Article by Marlene M. Maheu, Ph.D.
As computer hard drives are getting overloaded with information, behavioral professionals are beginning to wonder which companies to trust with their client/patient information. Many data storage companies have developed robust services that clearly identify their status with regard to HIPAA compliance. This article then, is about several such companies, and a couple more who fail to pass muster.
While it is always possible to purchase an external hard drive to store your excess data, you may decide that cloud storage affords you many advantages, including the ability to access your data anywhere, anytime and from any device. Another big advantage to cloud storage with a proper service is their ability to help you protect your information from theft, corruption and inaccessibility. They should also offer you the legal protections of Business Associate’s Agreements (BAA) to safeguard “Protected Health Information” (PHI) if you are a covered entity – and even if you are not.
See my earlier blog posts about many states requiring privacy and security of client an patient data beyond those needed by HIPAA. Related HIPAA rules also require a few other processes that have to do with your policies and practices and not just the standards needed for technology you might purchase. Read below.
Companies that Claim to Offer HIPAA Compliant Services
Amazon – Amazon S3 is not HIPAA compliant out of the box, but Amazon AWS can be used to create HIPAA-compliant cloud storage. Amazon gives you dedicated servers and a BAA, but you have to configure it yourself. This white paper is available for directions on how to create HIPAA-compliant information processing systems in the Cloud. The paper focuses on the HIPAA sections: The Privacy Rule and The Security Rule, and how to encrypt and otherwise protect your data.
BlackBlaze – This service allows you to store and protect then restore a single file, a folder or all your backed up files from a web browser for free. There is an option to have a 128 GB flash drive FedEx to you or an external drive up to 3 TB for an additional fee. You can also access your files with the iPhone app. Here is their security page. Mac users will be happy to note that this software is accessible from Mac or IOs systems.
Box – This service claims to meet the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling. They signs BAA addendums for customers who have an Enterprise or Elite account. As with some of the other services in this group, customers are responsible for configuring Box in a HIPAA compliant manner and for enforcing policies in their organizations to meet HIPAA compliance. Details of HIPAA and HITECH compliance are here.
Carbonite ProPlan – This service is available for businesses that need protection for unlimited computers and HIPAA Compliance.
CareCloud – Uses security data centers in multiple locations and protected by armed security personnel. Having your data securely stored in multiple places eliminates the risk of catastrophic data loss due to natural disaster, theft or sabotage. See their security information here.
Crashplan – CrashPlan PRO boasts an easy-to-use desktop and uses 448-bit Blowfish encryption, one of the most robust encryption methods available. Files are encrypted before they leave your computer and then transferred to their servers using 128-bit Advanced Encryption Standard (AES) protocol.
Egnyte – Egnyte’s “enterprise” product is for businesses seeking HIPAA compliance. They are willing to sign a BAA.
Google Drive – As of September 2013, Google Apps for Business allows a domain administrator to sign a BAA that covers Gmail, Google Drive, Google Calendar, and Google Vault. Being HIPAA-compliant isn’t as easy as opening any one of these accounts on any one of these services, but if your domain administrator can disable all other Google Services from the domain and make sure you keep appropriate password policies, etc, then Google Drive can be rendered HIPAA compliant for cloud storage.
Symform – Focusing especially on backup and disaster recovery, Symform is another enterprise cloud storage service that is willing to sign a BAA and claims to be HIPAA compliant. They provide several links to several whitepapers on their site.
What about DropBox and iCloud?
iCloud –Apple refuses to sign a BAA, so your information is not protected or compliant with your requirement by HIPAA in iCloud. This service might be useful for storing
Dropbox– Dropbox is not HIPAA compliant. A close reading of HIPAA will show that it requires all aspects of a PHI file — even the name, which can potentially hold identifying information — be encrypted and private. Dropbox as a company has policies which render it non-compliant with HIPAA in a number of areas. For instance, DropBox keeps “metadata,” which includes the file name, rendering it insecure. HIPAA also requires audit controls, which DropBox does not offer.
What Else?
HIPAA also makes it clear that your obligations as a covered entity do not just stop at selecting an appropriate service. The HIPAA Omnibus Rule of January 2013 states that even with a signed BAA, the burden falls on you to secure your data, even when hosted at a HIPAA compliant cloud storage provider. You also must be in compliance with any local, state requirements that supersede HIPAA. Several states have such requirements, including California, Texas and other “consumer protection” states in the US. Many non-US countries have comparable requirements.
These are the some of the processes that must be encrypted to standards defined by HIPAA in the US:
How you upload data into your storage server(s) must be encrypted to HIPAA standards.
While on the storage server, your data must be encrypted to HIPAA standards.
How you remove data from the cloud must be encrypted to HIPAA standards.
All data downloaded from the cloud must be encrypted to HIPAA standards.
How can you go wrong?
This is an area where what you don’t know can hurt you. HIPAA requires that you know what you are doing and that you conduct regular risk assessments. The Office for Civil Rights and the Office of the National Coordinator for Health IT have released a free tool to help you assess this risk. See our TMHI blog post about this risk assessment tool. Ignorance is not a defense.
Let’s say you store files on any one of the popular storage companies and arrange to receive email notification that your file has properly been transferred or stored. If you receive that notice in your non-encrypted email box, you have created a vulnerability. Those security vulnerabilities are how you can inadvertently create HIPAA violations.
As we teach in our Certificate training program, as the covered entity, you need to be in compliance with HIPAA on many fronts, including the services you buy, how you assess your risk, and the HIPAA policies you develop.