Most healthcare organizations are already familiar with HIPAA-compliant cloud storage providers like Sync.com, Google Drive, Microsoft OneDrive, Dropbox Business, and even Box.com.
But how do you know…
- Which HIPAA compliant cloud storage STAYS compliant with US healthcare laws?
- Which storage is right for you and your healthcare employees, subcontractors, clients and patients?
- What features benefit your organization the most?
Well…that's exactly what I'll guide you through in this comparison! Let's dive in!
Top 6 Best HIPAA Compliant Cloud Storage Services in 2021
1. Sync.com (Overall best HIPAA-compliant cloud storage)
- Sync is HIPAA compliant so it meets all the security standards set by the US government
- Sync.com keeps your protected health information (PHI) private and secure.
Sync.com is a HIPAA compliant cloud storage solution for healthcare professionals who need the ability to securely store, share and transfer PHI data in line with federal compliance requirements. Sync allows patients’ medical information to be accessed from any computer or mobile device through its secure web portal while also providing you complete control.
Sync is easy to use and very secure. Sync encrypts your files on your device before uploading them so that no one can access or see your information without having physical access to the devices you're syncing from. Sync also allows for real-time collaboration with other people, so you can all work on the same file at once!
The Sync Business Solo and Business Pro are the only plans that are HIPAA compliant.
- Keeps your protected health information (PHI) private and secure.
- All data stored on servers is encrypted using zero-knowledge, meaning Sync is unable to decrypt any PHI stored on its servers
- File versioning that keeps track of all document versions and changes
- Share and collaborate files and documents securely, from anywhere
- Meets HIPAA compliance – download the Business Associates Agreement (https://www.sync.com/pdf/sync-hipaa-baa.pdf)
- Limited sync folder options, and limited integration with third-party apps
Visit Sync.com to learn more about their HIPAA and PHIPA compliant cloud storage.
2. Microsoft OneDrive (Trusted HIPAA cloud storage service)
- Business Associate Agreements (BAAs) automatically provided for signatures
- Easily available audit reports
Microsoft OneDrive has it all. Microsoft provides data loss prevention tools to help data security experts of hospitals and healthcare providers keep track of the data stored in your servers.
But It's More Than Simple Tracking
Besides robust security controls, Microsoft OneDrive offers more than just file storage. It protects even your email and calendars, too!
And they're all equally protected. As soon as you express your need for HIPAA compliance, Microsoft will send a business associate agreement for signing.
Worry Less About Data Breaches
The BAAs cover not just patient information stored in the cloud. It includes protection for your mail, storage, and calendars as well.
This means healthcare providers can exchange relevant information about their patients without risking a data breach.
If you want to assess your entity's HIPAA compliance, it's as easy as requesting an audit report from Microsoft's Trust Portal.
While you make audit requests through the trust portal, it's actually independent third parties who conduct the audits themselves. That means you have an extra layer of protection when analyzing.
The downside for all of this? It can get expensive. If you want all layers of security while using OneDrive, it will cost you $35 per user per month. If you're a large organization, the price can build up real quick.
Is Microsoft OneDrive Right For Your Health Care Organization?
Microsoft offers everything that a healthcare organization needs to store data, exchange messages, and transmit information between healthcare providers and patients.
Sometimes that's all your organization might need! And you get all of these services securely with all the HIPAA documentation and resources provided by Microsoft – plus easy audits, to boot!
- Easy, hassle-free HIPAA compliance standards
- Comprehensive suite of cloud storage services
- No-fuss audit requests
- Can get expensive quickly
- Microsoft OneDrive alternatives
3. Box.com (HIPAA-compliant file sharing & cloud storage)
- Unique protocols specific for healthcare applications
- Complete HIPAA compliance documentation
Box.com is one of the most popular HIPAA-compliant cloud services for healthcare. Boasting clients like Cedars-Sinai, Kaiser Permanente, and UCLA Health, Box is comprehensive for the industry's needs.
A Step Higher Than Mere Storage
Being HIPAA-compliant is one thing. But offering healthcare-specific messaging protocols is another. While other cloud storage providers merely store data on the cloud, Box goes one step further.
