Generally, we urge a healthy level of skepticism about cloud storage. This view is based on the pragmatic acknowledgement that it is nearly impossible to not have some data live in the cloud (good luck trying to use email sans cloud) combined with the equally sensible belief that cloud storage can be less than ideal for security purposes.
More importantly, some lawyers and law firms may need to comply with the Health Insurance Portability and Accountability Act (HIPAA), and Dropbox won’t cut it. We have mentioned HIPAA-compliant cloud services before, but in this post we will attempt to create a comprehensive list.
Who Needs To Comply With HIPAA
HIPAA’s privacy rule is written quite broadly to ensure that business associates with access to medical data — like attorneys, accountants, and financial services providers — also maintain heightened levels of privacy standards and security safeguards. Data storage and transmission services can fall under the law, and failure to appropriately protect data can result in fines as high as $1.5 million per year with the possibility of criminal charges.
That said, merely handling some medical data in the course of your practice does not require you to comply with HIPAA. Minnesota’s Bench and Bar reviewed the 2013 changes to the law, and discussed when law firms become business associates that are covered under the law. In looking for a HIPAA-compliant data storage provider, you should determine if they can sign a Business Associate Agreement (BAA). A BAA is a contract between an entity covered by HIPAA and a business associate that will be accessing personal health information. This agreement must put in place data protections that conform with HIPAA guidelines.
Amazon Web Services
For a long time, Amazon’s cloud storage (AWS) was definitively not HIPAA-compliant. However, with the recent changes to the HIPAA law, Amazon began signing business associate agreements with covered entities. AWS also offers a white paper on how to use AWS in HIPAA-compliant systems. In the event you are considering using AWS, you should set up a free account to see how their storage system works. You can keep free storage for one year, but it is unclear as to whether that type of storage would be HIPAA-compliant.
Box, which also provides non-HIPAA-compliant storage to the masses, states that it specifically supports HIPAA regulations and can sign HIPAA Business Associate Agreements (BAAs). The company says their HIPAA practices have been evaluated by an independent third-party auditor (there is no government HIPAA certification) that details information about how Box conforms with the HIPAA requirements. Box provides data encryption, restricted physical access to servers, restricted employee access to data files, training of their employees on security controls, and a formally defined breach notification policy. Box does not break out the HIPAA-compliant storage pricing, so you will likely need to contact them directly for a quote.
Carbonite states it is a HIPAA business associate and follows the security protocols of Massachusetts’ Data Security regulations. Per Carbonite, this is considered the strictest data protection regulation in the nation. Carbonite’s HIPAA-compliant storage prices begin at $269 per year and all plans allow for an unlimited number of computers. Prices increase based on the size of your storage needs. They have a 20% off deal running at the moment if you commit to a two-year contract.
CareCloud is a medical billing software company that also offers HIPAA-compliant cloud storage. CareCloud says its healthcare software exceeds government security standards for data transmission and storage, although it is unclear what standards they are referring to. They encrypt traffic during transmission, use a commercial-grade firewall, and store data at maximum security centers inside a private cage (no, really). They also back up customer data to their disaster recovery center in real-time. Pricing for the cloud storage appears tied to their general medical billing software and starts at a hefty $449 per provider per month.
ClearData, which specializes in healthcare data, offers a free 60-day no obligation trial so you can assess their HIPAA-compliant storage. They also promise 100% redundancy, 100% network uptime, 100% business continuity, and 99.999% server uptime. If you give them your email, they will send you a white paper on best practices in cloud computing for the healthcare industry. Their white paper may prove useful if you are deciding how to manage healthcare data in your practice.
Connectria has both server and desktop software that will assist you in encrypting and syncing your data to their HIPAA cloud storage. They will enter into a BAA and will provide desktop backup, server backup, or enterprise backup as needed. Connectria will also help migrate existing Amazon S3 customers to Connectria’s HIPAA-compliant service. You pay based on how much data you need to store, but you will need to contact them to find out what that cost will be.
CrashPlan, one of the most well-known backup services, provides what is probably the most cautious explanation about being HIPAA compliant. They will sign a BAA, but only for CrashPlan PROe (enterprise) plans and only if you are using an on-premises master server instead of a fully-hosted public cloud deployment. You can get a free trial of the enterprise software. Pricing starts at $60 per user per year and scales downward if you commit to a two- or three-year term.
