure their email settings, utilize end-to-end encryption, and account for new tech, like integrated AI. This guide covers how to secure your Gmail account and the critical configuration steps required to maintain compliance.

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Yes, HIPAA protections continue long after a patient has passed away. Under the HIPAA Privacy Rule, Protected Health Information (PHI) remains safeguarded for 50 years following the date of death. During this time, the same privacy standards apply, though specific exceptions allow for disclosures to executors, funeral directors, and family members involved in the patient’s prior care.

HIPAA Compliance: A Constant Pulse, Not an Annual Event

HIPAA Compliance: A Constant Pulse, Not an Annual Event

Even though people talk about an “annual HIPAA audit,” compliance isn’t just a once-a-year task. To stay compliant, organizations can’t just “set it and forget it”; they need to constantly manage risks. Staying on top of things is the only way to be ready for an audit at any time.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)