By Morris W. Stemp, CPA, MBA, CPHIMS, February 03, 2014
I am sure that by now all physicians have heard of “the cloud” and how all applications are moving to the cloud. Maybe you’ve heard your colleagues talking about the cloud, or your EHR vendor has mentioned that their system is moving to the cloud. But it’s likely that your understanding of the cloud is...still cloudy. In our blog post, “The Cloud Crashed Again: Understanding the Cloud’,” we describe many of the services that are provided in the cloud. This article focuses on one specific use of a public cloud: Using the cloud for data storage.
Cloud storage defined
Cloud storage refers to storing data remotely in an off-site data center maintained by a third party which is accessed via the Internet. In one usage scenario, the cloud storage may serve as the primary repository of data or possibly as a supplement to local data storage for some types of files. For example, a dermatologist may store all his diagnostic images or reports directly into the HIPAA-compliant box.com service. In a second scenario, cloud storage may be a backup location for data maintained inside a practice office. For example, a practice might implement an automated backup routine to copy its EHR data files from a local server to a cloud backup service. [pagebreak]
Advantages of cloud storage
- Scalability and flexibility
With most cloud providers, storage space is scalable, which means that you use as much space as you need and you only pay for what you use.
- Lower cost
As the number of cloud storage service providers increases, the price for online storage falls. Many companies even offer a limited amount of storage space for free. Another way that using cloud storage reduces costs is that a practice may be able to reduce its IT staffing and support required to maintain and back up a local storage infrastructure.
- Sharing and collaboration
Another benefit is the ability to share the cloud-hosted data with authorized individuals. For example, a dermatologist may store an image in the cloud (possibly using a free storage account) to enable another physician to view the image and provide a second opinion. Related to sharing data is the idea of collaboration. Using Google Drive, for example, two doctors working from separate locations can simultaneously edit the same document or spreadsheet.
- Access from anywhere
Data may be accessed from any location that has Internet access and from any device, including an iPad or smartphone.
- Enables backup
The cloud can also be used as a destination for backup copies of data stored on the workstations and servers inside a medical practice. On a limited scale, users can simply make a copy of specific data files to a cloud storage location. For more comprehensive backups, practices can use Carbonite and Mozy, two heavily marketed backup services, to back up to a cloud-based data center as the foundation of a basic disaster recovery plan. [pagebreak]
Do you need to backup data stored in the cloud?
Many cloud providers replicate all data to multiple data centers. This protects against any type of failure at a single data center including loss of data, loss of communications access, power failure, etc. Given this redundancy, a backup to protect against data loss is not required.
For files which, once created, never change, such as an image or a report printed at a moment in time, a static backup may be an appropriate level of data protection. For documents or databases (such as EHR data files or QuickBooks files), a user may wish to recover a previous version either to view past edits or to recover a database from a point in time before the database may have become corrupt. This feature, offered by some cloud storage providers such as box.com, is called version control or version history.
If your cloud provider does not provide these backup services, you should develop a backup plan of your own.
HIPAA requires that a practice complies with the privacy and security rules related to the protection of electronic protected health information (ePHI). If a practice stores ePHI data in the cloud, that cloud storage vendor is considered a business associate (BA) of the practice. All business associates are required to abide by the same administrative, physical, and technical safeguards that HIPAA requires of the practice. A BA certifies its compliance by signing a Business Associate Agreement or BAA. Even given a BAA, it is recommended that a medical practice seek specific documentation that the vendor has performed a risk assessment, and has implemented HIPAA policies, procedures, and safeguards. [pagebreak]
Some cloud providers have implemented controls to make their storage cloud HIPAA compliant and will sign a BAA. Other cloud providers will not sign a BAA; health care providers should not store ePHI with these vendors.
Using a HIPAA-compliant cloud storage vendor alone does make a medical practice HIPAA compliant. A practice is responsible for configuring the service in a HIPAA-compliant manner and enforcing policies within its organization to achieve HIPAA compliance. For example, access to specific cloud storage folders must be password protected with strong passwords changed on a regular interval and the user access audit trail should be reviewed on a regular basis.
HIPAA-compliant cloud storage vendors
The following are a few cloud storage vendors that have achieved HIPAA compliance.
Box offers multiple service plans, from personal to enterprise, but will only sign a BAA with its customers who have an Enterprise or Elite account. Box.com achieved HIPAA compliance in November 2012.
Dropbox, a popular cloud storage service, is not HIPAA compliant. However, paired with Sookasa, which provides an encrypted folder inside Dropbox, the Dropbox service can be used in a HIPAA-compliant manner. The Sookasa folder can be used to securely share and collaborate on files with others. Keys are provided to access files, and this access can be de-authorized by blocking users. Sookasa is currently free for private use and charges a fee for advanced features and for business. [pagebreak]
In September of 2013, Google offered to sign BAAs as a means to HIPAA compliance. This enables health care practices to deploy Google Apps with some strict limitations. The BAA terms restrict the use of Google’s social properties, including Plus, Groups, and Sites, from the Google account associated with PHI. These services must be disabled in the Google account used for PHI.
Microsoft Office 365
Office 365 was the first major business productivity public cloud service provider to sign HIPAA BAAs. The BAA covers most of Microsoft’s cloud services, including cloud-hosted Office Suite (Word, Excel, PowerPoint, etc.), Exchange for email and calendaring, online versions of SharePoint for content management and collaboration, and Lync for unified communications. Skydrive Pro is the HIPAA-compliant cloud storage service offered in conjunction with Office 365.
HIPAA-compliant cloud storage offers a medical practice another option to store and backup all of the data used by the practice. Whether or not your practice uses a cloud-based EHR system, your practice can benefit from the scalability and mobility offered by cloud-hosted storage.
- Cloud storage can minimize a practice’s on-site record storage needs.
- Cloud storage is scalable, so a practice pays for only what it uses.
- Data stored in the cloud can be accessed from any device and any location that has an Internet connection.
- Choosing a HIPAA-compliant data backup solution is critical. Different kinds of data may require different backup arrangements.
- Several well-known companies now offer HIPAA-compliant cloud storage solutions.