HIPAA-Compliant Cloud Storage

img banner resources HIPAA cloud storage

Cloud storage solutions for advanced healthcare needs

Healthcare profitability requires managing large amounts of data to make accurate decisions while remaining compliant. How can organizations address issues around patient data portability, communication, privacy, and compliance? Healthcare is under pressure due to an aging population and the cost of care continues to outpace inflation. Providers struggle to communicate and coordinate patient care, and there are issues with accessibility, interoperability, and privacy permissions when collecting and storing patient data.

In addition to the aforementioned drivers for change exerting pressure on healthcare, big data is a significant factor in healthcare’s growth and change. The use of machine learning and artificial intelligence is driving the aggregation of data from multiple sources, and the use of telemetry systems is pushing the limits of storage capabilities. Decisions about whether to use cloud storage are complicated by concerns about security, compliance, responsiveness, and cost savings.

Healthcare CFOs in hospitals, imaging centers, surgical centers, and more are under unrelenting demands to reduce costs as profit margins continue to narrow. Medical directors must ensure better patient care, personalized to each patient and with individual information immediately accessible per HIPAA guidelines. The IT Manager must keep all of this electronic protected health information (ePHI) secure. Operations managers face competitors who use sleek marketing campaigns to boast of increased inpatient flow and operability targets. How can a single facility not just face these challenges, but also overcome them?

Background of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, aims to improve the portability and accountability of health insurance coverage while establishing privacy and security guidelines. The HIPAA Privacy Rule, published in 2002, ensures that individuals’ health information is properly protected while allowing the flow of health information needed for high-quality care. Health plans, providers, and even contractors must meet these privacy requirements. The need for HIPAA compliance encouraged digitization of healthcare records, as outlined in the HITECH Act of 2009, which led to the Meaningful Use incentive program.

Healthcare providers who receive Medicare and Medicaid incentive payments must meet specific meaningful use requirements, including:

Central to these criteria was the introduction of electronic health records (EHR). While today’s digital records mostly replace bulky files in physical storage, they do still have storage demands that can tax infrastructures and budgets. Patient data can encompass decades, contain information from multiple providers, and hold hundreds of imaging sequences from a single appointment.

The growth of medical record data is astronomical. In fact, some estimates put a 40% growth on data storage needs annually. Dealing with this level of electronic data is an enormous challenge, but when one considers the privacy conditions to be compliant with HIPAA, the complexity of maintaining responsive yet secure storage intensifies.

The need for storage and associated costs

Rising IT infrastructure costs are one more hurdle to managing data demands and privacy requirements. Hardware, software, and networks need regular updating and upgrading. Computers, mobile devices, medical devices, telemetry tools and other connected devices do more than produce data — they consume large amounts of bandwidth. Remote management programs and licensing fees for ubiquitous tools such as Microsoft Office and Adobe, not to mention vendor-specific applications, add to the bottom line. How does one decide how to best distribute limited funds in an environment with so many competing priorities?

Healthcare IT administrators not only have to worry about infrastructure costs, but also the potential cost of data loss. Natural disasters such as earthquakes, hurricanes, tornadoes, and fires can destroy servers holding digital health records. Unfortunately, the frequency and intensity of these kinds of disasters are increasing, according to climate data. Catastrophic floods from intense precipitation, river flooding, and coastal storm surge pose a significant risk to on-site servers that may not be designed to withstand such events.

Security breaches also pose a significant risk to electronic health records, and the healthcare industry faces the highest cost for data breaches compared to any other industry. Roughly half of data breaches occur due to human error or system glitches, while the other half stem from malicious intent or criminal activity. Recovering from all types of data breaches, including hacking and ransomware attacks, can be expensive. Healthcare organizations risk losing customer trust, with patients leaving the business for another one following a breach, leading to a churn rate of 6.7%, nearly twice the average of all other industries. In the “value-based” healthcare model, providers must demonstrate positive outcomes over time, and if patients lose confidence in data security, there will be no viable way to measure progress.

Key Points

What is cloud storage?

It seems like everyone is “in the cloud” or “migrating to the cloud” these days, or getting ready to deploy some sort of cloud-based service. But what does “cloud” actually mean? Simply put, cloud computing refers to using on-demand computing services, such as applications, power, and storage, that are stored on servers rather than on your own computer. This means that the information is accessed over the internet when needed, and you might only pay for what you use at that time. When we talk about “cloud storage,” we’re specifically talking about storage that’s located off site.

If you were to walk into a cloud storage facility, you’d see a large room filled with racks of servers and wires running overhead. Some areas might be separated for specific tenants who have purchased a certain amount of servers for their exclusive use. So that’s the physical, non-fluffy look at the cloud.

