Cloud storage has become increasingly popular because it is effective, efficient and convenient: data can be accessed anywhere, at any time, from any device, and it is offered at very competitive prices, with Google Drive and Dropbox among the most popular choices.

However, for those who must also comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, choosing a storage provider can seem overwhelming. Many healthcare providers face the question of which cloud storage solution is appropriate for them, and whether any of the options, Google included, is HIPAA compliant.

The US Department of Health and Human Services (HHS) has developed very strict rules for document and data security to protect the privacy of healthcare information.

HHS states that: “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

Any individual or organization that collects, stores, holds, processes, or has access to a person’s health care information is responsible for protecting it. Under HIPAA this applies not only to “covered entities” but also to the business associates that handle protected health information on their behalf, who must likewise be compliant. Violations can result in severe financial penalties and, in some cases, criminal charges or incarceration.

To be HIPAA compliant, a cloud storage solution should have:

  • Proper user ID and password administration: Ensures every user has a unique identifier, so that activity can be traced to one person, and strong credentials that are managed throughout their lifecycle: changed periodically or when compromise is suspected, and removed when the user leaves.
  • Role-based account access: Only those individuals with proper authorization can access sensitive information. We allow you to set particular levels of access for each user.
  • Group-based access management: Allows you to define groups/users and grant differing levels of authorization for each.
  • Data redaction capabilities: Provides the ability to redact words, phrases, or sentences from documents, so that users with a lower level of clearance can search a document without viewing the more sensitive information within it.
  • Emergency access procedures: Ensures information can be accessed in an emergency.
  • Automatic logoff: Helps to ensure sensitive data is protected, in case an employee forgets to log off a computer.
  • Data encryption and decryption: Ensures stored information cannot be read without the proper keys. eFileCabinet uses 256-bit encryption. Key length is only part of the picture: how the keys are generated, where they are stored, and who can use them determine how much protection the encryption actually provides.

Google Drive is a widely used cloud storage provider. Google holds ISO 27001 certification and SOC 2 and SOC 3 Type II audit reports, and it offers Google Apps. Under HIPAA, individually identifiable information about a patient’s health or healthcare services is confidential and is known as Protected Health Information (PHI). Google users who must follow HIPAA requirements and want to use Google Apps with PHI are required to sign a Business Associate Agreement (BAA) with Google.

Administrators of Google Apps for Work, Education, Government, and Google Apps Unlimited may request a BAA before using Google services with PHI. Google’s BAA covers the paid versions of Gmail, Google Calendar, Google Drive, Google Sites, and Google Apps Vault. Customers who have not entered into a BAA with Google may not use its services in connection with PHI, and Google states clearly that without a BAA its products should not be used to store PHI. No BAA is available for Google’s free services.

Simply using Google Drive, or any other cloud storage, does not make an organization HIPAA compliant; no software can guarantee that, because compliance also depends on the policies, procedures and people around it. It is, however, possible and highly recommended to use document management software (DMS) that provides data backup and disaster recovery. The right DMS can help avoid security problems with personal health information and can help an entity maintain HIPAA compliance.

eFileCabinet is the premier document management solution that can help you not only become a paperless office but also meet your HIPAA obligations. There are eight main areas in which eFileCabinet can assist with HIPAA compliance:

  • Data Backup: HIPAA Administrative Safeguards require organizations to have data backup in place to protect personal health information in the event of system failure. If your data is on-site, eFileCabinet provides off-site, encrypted, automatic backup according to your specifications. You also have the option to back up your entire DMS in the cloud.
  • Emergency Operation and Disaster Recovery: HIPAA requires covered entities to have a contingency plan that keeps personal health information secure and available in an emergency. Because our platform backs up data to three different off-site locations across the United States, it is significantly easier for our users to plan for and recover from emergencies.
  • Physical Safeguards: HIPAA Physical Safeguards are the physical measures, policies and procedures that protect information systems, and the buildings and equipment that house them, from natural and environmental hazards and from unauthorized intrusion. We provide automatic, cloud-based, off-site backups. Because the data is held at three separate sites, a power outage or environmental emergency at one site is very unlikely to affect all three.
  • Access to Information: HIPAA defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” In practice this means the controls that decide who can reach your patients’ information, and how that information is protected both while stored in your system and while being transferred to and from it.
  • Audit Trails: Our audit trails record activity against sensitive data, including who viewed, changed or retrieved information and when. Audit reports will be extremely important to your company in the event of an audit or an investigation into suspected misuse.
  • Data Integrity: HIPAA requires policies and procedures that protect personal information from improper alteration or destruction, whether intentional or accidental, by anyone who handles it. We have electronic mechanisms such as checksum verification, digital signatures, and other verification tools that confirm data has not been altered.
  • Identity Authentication: HIPAA requires that anyone attempting to access personal information be verified as who they claim to be. We require strong authentication mechanisms while allowing straightforward third-party integration.
  • Security During Data Transmission: HIPAA requires measures to prevent unauthorized interception of, or access to, sensitive information while it is in transit. We encrypt data travelling to and from our network with 256-bit encryption.
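The Data Integrity and Audit Trails items above describe two controls in general terms. The following is an added example, not eFileCabinet’s code or any part of its product, that shows the shape of both: a keyed digest over a document that detects alteration, and an append-only audit log in which each entry commits to the hash of the previous one, so edits or deletions in the log itself are detectable. The integrity key, document IDs, user names and patient record are all constructed for the example.

```python
"""Integrity checks for stored documents and a tamper-evident audit trail.

Added example (not product code). Two controls are shown:
  1. A keyed digest (HMAC-SHA256) over each document. A plain checksum catches
     accidental corruption, but anyone who can rewrite the file can rewrite the
     checksum too; keying the digest means only a holder of the integrity key
     can recompute a valid tag.
  2. A hash-chained audit log: each entry includes the hash of the previous
     entry, so changing or removing any entry breaks the chain from then on.
"""
import hashlib
import hmac
import json


def compute_tag(key: bytes, document: bytes) -> str:
    """HMAC-SHA256 of the document bytes, hex-encoded (64 characters)."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def verify_document(key: bytes, document: bytes, stored_tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(compute_tag(key, document), stored_tag)


class AuditTrail:
    """Append-only log; every entry's hash covers its fields and the previous hash."""

    GENESIS = "0" * 64  # 'previous hash' for the very first entry

    def __init__(self):
        self.entries = []  # list of dicts, oldest first

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, user: str, action: str, doc_id: str, outcome: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "user": user,
            "action": action,
            "doc_id": doc_id,
            "outcome": outcome,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact and the chain is unbroken."""
        expected_prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != expected_prev:
                return False
            if entry["hash"] != self._entry_hash(entry):
                return False
            expected_prev = entry["hash"]
        return True


def demo() -> dict:
    # Constructed sample data: a hypothetical integrity key (in practice it would
    # come from a KMS/HSM, separate from the document store) and a fake record.
    key = b"\x11" * 32
    record = b"Patient: J. Doe; DOB 1970-01-01; Dx: hypertension\n"
    tag = compute_tag(key, record)

    trail = AuditTrail()
    trail.record("dr.smith", "view", "doc-1042", "ok")
    trail.record("billing.clerk", "view", "doc-1042", "denied")
    trail.record("dr.smith", "edit", "doc-1042", "ok")
    chain_ok_before = trail.verify()

    # Simulate an insider altering the record and hiding the denied access.
    altered = record.replace(b"hypertension", b"healthy")
    trail.entries[1]["outcome"] = "ok"

    return {
        "original_verifies": verify_document(key, record, tag),
        "altered_verifies": verify_document(key, altered, tag),
        "chain_ok_before_tamper": chain_ok_before,
        "chain_ok_after_tamper": trail.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check in a real product: the integrity key (or signing key, if digital signatures are used) must not be stored alongside the documents it protects, or an attacker who can alter a file can simply re-tag it; and the audit log's head hash should be periodically copied somewhere the storage administrators cannot write, otherwise the whole chain can be quietly rebuilt.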

Let eFileCabinet help you meet your HIPAA obligations, significantly reducing the risk to your company and increasing your assurance of safety and compliance. Please fill out the form on this page or give us a call to learn more.