Cloud storage has become increasingly popular, effective, and efficient. It offers great convenience because data can be accessed anywhere, anytime, from virtually any computing device, and it is offered at very competitive prices. However, deciding which Cloud solution most closely fits your needs and wants can be very confusing. For those who must also concern themselves with compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the process of choosing storage can seem overwhelming. Many healthcare providers face two questions: which Cloud storage solution is most appropriate for them, and are any of the options HIPAA compliant?
The US Department of Health and Human Services (HHS) has developed very strict rules for document and data security to protect the privacy of healthcare information.
HHS states that: “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Any individual or organization that collects, stores, holds, processes, or has access to a person’s health care information is fully responsible for protecting the information, even if they’re not considered a “covered entity” under HIPAA. If HIPAA regulations are violated, severe financial penalties, and even criminal charges or incarceration, may result.
Google Drive is a widely used Cloud storage provider. Google has security certifications such as ISO 27001, as well as SOC 2 and SOC 3 Type II audits, and it offers Google Apps. Under HIPAA, particular information about a patient’s health and/or healthcare service is confidential and is Protected Health Information (PHI). Google users who must follow HIPAA requirements and want to use Google Apps with PHI are required to sign a Business Associate Agreement (BAA) with Google.
Administrators for Google Apps for Work, Education, Government, and Google Apps Unlimited may request a BAA prior to using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, Google Sites, and Google App Vault Services. Customers who have not entered into a BAA with Google are not allowed to use services in connection with PHI. Google makes it very clear that if a customer does not have a BAA and is storing PHI, Google products should not be used. Further, the BAA is not available with Google’s free services, such as Gmail, Google Calendar, Google Drive, etc.