5 Myths about HIPAA Compliance in the Cloud

Increases in the use of electronic health records and cloud-based data storage have made HIPAA compliance even more confusing. Health care providers often are uncertain about whether they’re able to leverage cloud resources under this legislation. Adding to the problem are a number of prevalent myths that make it difficult to separate fact from fiction when it comes to health data handling and storage.

Myth 1: Encryption Is All You Need
Encryption is a good start—and should be part of both data transit and storage—but it’s not enough. To make sure you’re following HIPAA accountability guidelines, make sure you also have a way to remotely lock or wipe devices and track data at any point.

Myth 2: Cloud Vendors Are The Biggest Problem
In most cases, user error is the issue: Employees accidentally download data they shouldn’t or lose devices containing critical information. Staying safe means regular HIPAA training for staff and a cloud provider that offers device-level user permissions based on role and need.

Myth 3: All Data Service Providers Are Created Equal
As noted above, there’s no single HIPAA standard for cloud providers, but some are far better than others at keeping health data safe. Best bets? Look at track records rather than marketing materials, and don’t let cost drive your decision—you get what you pay for when it comes to protecting health data.

Myth 4: Business Associate Agreements Aren’t for Everyone
False! If you’re storing HIPAA data in the cloud, your service provider needs to sign a business associate agreement (BAA). If they’re unwilling or reluctant—they’ll sign but say it’s not really needed or it will make things “more complicated”—take a pass. You’re on the hook as a covered entity, and BAAs are an essential part of proving due diligence.

Myth 5: Once Is Enough For Risk Assessment
To ensure you are using HIPAA-compliant practices, it’s a good idea to conduct a third-party assessment. But this isn’t a fire-and-forget scenario, especially when you’re dealing with cloud providers. Make sure to reassess your risk every year, and include your certified systems professional. An up-to-date risk assessment is well worth the cost if you are randomly selected for a HIPAA-compliance audit by the U.S. Department of Health & Human Services’ Office for Civil Rights.

The bottom line is that if you operate in the health industry as a covered entity or business associate, HIPAA compliance must be a top priority. Cloud services provide a viable way to store and access HIPAA-protected data, as long as you understand the legislation’s basic guidelines.