If you need your personnel or patients to securely view industry-specific imaging files like X-rays, ultrasounds, and CT scans, Box has the answer: a DICOM-specific messaging protocol.
Did We Also Forget to Mention How Secure and Awesome Its Features Are?
This is probably the best reason why a covered entity should choose Box: the Box DICOM protocol allows users to share and analyze imaging data from any device, anywhere, through a secure platform.
That means your patient can view his or her X-rays from the comfort of the home, without risking any data leaks.
Is Box Enterprise Right For Your Hospital?
The Box suite of services, like workflow streamlining and sharing, makes it easy for healthcare professionals to collaborate on any groundbreaking treatment.
Overall, that means you can provide the best care for your patients with Box as your cloud provider. The biggest downside? It's expensive and better suited to larger healthcare organizations with a larger budget.
- HIPAA compliance is simple and easy
- Sharing and analyzing data is convenient, even at home!
- Specialized applications for a healthcare covered entity
- Dropbox vs Box comparison
4. Google Drive (Best budget alternative)
- If you've been using the Internet for a while, then you must be no stranger to Google Drive.
- It's a HIPAA-compliant cloud backup service with comprehensive coverage for all your needs.
It Goes Beyond a Budget-Friendly Storage Solution
And it's not just cloud storage where Google Drive shines. Google Drive is just one part of the entire G Suite service – which covers all Google Cloud services like Docs, Sheets, and Slides.
To make G Suite HIPAA compliant, you'll have to request a BAA from the company that bought the G Suite account.
Usability? It's a No-Brainer!
If you've used any Google apps before, then you know how easy it is to use! You can set privacy permissions for every document stored on your Drive, and your emails are all encrypted.
The best part? Google Drive is more affordable than a lot of enterprise cloud storage service options out there! It's just $5 per user for the basic 30GB plan.
If you're a larger healthcare provider and you'll need to up your storage, you can always choose to upgrade to unlimited storage at just $10 per user. How's that for cost efficiency?
Is Google Drive Right For Your Health Care Organization?
If you're worried about your hospital or organization migrating to the cloud, Google is a great place to start. Everyone knows Google! It's fast, easy to use, and mobile-compatible.
Even with all the convenience of Google, it still has top-of-the-line security features. That means you don't have to worry about HIPAA compliance!
- Intuitive, easy to use interface
- Easy migration, even for technologically-challenged doctors
- Services aren't as comprehensive
- Better Google Drive alternatives
5. Dropbox for Business (Popular HIPAA / HITECH cloud storage)
- Dropbox isn't HIPAA compliant “out of the box”
- Healthcare organizations can use Dropbox to share or store files containing protected health information
- Sharing permissions should be configured before signing a BAA – you need to set up your account to keep data like PHI secured (how-to guide here)
Dropbox's enterprise cloud services might be up your alley. It has one of the easiest to use cloud storage interfaces, so your organization can easily adapt to the cloud.
It's affordable at $12.50 for five users for a month, so it's one of the most cost-efficient storage services available. And did we mention that it offers unlimited storage?
HITECH AND HIPAA Compliant
What about HIPAA compliance? That's no problem, too! Dropbox can easily become HITECH and HIPAA-compliant, and one quick message to their sales team will have your BAAs sent to you in no time.
It's easy to set user access permissions per file. You'll find everything you need to get started with compliance in the Dropbox whitepaper on HIPAA!
But Take Note!
Here's the catch: if you need a whole suite of products – from messaging to email – you might want to consider another service.
While Dropbox has third-party integrations, it becomes difficult to manage HIPAA compliance with each third-party app. It's a separate process of HIPAA compliance and BAA signing per app.
Is Dropbox Business a Good Choice For You?
Dropbox is an ideal solution for a covered entity that needs data storage.
While it's not the most comprehensive service out there for anything other than storage, that's all you need, sometimes especially if you're just starting out.