One purpose of that server farm is to provide Infrastructure-as-a-Service (IaaS). This is where servers and storage, networking, and data centers are managed by the vendor while the client remains in control of applications and operating systems.

Cloud storage is incredibly flexible, but it requires knowledge and skill to truly unlock its potential for maximum benefit. Mismanagement can lead to data loss, causing problems such as wasted money, hampered productivity, and even fines.

However, the opposite is also true. Properly managed healthcare cloud storage can lead to data retention, greater productivity, and cost savings. With secure patient records available at all times, healthcare providers can easily share information with other professionals. Large files can be stored without taking up too much space. Analytics programs can be applied to the data, providing valuable insights into patient throughput and even predicting readmission likelihood. Advancements in artificial intelligence can be utilized to work with flexible storage space, allowing for machine learning programs to decipher previously unusable records. As organizations move toward precision medicine, this will be even more crucial.

Telemedicine, still in its infancy, is anticipated to grow annually by almost 20% over the next five years. All of those appointments will be digitally recorded and will need to be stored. Cloud storage will be necessary for future adaptation to healthcare developments.
But how can healthcare cloud storage make an immediate difference in a company’s operation? Washington Heights Imaging, a New York imaging provider, upgraded from a slow, outdated picture archiving and communication system (PACS) to cloud storage. This resulted in faster turnaround times, improved user experience, and auto-populated EHRs. DICOM files could be easily shared and read on existing radiology applications. The move cut IT costs by over 50%, and data redundancy ensured records were secure. Overall, client satisfaction and EHR interoperability increased, leading to more patient referrals.

Key Points

Cloud storage is off-site storage. When information is needed, it is sent via the internet to the user.

Cloud storage has significant benefits:

Well-managed healthcare cloud storage leads to data retention, greater productivity, and financial savings.

What are the main features of cloud storage?

Cloud storage offers many possibilities and is able to be customized to a company’s needs. There are, however, a few core features that all uses have in common:

Healthcare cloud storage options

There are a variety of cloud storage options that can be designed to meet the needs of healthcare organizations of any size and budget.


This is the most primitive version of the "cloud." It uses a company's own servers or other hardware on location to store data and provide cloud-based software. In that, it is not IaaS but rather part of a strategy for deploying SaaS. It is not generally scalable nor does it offer other qualities that one associates with cloud storage. Do not confuse on-premises storage with private cloud storage, which is discussed below.

Hybrid Cloud

Hybrid cloud combines different cloud components, and can refer to a mix of private and public clouds or the use of multiple public cloud providers. In a private cloud, an organization manages all system elements, whereas a public cloud provider manages and maintains the infrastructure. A company may choose to keep some information on its own data center while migrating other data to a public cloud vendor. Hybrid cloud can also be used as a double-failsafe for critical data or as part of the merger-acquisition process.

Private Cloud

A private pure cloud is an arrangement in which an organization hires a cloud hosting company to exclusively manage all of their data. Rather than sharing a bank of servers with other clients, the organization rents or purchases tenancy in a data center with a guarantee that there will be no other clients using the dedicated servers, even if they are currently unused. In this setup, the organization purchases the entire capacity of the system up front and pays for it even when not in use. The benefits include having the hosting company manage and maintain the system, as well as physical and cybersecurity provided by the larger data center protecting the organization's private servers.

Public Cloud

Public pure cloud is a cloud storage model where a provider manages facilities that are shared among multiple clients. Clients can easily scale up or down their storage, computational power, and applications based on their needs, without paying for more than what is being used. This model offers agility, economies of scale, and lower upfront investment compared to private cloud models. It also provides reliability by distributing resources across multiple data centers, ensuring continuous access to information even if one location experiences issues. For healthcare organizations, reliability is crucial to ensure patient access and HIPAA compliance.

Healthcare compliance requirements and cloud storage security

Entities handling health data fall into different categories: healthcare provider, healthcare plan, and healthcare clearinghouse are all covered providers. A cloud storage provider is a business associate and must meet HIPAA privacy and security requirements. Both parties must sign a business associate agreement (BAA) agreeing to the terms of data exchange and possession. Cloud storage providers must also adhere to compliance guidelines for individual hospital practices and private insurers.

icon req physical security

Physical Security

While securing ePHI in a cloud setting is different from that in a clinical environment, cloud storage providers still provide a high level of security for all client data. Facilities are structurally sound and equipped with automatic power backups to protect against weather events. Guards staff entrance points, and identification is required for access. Servers are locked with keycard IDs and limited permissions, and private pure cloud areas are isolated with fencing and additional locks. Manned security cameras record the entire setting, making healthcare cloud storage likely more physically secure than on-premises storage.

