HIPAA-Compliant Cloud Storage: How to Provide Security?

HIPAA-compliant cloud storage services undoubtedly benefit healthcare organizations and providers in storing and accessing electronic records and ePHI. For example, nothing has to be kept on local machines: everything is stored in one place, so records don’t end up scattered. In addition, the only thing needed to access ePHI is an internet connection.

However, things aren’t as easy as they appear for healthcare organizations and providers. Covered entities (CEs) must choose HIPAA-compliant cloud storage to manage their patients’ electronic health records securely. It is not even a matter of ethics: CEs can be severely punished for non-compliance. So they should take the choice of a 100% compliant solution that meets all their requirements very seriously.

But how is it possible to find the appropriate platform? And can cloud storage be secure enough to share, store and manage ePHI? Let’s see!

What is HIPAA-Compliant Cloud Storage?

In the fast-changing IT landscape, it’s essential to keep up with the latest technology trends, such as cloud solutions. Moreover, they are expected to become the IT-infrastructure benchmark underlying the continued development of electronic health records and large-scale data analysis.

Generally, cloud storage is a cloud computing model in which data is stored over the internet with a cloud computing provider, which offers data storage as a service. HIPAA-compliant cloud storage performs the same functions but is adjusted to the requirements of HIPAA-covered entities (CEs). As a result, healthcare organizations and providers can’t simply choose any cloud storage to manage their patients’ ePHI. Instead, covered entities (CEs) should use HIPAA-compliant cloud storage software to keep the health data secure and reliable.

On the other hand, it is hard to tell whether cloud storage software is HIPAA-compliant, as there is no formal HIPAA or HITECH certification. Individual service providers can, however, adjust their products’ functions to the needs of HIPAA-covered organizations. In that case, HIPAA compliance depends on both sides of the collaboration. So healthcare providers and organizations should pay close attention when choosing a compliant solution for their business requirements.

How Does HIPAA Treat Cloud Storage?

When entering into a relationship with a HIPAA-compliant cloud storage solution, the provider of the service is a business associate (BA) of the covered entity (CE) that uses it. Therefore, as with any other HIPAA-compliant software, it is necessary to sign a business associate agreement (BAA). This agreement should cover:

  • The secure transmission of data to the cloud
  • The safe storing of data
  • Providing a mechanism of thorough access monitoring
  • Recording both successful and unsuccessful attempts to access data and log in

So, HIPAA-compliant cloud storage should cover all these points and ensure the security, privacy, and integrity of ePHI. Covered entities (CEs), for their part, must develop the policies and procedures governing the safe use of HIPAA-compliant cloud storage for this data.

What Isn’t a HIPAA-Compliant Cloud Storage Solution?

Some cloud storage services cannot serve HIPAA-covered organizations because they don’t offer a business associate agreement (BAA) to covered entities (CEs). For instance, Apple Inc.’s iCloud is not HIPAA-compliant. Other services lack certain security capabilities, e.g. data classification. Thus, covered healthcare organizations and providers can’t use such solutions to store ePHI.

Why is Classification of Data Important?

Data classification matters first because ePHI must be recorded and grouped according to its level of sensitivity; only then can a healthcare organization provide the privacy, security, and integrity of ePHI required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Data classification also enables healthcare organizations to:

  • Prioritize security measures
  • Defend assets of critical importance
  • Control risk better (by estimating the significance of data and the impact of its loss, misuse, or compromise)
  • Simplify the legal duty to disclose information
  • Improve user productivity
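As an added example (not code from the original article or from any product it mentions), the following Python sketch ties together two of the points above: the BAA requirements for access monitoring and for recording both successful and unsuccessful access attempts, and the role of data classification. It classifies a record by sensitivity from the fields it carries, derives the safeguards that level demands, checks a user’s clearance against the record’s level, logs every attempt with its outcome, and flags a user whose denials within a short window reach a threshold. The level names, field lists, users, records and thresholds are constructed assumptions, not HIPAA terms or any vendor’s defaults.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Sensitivity scale, least to most sensitive. The level names are a constructed
# example; HIPAA does not prescribe a scale.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Field names whose presence makes a record ePHI (constructed sample lists).
PHI_FIELDS = {"ssn", "mrn", "diagnosis", "date_of_birth", "insurance_id"}
CONTACT_FIELDS = {"patient_name", "email", "phone"}


def classify(record: dict) -> str:
    """Return the sensitivity level of a record from the fields it carries."""
    keys = {k.lower() for k in record}
    if keys & PHI_FIELDS:
        return "restricted"
    if keys & CONTACT_FIELDS:
        return "confidential"
    if "internal_note" in keys:
        return "internal"
    return "public"


def required_controls(level: str) -> dict:
    """Map a sensitivity level to the safeguards the storage must provide."""
    rank = LEVELS[level]
    return {
        "baa_required": rank >= LEVELS["restricted"],   # ePHI may only go to a BA
        "encrypt_at_rest": rank >= LEVELS["confidential"],
        "encrypt_in_transit": rank >= LEVELS["internal"],
        "audit_access": rank >= LEVELS["internal"],
    }


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    user: str
    record_id: str
    action: str
    outcome: str   # "success" or "denied"
    level: str     # sensitivity of the record that was touched


class AccessMonitor:
    """Enforces clearance-vs-classification and records every attempt."""

    def __init__(self, clearances: dict, failure_threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)):
        self.clearances = clearances          # user -> highest level they may read
        self.failure_threshold = failure_threshold
        self.window = window
        self.log: list[AuditEntry] = []
        self._failures = defaultdict(deque)   # user -> timestamps of recent denials

    def access(self, user: str, record_id: str, record: dict,
               now: datetime, action: str = "read") -> bool:
        level = classify(record)
        clearance = self.clearances.get(user, "public")
        allowed = LEVELS[clearance] >= LEVELS[level]
        outcome = "success" if allowed else "denied"
        # Both outcomes are logged: the BAA requirement asks for successful and
        # unsuccessful attempts alike.
        self.log.append(AuditEntry(now, user, record_id, action, outcome, level))
        if not allowed:
            recent = self._failures[user]
            recent.append(now)
            while recent and now - recent[0] > self.window:
                recent.popleft()          # drop denials outside the window
        return allowed

    def flagged_users(self) -> list:
        """Users whose denials inside the window reached the threshold."""
        return sorted(u for u, q in self._failures.items()
                      if len(q) >= self.failure_threshold)

    def denied_count(self) -> int:
        return sum(1 for e in self.log if e.outcome == "denied")


def demo() -> dict:
    """Run the monitor over constructed records and return a summary."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    monitor = AccessMonitor({"dr_lee": "restricted", "billing": "confidential"})
    chart = {"mrn": "MRN-0001", "diagnosis": "example"}             # ePHI
    contact = {"patient_name": "J. Doe", "email": "j@example.org"}  # contact data
    results = [
        monitor.access("dr_lee", "chart-1", chart, t0),
        monitor.access("billing", "contact-1", contact, t0 + timedelta(minutes=1)),
    ]
    # Three denied attempts by the billing user within five minutes.
    for i in range(3):
        results.append(monitor.access("billing", "chart-1", chart,
                                      t0 + timedelta(minutes=2 + i)))
    return {"results": results, "flagged": monitor.flagged_users(),
            "denied": monitor.denied_count(), "entries": len(monitor.log)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the audit entries would be written to append-only storage outside the reach of the users being monitored, and the clearance table would come from the identity provider rather than a literal; the point of the sketch is that classification drives both the control set and the access decision, and that the log captures denials as well as successes so that repeated failed attempts become visible.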

Why Should Healthcare Providers Use HIPAA-Compliant Cloud Storage?

The answer could sound quite simple. HIPAA-compliant cloud storage solutions provide a comprehensive range of tools for healthcare providers and organizations to comply with HIPAA. So there is no need to jump from one piece of software to another and wonder whether your patients’ ePHI is secure: everything is provided in one solution. In addition, HIPAA-compliant cloud storage platforms offer a cost-friendly, extended storage toolset that helps healthcare organizations and providers build an agile infrastructure that meets tomorrow’s requirements.

But it is not only a matter of meeting current requirements. HIPAA violations and non-compliance can lead to severe financial penalties that affect your company’s budget and your reputation as a health or medical services provider. So, to avoid penalties for HIPAA violations while storing your data in the cloud, choose your HIPAA-compliant cloud storage provider, your business associate (BA), carefully.

What are the Penalties for Non-Compliance?

According to HIPAA, every healthcare worker of a covered entity (CE) is responsible for securing their patients’ protected health information (PHI) and keeping all electronic health records safe. Non-compliance with these HIPAA requirements may lead to severe financial penalties imposed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

After the introduction of the HITECH Act, penalties for HIPAA violations were raised considerably. The price of a single breach rose from 100 dollars to about 250K dollars, and a repeat offense carries a fine of more than 1 million dollars. You can read more about the impact of the HITECH Act on HIPAA legislation in our recent article.

So there is no way to neglect the choice of your HIPAA-compliant cloud storage provider, as the security of your patients’ data and your company’s well-being and reputation directly depend on it.

How to Ensure Security of PHI in HIPAA-Compliant Cloud Storage?

As mentioned above, under the HIPAA legislation, a cloud storage provider has to become a business associate (BA) of a particular covered entity (CE) to provide the cloud storage services. So, the only proper way to make sure that your cloud storage services provider is HIPAA-compliant is to sign a business associate agreement (BAA) with them.

About BAA

The Department of Health and Human Services (HHS) states that covered entities (CEs) can use cloud storage providers’ services, but first they need to sign a business associate agreement (BAA). When a provider refuses to sign this agreement, the relationship can’t be considered HIPAA-compliant. And this is actually common, as many popular services don’t enter into a BAA with HIPAA-covered entities.

In our guide, “How to Sign the Business Associate Agreement Duly under the HIPAA?”, you can learn more about the proper signing of the business associate agreement (BAA).

In short, CEs and their BAs should jointly implement security measures such as data backup and recovery methods, so that attacks and emergencies can be addressed; access controls to keep unauthorized parties out; and access monitoring and audit controls.

In addition, even though HIPAA doesn’t mandate any particular method or tool for storing data in the cloud, encryption is always welcome. It raises the level of data security in the cloud, since it makes PHI unreadable and therefore unusable by unauthorized users. HHS states in its guidance that data should be encrypted both at rest and in transit, and points out that encryption methods should meet National Institute of Standards and Technology (NIST) standards.

Thus, a HIPAA-compliant cloud storage service provider should undertake all the measures mentioned above to comply with the HIPAA Security Rule. Nevertheless, it’s vital to sign the BAA with the provider before uploading any sensitive data to cloud storage.

The Best HIPAA-Compliant Cloud Storage Solutions

We’ve prepared a list of storage solutions to ease the agony of choosing the right HIPAA-compliant cloud storage solution for your business needs. There you can also find cloud solutions with a brief overview, pros and cons, reviews, and ratings. So there’s no need to search everything on your own: click on whatever solution you like, compare, contrast, and decide!

Here is a short review of three HIPAA-compliant cloud storage solutions that received the highest marks from our users. We’re sure these tools will meet any business requirement. So, here you are:

1. Dropbox

This cloud storage system provides a business associate agreement (BAA) to CEs and offers HIPAA-compliant cloud storage for sensitive health data. In addition, the tool offers various means of supervisory oversight, including user access and activity reports. Dropbox also lets you review and remove connected devices and enable two-step verification for better security.

2. Box

This solution includes access monitoring, reports, and audits for users and content. It also offers granular permissions and authorization. The tool helps users share files safely through direct messaging and lets them view DICOM files securely. These files include X-ray images, computed tomography scans, and ultrasound examinations.

3. Cloudian

This Silicon Valley-based tool allows organizations to store, search, and secure data across sites within a cloud storage environment. In addition, Cloudian has comprehensive safeguards, such as FIPS 140-2 and Common Criteria validation, and compliance certifications for SEC 17a-4, FINRA, CFTC, etc.

To sum up, HIPAA-compliant cloud storage is a new reality for covered entities (CEs). Although not all cloud storage services cater to HIPAA-covered organizations, many such services are available. But before handing your patients’ electronic protected health information (ePHI) to a cloud service provider, it’s vital to sign a business associate agreement (BAA); without this contract, the relationship can’t be considered HIPAA-compliant. And while signing the agreement, both parties must clearly remember their mutual responsibility for protecting patients’ ePHI. Data encryption is a good choice to be on the safe side in this situation.

So, healthcare organizations and providers must remember that the privacy and security of their patients’ ePHI and electronic health records are ultimately their own responsibility. Hence it’s essential to choose an appropriate HIPAA-compliant cloud storage service provider carefully and to keep in mind the size of the penalties for violations.

If you have any questions regarding the choice of HIPAA-compliant cloud storage for your business, feel free to contact us!