Following these rules will ensure cloud storage of personal health information meets compliance standards and remains secure
The COVID-19 pandemic has accelerated the adoption of digital healthcare solutions among patients, providers, hospitals, and insurance agencies. Experts project that the global market for cloud-based healthcare solutions will reach nearly $90 billion by 2027 as people continue to expect digital solutions for care, such as telehealth, the ability to book appointments online, and the electronic delivery of medical information.
As a result, healthcare organizations are looking to the cloud to meet their patients’ needs. To successfully make the transition, development teams must meet HIPAA data storage requirements outlined in HIPAA’s Privacy and Security Rules. Read on to find out which criteria are necessary for HIPAA compliance, the consequences of failing to meet those requirements, and recommended tools for data storage within the cloud.
HIPAA data storage requirements
The U.S. Department of Health and Human Services’ summary of the HIPAA security rule requires “covered entities” to “maintain reasonable and appropriate administrative, technical, and physical safeguards” to secure electronically-protected health information (e-PHI). These “covered entities” include hospitals, health plans, clearinghouses, providers, as well as business associates who come in contact with e-PHI on behalf of the covered entity, including cloud service providers.
Within the security rule, HHS provides four specific HIPAA storage requirements that covered entities and business associates must meet to comply with HIPAA regulations. These include:
- Ensuring the confidentiality, integrity, and availability of all e-PHI through encryption, password protection, and other protection measures.
- Identifying and protecting against reasonably anticipated threats through regular monitoring and risk analysis.
- Protecting against reasonably anticipated impermissible uses or disclosures with safeguards such as IT security protocols, IAM, restricting physical access, and regular audits of internal processes.
- Ensuring compliance by the workforce through regular training and adherence to rules set by HIPAA enforcement officers.
While these requirements apply to any source of e-PHI, HHS has also provided additional guidance regarding using cloud computing services for data storage. This document lays out other rules, such as the requirement of a business associate contract or agreement (BAA) between covered entities and the cloud service provider, the allowance of accessing e-PHI from the cloud via a mobile device, and other important information.
These requirements provide a high-level framework for organizations to apply to their data storage implementations. HHS recognizes that covered entities vary in size and scope of data they collect, and the security rule will scale as entities determine which security measures fit their size and budgetary needs.
HHS.gov contains more explicit language regarding properly implementing the HIPAA Security Rule to safeguard e-PHI. Additionally, HHS provides additional breakdowns on the full definition of protected health information, and how to submit notice in case of a breach.
As many security guidelines overlap, many organizations may opt to meet HIPAA guidelines by adhering to PCI-DSS or HiTrust. These specifications are more stringent than other standards, formed from a super-set of requirements set forth by SOC 2, GDPR, HIPAA, and other standards. Discover how DuploCloud guarantees HIPAA compliance through controls mapped to PCI-DSS by reading our whitepaper, which also provides a policy-by-policy breakdown of the HIPAA compliance controls matrix.
Did you know? The ease of achieving HIPAA compliance is one of many insights gained in our survey of 500 IT specialists working in healthcare. Read the full report to see how modern healthcare services are leveraging cloud automation.
Penalties for failure to achieve HIPAA cloud compliance
Covered entities and business associates who fail to achieve HIPAA compliancy in the cloud are subject to fines based on the infraction's severity, regardless of accidental or willful negligence.
The HIPAA Enforcement Rule breaks down the monetary value of each fine by the level of negligence.
- Person or organization could not have known they violated HIPAA: minimum $100 per violation, up to $50,000 per violation.
- Person or organization should have been aware of HIPAA violation with reasonable cause: minimum $1000 per violation, up to $50,000 per violation.
- Person or organization willfully neglected HIPAA regulations but attempted to correct the violation: minimum $10,000 per violation, up to $50,000 per violation.
- Person or organization willfully neglected HIPAA regulations and has not attempted to correct the violation: minimum $50,000 per violation.
Individuals may face imprisonment if the infraction is severe and knowingly conducted with criminal intent. The HIPAA Privacy Rule describes the following criminal penalties:
- Knowingly obtaining or disclosing PHI: Up to a $50,000 fine and up to one year of imprisonment.
- Knowingly obtaining or disclosing PHI under false pretenses: Up to $100,000 fine and up to five years of imprisonment.
- Intent to sell, transfer or use PHI for commercial or personal gain or malicious harm: Up to $250,000 fine and up to 10 years imprisonment.
In addition to the consequences HIPAA lays out, organizations that fail to meet these requirements will face unquantifiable consequences, such as damaged reputation and loss of current or future business opportunities.
Learn more about the rules, regulations, risks, and benefits of healthcare cloud computing with Cloud Computing in Healthcare: A Comprehensive Guide.
Recommended HIPAA data storage tools
DevOps automation: DuploCloud
Migrating data into cloud storage is a complex, arduous process. Setting up the necessary configurations requires thousands of lines of code which can take weeks or even months to complete. Plus, teams without cloud-based experience can introduce errors into their configuration, leading to unnecessary downtime, failed compliance checks, and degraded security measures.
DuploCloud is a no-code solution that automates many of these standard configuration steps according to PCI-DSS standards, which ensure adherence to compliance protocols, including HIPAA, SOC-2, GDPR, and more. By stitching together the numerous security tools and cloud APIs, DuploCloud can construct a fully compliant and secure infrastructure ten times faster than manual integration, with a 70% cost reduction. DuploCloud also provides continuous compliance checks and audit-ready reporting post-go-live, saving hundreds of hours of labor during the audit process.
Read our latest whitepaper to learn more about how DuploCloud builds HIPAA-compliant cloud infrastructure.
File sharing: Dropbox Business
Dropbox has made sharing files easy for years, and the company offers solutions to ensure healthcare professionals can do the same while remaining HIPAA-compliant. In addition to offering a signed BAA, Dropbox also offers configurable file sharing permissions, multi-factor authentication, and the ability to disable permanent deletions to ensure the presence of a digital paper trail.
Dropbox also offers third-party integration to add additional SIEM, DLP, and identity management checks to increase security, monitoring, and risk assessment capabilities.
Data backup: Carbonite
Carbonite is known for providing quality home and professional cloud data backup services, and its Endpoint solution is also HIPAA compliant. Endpoint uses a 256-bit AES encryption layer for data at rest and Transport Layer Security for any information sent through the internet. Carbonite also provides a central management dashboard, allowing teams to monitor access, determine the frequency of data backups, the time between purges, and the ability to delete sensitive data on lost or stolen hardware remotely.
Build HIPAA-compliant cloud infrastructure from day one
Ensuring cloud HIPAA compliance from the start will keep data secure from unauthorized access, protect your organization from legal headaches, and give clients and users peace of mind. DuploCloud can help build that infrastructure from day one with its no-code/low-code DevOps-as-a-Service platform, meeting all HIPAA’s stringent requirements for full compliance. Read our PCI and HIPAA compliance whitepaper to discover how DuploCloud can automate security and compliance control integration to speed up deployment times by a factor of ten.
