Many of our customers have come to us with questions about HIPAA-compliant cloud storage. There’s a lot of marketing rhetoric online about HIPAA-certified Cloud Service Providers (CSPs) and other types of certified providers for that matter. First of all, there is no such thing as an official HIPAA certification. The Department of Health and Human Services (HHS), the organization that enforces HIPAA, does not provide HIPAA certifications, nor does it require them. This doesn’t mean that a CSP cannot be HIPAA-compliant, only that HHS does not guarantee their compliance. Also, no matter what type of certification a CSP claims to have, compliance is ultimately up to you, the “covered entity” or health services provider.
According to HIPAA, health services and health insurance providers must verify that a CSP and any third parties they might use are HIPAA compliant. Covered entities, or CEs under HIPAA, should request documentation from a service provider that shows how they will protect Personal Health Information (PHI) and prove compliance. These documents can include third party audit reports or documentation of the CSP’s processes and security features. Another important step in ensuring a CSP remains HIPAA complaint is to make sure they sign a BAA or Business Associate Agreement that clearly outlines the division of compliance responsibilities. We put together a short infographic on HIPAA-Compliant cloud storage in an effort to help health companies through the process of finding the right CSP.
Sources:
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement
http://www.healthcareitnews.com/blog/caveat-emptor-protecting-phi-cloud
http://www.hbma.org/news/public-news/n_the-truth-about-hipaa-hitech-and-data-backup
http://www.hipaahq.com/hipaa-compliant-cloud-storage-explained