icon req cybersecurity


Healthcare providers should encrypt data before it leaves their offices and while it is in transit, which is one of the most vulnerable stages in any data exchange. Healthcare data should also be encrypted while at rest, as it is sensitive, regulated, and protected information. Regardless of the encryption type, the healthcare organization should possess the private key without any backdoors for the cloud storage provider. A comprehensive security plan should include intrusion detection and prevention systems (IDPS) with signature-based and anomaly-based intrusion detection capabilities and automated response features, technical personnel on staff, and cloud access security broker (CASB) compatibility.

icon req insurer compliance

Insurer Compliance

Health insurance companies, as covered entities, need to ensure HIPAA compliance of any data they handle. Verifying patient data security is crucial for them to avoid legal action for insufficient ePHI protection since most healthcare providers accept private insurance. Insurance companies must meet both compliance and security obligations, including eligibility for cyber liability insurance, to avoid civil and federal penalties. Note that each insurance company may have unique compliance and security requirements that must be examined individually.

icon req HIPAA compliant cloud storage

HIPAA-Compliant Cloud Storage

HIPAA has two sets of rules: the Physical Rule, which pertains to all protected health information, and the Security Rule, which pertains only to electronic protected health information. The federal government declared that a cloud service provider is "directly liable for failing to safeguard ePHI in accordance with the HIPAA Security Rule and for impermissible uses or disclosures of the PHI." In a nutshell, the Security Rule requires that business associates (BAs):

  1. Ensure confidentiality, integrity, and accessibility of ePHI
  2. Protect against reasonably anticipated threats or hazards to ePHI
  3. Protect against reasonably anticipated losses or disclosures of ePHI
  4. Ensure compliance by its workforce

As part of the Security Rule, HIPAA requires BAs to establish and maintain administrative, physical, and technical safeguards. These safeguards dictate the creation of access processes and trainings of a workforce to be compliant, toward creating a physical environment of security, and the creation of access authentication, and transmission security and controls. The HIPAA Security Rule has over 70 combined standards and implementation specifications, so describing each of them in depth is beyond the scope of this document. However, interested readers can delve deeper by reading some of the many government publications that address this issue.

icon req fedRAMP


The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services, with the goal of providing a uniform set of risk assessments for every federal agency that uses cloud storage. By having a set of standards for security controls, government agencies can use an authorized list of FedRAMP providers instead of having to evaluate each cloud storage provider's security protocols individually. FedRAMP compliance is a rigorous process that demands collaboration with a federal agency, annual certifications, review by a third-party authorization organization, and extensive documentation of facilities, processes, and procedures, including proof of contingency plans. HIPAA and FedRAMP compliance demonstrates a provider's commitment to high standards of service and operational excellence.

Key Points

bg res HIPAA 07 requirements

What to look for in a HIPAA-compliant cloud storage provider

HIPAA-compliant cloud storage business relationships begin with a business associate agreement (BAA), but also should have a service level agreement (SLA) that outlines specific responsibilities. According to hhs.gov, SLAs can include provisions that address such HIPAA concerns as:

Before reaching the SLA level, organizations considering cloud storage should ask questions and compare different providers. Those questions could include the following:
  1. How old is the data center hardware and the software used to manage it?
  2. How much downtime, if any, is anticipated during the transition period?
  3. What preventive measures have the provider taken to avoid separation failure (when data from different tenants is inadvertently stored together)?
  4. How does the cloud service provider prove data deletion?
  5. Are the cloud storage facilities staffed 24/7 with technical and security personnel?
  6. Will they share their audits, especially regarding security and financials? Sharing financials can prove stability and display both transparency and sustainability. Performing regular audits is part of being HIPAA-compliant.
  7. Have they ever had a security breach? How was it handled, and what have they done to prevent future breaches?
  8. What kind of background checks are performed on employees? Do employees receive continuing education on best practices in cloud storage and compliance issues? As a potential HIPAA business associate, employee training is a mandated element of compliance.
  9. What is their HIPAA disaster recovery plan? If they don’t have one, consider finding a cloud storage provider with more experience in healthcare data storage.
  10. There are certifications for almost everything under the sun. What certifications does the cloud storage provider have, and what do they mean? Perform due diligence here.
Due diligence in all of these areas is critical. Ensuring the security and accessibility of patient data is crucial. While using these questions as a starting point is helpful, seeking the guidance of an independent auditing company can provide valuable insights that may not be immediately apparent. For a successful cloud storage migration, it is important to assess current and future needs and ensure HIPAA compliance. For a large-scale migration, experienced project managers are necessary. As the transition will impact everyone handling ePHI, strong leadership and a change team capable of mobilizing internal PR, marketing, and education initiatives are essential.

How do you know it's time to consider HIPAA-compliant cloud storage?