Egnyte is an enterprise file services provider that integrates file serving, cloud storage, and file sync and share. That model, according to Egnyte, allows easy HIPAA-compliant file sharing besides just providing compliant storage. Egnyte is a Business Associate to covered entities and will sign a BAA detailing their safeguards. They will also provide internal practices, books, and policies to help you determine your HIPAA-compliance. It is unclear whether Egnyte’s “Business” plan, which costs $15 per employee per month, provides HIPAA-level compliance or if users need to buy an enterprise solution from Egnyte.
firehost, a general-service secure cloud provider, also offers specialized HIPAA-compliant storage. However, firehost is clearly geared toward healthcare entities that need the full range of data management; their centerpiece offering is a bundled service that covers hardware, software, security, and managed services. Functionally, they create a virtual server for that data. You will need to provide them some minimal data — name, email, phone, and company — in order to get started with configuring a server for that level of firepower.
FolderGrid offers HIPAA-complaint file sharing for project teams and also offers FTP access. Their HIPAA statement explains that they encrypt all data in transmission and storage. Additionally, administrators maintain full access control. They also redundantly store data on multiple devices in multiple facilities. Pricing begins at $10 a month and scales up from there based on the storage size you need.
Google was not always HIPAA-friendly, but as of about a year ago, you can now request a BAA that covers Gmail, Google Calendar, Google Drive, and Google Vault. This does not apply to those using the free Google Apps suite. You will need to be an administrator for Google Apps for Business, Education, Government, or Unlimited, which are all paid services. If your HIPAA-compliant data needs are minimal, Google may provide a low-cost solution if you are already invested in the Google Apps ecosystem.
Green House Data
Green House Data differentiates itself from other data centers by being, well, green. They are 100% wind-powered and are an EPA Green Power Partner. They also offer a webinar on when companies need to sign a BAA and what questions you should ask of your HIPAA data storage provider. Green House looks more geared towards providing you with a complete IT infrastructure solution, and for that you will need to contact them for a pricing quote.
Iron Mountain, long known for those enormous trucks that come to your office and take the giant shredding bins away, offers a number of white papers about HIPAA-compliant storage, but it does not appear that you can learn anything more about their data storage options without contacting them directly.
MyVault has a lengthy explanation of HIPAA requirements and states they are HIPAA compliant. However, they also explicitly state that because they are an automated digital online data storage solution provider, they are not considered to be a business associate under the law. This is concerning given that other providers specifically agree to sign a BAA. There is an online demo you can try to get a feel for the features of MyVault and the pricing starts as low as $2/month, but whether or nor they would be considered truly HIPAA-compliant is not clear.
Microsoft Office 365 for Health Organizations
As with Google Apps, if you are already heavily embedded in the Microsoft ecosystem, going with Microsoft Office 365 as a HIPAA-compliant data storage solution may be wise. Microsoft has a lengthy white paper you can read about how their cloud services conform to regulator requirements. Microsoft will sign a BAA and connect your data to the full Microsoft cloud, including SharePoint.
Online Tech states that it recently completed an independent audit that found it to be 100% HIPAA-compliant. They provide a number of HIPAA webinars and can provide HIPAA-compliant cloud storage, managed servers, and full colocation. You’ll need to contact them directly for a quote.
onramp provides a comprehensive-looking three-step risk management assessment process for giving you HIPAA-compliant storage. They determine what you need and create a custom Business Associate Agreement, a risk management plan, a backup plan, and a disaster recovery plan. You will need to email them for a quote to receive this level of attention.
SpiderOak says they are a Business Associate and are HIPAA-compliant. SpiderOak prides itself on its “Zero Knowledge Privacy” stance. Their servers are not capable of viewing any of your data in plain text. You can get two gigabytes of storage from SpiderOak for free, while business pricing starts at $100 per year.
Symform is another general service secure cloud storage provider. They offer HIPAA-compliant storage with clear access control policies and restrictions, data backup and disaster recovery, and encryption during data transmission. Symform will give you 10GB of data storage free and, in a very Dropbox-esque way, allow you to earn more free cloud storage by contributing your own local drive storage. Symform boasts it is the only storage solution that gives you HIPAA-compliant storage for free, which very well may be true.
TrueVault is designed for the developer side and has an API to facilitate secure healthcare software development. They also offer plain old HIPAA-compliant storage that is searchable and allows for file sharing. They will sign a BAA and have a data breach insurance policy. You can test the service for free. Pricing is based on how often you call to their API, rather than the size of the data stored, so you want to be familiar with how that works before taking the plunge.