Sep 05, 2015

How to find cloud providers that are HIPAA compliant?

Are there cloud providers that meet the requirements for HIPAA compliance?
The onus of HIPAA compliance isn't up to the cloud provider, it's up to you and your organization's use of the cloud service. Compliance has to do with things like: data encryption, security of the access to the data, destruction of records, and so forth. Claims of HIPAA compliance may be only towards encryption of data in place, encryption of data in transit, and their offering of access security that enables you to do the job of complying with the Act. It's up to you to ensure that you're in compliance, which means a quick education as to what's required for your use of (patient) data. May I suggest obtaining best practice information and extrapolating what you find to what you're doing, and educating those involved on what's required for your application prior to proceeding, as then and only then will vendor claims make sense to your situation.
Found a good list covering some of the cloud solution vendors in regards to HIPAA compliance:

"Companies that Claim to Offer HIPAA Compliant Services
• Amazon – Amazon S3 is not HIPAA compliant out of the box, but Amazon AWS can be used to create HIPAA-compliant cloud storage. Amazon gives you dedicated servers and a BAA, but you have to configure it yourself. This white paper is available for directions on how to create HIPAA-compliant information processing systems in the Cloud. The paper focuses on the HIPAA sections: The Privacy Rule and The Security Rule, and how to encrypt and otherwise protect your data.
• Backblaze – This service allows you to store and protect then restore a single file, a folder or all your backed up files from a web browser for free. There is an option to have a 128 GB flash drive FedExed to you or an external drive up to 3 TB for an additional fee. You can also access your files with the iPhone app. Here is their security page. Mac users will be happy to note that this software is accessible from Mac or iOS systems.
• Box – This service claims to meet the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling. They sign BAA addendums for customers who have an Enterprise or Elite account. As with some of the other services in this group, customers are responsible for configuring Box in a HIPAA compliant manner and for enforcing policies in their organizations to meet HIPAA compliance. Details of HIPAA and HITECH compliance are here.
• Carbonite ProPlan – This service is available for businesses that need protection for unlimited computers and HIPAA Compliance.
• CareCloud – Uses secure data centers in multiple locations that are protected by armed security personnel. Having your data securely stored in multiple places eliminates the risk of catastrophic data loss due to natural disaster, theft or sabotage. See their security information here.
• Crashplan – CrashPlan PRO boasts an easy-to-use desktop and uses 448-bit Blowfish encryption, one of the most robust encryption methods available. Files are encrypted before they leave your computer and then transferred to their servers using 128-bit Advanced Encryption Standard (AES) protocol.
• Egnyte – Egnyte’s “enterprise” product is for businesses seeking HIPAA compliance. They are willing to sign a BAA.
• Google Drive – As of September 2013, Google Apps for Business allows a domain administrator to sign a BAA that covers Gmail, Google Drive, Google Calendar, and Google Vault. Being HIPAA-compliant isn’t as easy as opening any one of these accounts on any one of these services, but if your domain administrator can disable all other Google Services from the domain and make sure you keep appropriate password policies, etc., then Google Drive can be rendered HIPAA compliant for cloud storage.
• Symform – Focusing especially on backup and disaster recovery, Symform is another enterprise cloud storage service that is willing to sign a BAA and claims to be HIPAA compliant. They provide several links to several whitepapers on their site."