- No-nonsense, HIPAA-compliant cloud storage
- Unlimited storage
- Not great for other services like messaging
- Dropbox competitors that offer better security might be a better option
6. Amazon AWS (Best value on-demand cloud platform)
- Large suite of AWS cloud services with PHI protection
- Robust documentation and architecture examples for compliance
If you need a more versatile option for your cloud computing needs, look no further. Amazon AWS offers more than just a cloud storage service.
Integrate Your ENTIRE Website
Besides file storage and backups, Amazon AWS also offers object storage through Amazon S2 – so you can integrate your hospital's website to the entire Amazon AWS cloud computing ecosystem.
If data storage and cloud storage aren't enough, AWS has a large suite of services – from API to cloud computing – which all provide encryption for patient data.
Just ask large players in the healthcare industry, like Philips, Orion Health, and Siemens, who all use AWS in their cloud computing systems.
It's also HIPAA-compliant, and the service presents a standard BAA to customers for signature.
After signature, Amazon then designates certain services as HIPAA-eligible where you can store and transmit protected health information (PHI).
Check This Out If You Want Higher Security
Besides HIPAA compliance, AWS also manages security risks by following the SP 800-66 Resource Guide provided by the NIST, which is a higher security standard aligned with HIPAA.
As a bonus, you can also avail of Amazon HealthLake if your organization is interested in storing, transforming, querying, and analyzing health data at a petabyte scale. It's a useful database to have.
Is Amazon AWS Right For Your Hospital?
Do you need something more robust and comprehensive than just storing data? Then Amazon is the best HIPAA-compliant cloud storage solution for you.
Besides storing your organization's files, you can also manage databases of your patient's information, as well as manage data access to ePHI whenever needed.
- Higher protection than what HIPAA requires
- Several large industry players use the service
- Comprehensive documentation for HIPAA compliance
- Complicated to use for basic services
A Quick and Easy HIPAA & HITECH Crash Course
If you're a healthcare provider, you're probably already aware of the Health Insurance Portability and Accountability Act of 1996, or the HIPAA.
The HIPAA was made so that patients don't lose insurance when moving between jobs (“healthcare portability”), and also to feel safe when availing healthcare services due to the privacy rule.
The HIPAA restricts and protects the confidentiality of patient health information, or PHI, to limited individuals. It also punishes unauthorized disclosures of patient information.
What's HITECH? How is it different from HIPAA?
The HIPAA was made back in 1996 – way before cloud service solutions became popular for healthcare providers.
With new technology comes new risks. And avoiding those risks was exactly what the HITECH – or the Health Information Technology for Economic and Clinical Health Act – sought out to do in 2009.
It's actually the HITECH Act we have to thank for the privacy rule as it applies to health records and patient data. The HITECH Act added these very important rules which complement the HIPAA:
- Business associates are now directly accountable for violating any rule under HIPAA.
- Associates are now required to sign a Business Associate Agreement with covered entities under the HIPAA Privacy Rule.
- The HITECH increased the penalties for violating the HIPAA.
- Patients now have the right to obtain electronic copies of their medical records.
These are just some of the most important parts of HITECH and how it's different from HIPAA.
But if you're looking for cloud storage providers, you want a service that complies with both laws.
That's because the HIPAA and the HITECH are complementary and are meant to work together. The HITECH just added updates to the HIPAA to update the medical industry to the 21st century.
What Is a BAA?
When you're looking for a cloud storage solution, you might have seen providers state they are “HIPAA Compliant” and “provide a BAA for signing.”
But what is a BAA anyway? To know more about that, here's a rundown of all the parties involved in both the HIPAA and the HITECH laws:
Covered entities are exactly who we think about when we say “healthcare.”
These are your health care providers, like doctors; your health plan, like insurance companies; and a health care clearinghouse, or those that process health care information.
You might not think of an accountant or a law firm when you say “healthcare,” but they're just as accountable for your health-related information.
A business associate performs functions that are related to the disclosure of information of covered entities or provides services to a covered entity.
So even if your business has nothing to do with patients, you're still a business associate if you have insurance companies or hospitals or doctors as your clients.
This also means that the cloud storage services used by hospitals, insurance companies, or even just regular doctors, dentists, and chiropractors, are all “Business Associates” under the HIPAA.
So, What Is a BAA?
A business associate signs a written BAA, or a “Business Associate Agreement” while covered entities hold BAAs accountable for disclosure, transmission, and use of protected health information (PHI).
And if you want to use a cloud service provider, you need to sign a BAA with the cloud service provider before you can store electronic PHI (ePHI) in their cloud servers.
A good Business Associate Agreement should have all of these provisions:
- When the business associate can disclose and/or use the PHI;
- A promise not to use or disclose PHI unless the law or the BAA says they can;
- Safeguards to prevent unauthorized use or disclosure of PHI;
- A promise to report any unauthorized use and breaches of unsecured PHI to the covered entity;
- A requirement that the associate should disclose the PHI to satisfy the covered entities' obligation to a patient's request for PHIs;
- A requirement for associates to destroy PHIs after the BAA is terminated;
- Require subcontractors who can access the PHIs to agree to the same conditions that the associates did; and
- Allow a covered entity to terminate the BAA if the business associate violates the BAA.
A HIPAA-compliant cloud storage provider should provide a BAA for covered entities to sign or agree to, so you can protect patient health information in the cloud drive of these providers.
Is There Such Thing As A “HIPAA-Certified” Cloud Storage Provider?
While cloud service providers can be “HIPAA-compliant,” there is no HIPAA certification in the United States under the HIPAA or the HITECH.
What you can do instead is to take a look at the features of your service provider to check if these cloud storage solutions provide the protection you'll need.
What to Look for When Searching Cloud Storage Providers
Most HIPAA-compliant cloud storage services offer more than just data storage.
They also give organizations a way to share ePHI between different departments and specializations, as well as ways to give patients the necessary information for a diagnosis.
That means there are plenty of security risks for breach when transferring sensitive data and forms from one party to another.
A HIPAA-compliant cloud provider should have a way to encrypt information and data shared between healthcare providers, like doctors and nurses, and with patients.
The cloud provider's encryption features should comply with the standards provided by the NIST, which includes:
- Data encryption: Symmetric Cipher AES-256 encryption
- Transmission encryption for emails, messages, and other transmission services
A good cloud server shouldn't only encrypt and store data in the cloud.
A HIPAA-compliant cloud storage service should also grant an administrator certain controls so that different people in the organization have different levels of access to PHIs.
Effective HIPAA-compliant cloud storage services should have these basic security features:
- Data classification to inventory ePHI according to sensitive or nonsensitive material, or material the HIPAA classifies as confidential, internal, or public;
- Access controls, to limit people who can access certain classes of data and prevent third parties or other entities from accessing sensitive information.
Risk Management Policies
HIPAA compliance also requires the cloud provider to have a plan to prevent, detect, contain, and correct security violations.
Let's face it: accidents happen sometimes. And services should be one step ahead of these potential risks.
The HHS provides risk management guidelines for cloud services to follow. In a nutshell, these guidelines require cloud services to:
- Identify the risks and vulnerabilities;
- Assess current security measures;
- Determine the likelihood of threats occurring; and
- Determine the impact of these risks and threats on the organization.
Summary of Specs
Here's an easy to print the checklist for the basic security features you'll need from HIPAA-compliant cloud storage services:
- Since cloud storage services are “Business Associates” under the HIPAA, they should make Business Associate Agreements available for you to sign.
- Any PHI that you'll store in the cloud storage servers should be encrypted. This includes patient forms and other important, confidential data.
- If you're using the cloud-based service for features like emails, messages, or chats, HIPAA-compliant cloud storage should also have end-to-end encryption of messages sent between healthcare providers.
- HIPAA-compliant cloud storage should have an option to configure specific file-sharing permissions so you can exclude third parties who are outside the healthcare organization.
- Cloud providers should have a way to manage risk through policies that prevent security violations. If security violations happen, providers need to have a plan to correct violations.
Health information is a sensitive topic, especially for patients who'd rather keep some things confidential.
But with the help of the best HIPAA-compliant cloud storage services, you'll make life easier, more convenient, and safer for your patients, staff and stakeholders. Check these out today!