Are Google Drive and Amazon AWS HIPAA compliant?
More healthcare organizations are turning to cloud storage for its flexibility, services and functions. But, with Google and Amazon AWS being two of the largest cloud storage providers used in the healthcare sector, it’s important to ask: Are these platforms up to HIPAA standards?
As always when using a third-party service, it's imperative that hospitals and other providers consider the proper way to use these tools in order to remain HIPAA compliant.
For starters, providers can't just start using the free versions of these platforms for protected health information, said Matthew Fisher, a partner at the law firm Mirick, O'Connell, DeMallie and Lougee. They must purchase the enterprise tier of Google's service.
With this paid version, providers are also responsible for ensuring Google signs a business associate agreement to meet HIPAA standards, Fisher said. “And it’s up to the individual user -- depending on the service -- to make sure the HIPAA guidelines are put into place.”
“When a business purchases the Google Suite of apps, the provider can configure Google Drive to meet all of the organization’s security requirements,” said Erin Whaley, a partner of law firm Troutman Sanders. “AWS is similar: it has a business associate agreement to sign, but you have to implement it in a way that meets your security requirements.”
For Whaley, the area of concern is that many users are so accustomed to using these two platforms in their daily lives that they may not consider the necessary steps to protect the information within their healthcare organization.
“It’s up to the IT folks to make sure the tools are configured in that environment,” said Whaley.
Whaley said that Google offers its own recommendations, as well as ways to limit the sharing of a document or link. These include two-factor authentication, turning off file syncing, restricting file sharing outside of the platform, avoiding placing patient information in a document's title, and regularly auditing access and account logs.
Amazon AWS offers similar guidelines.
“Providers should think about how the system can be implemented to minimize risk,” said Whaley.
And when providers are pursuing these subscription cloud services, Fisher said that healthcare organizations need to think about how the user is connecting to the platform. This includes securing the business associate agreement, determining whether the connection can be made truly secure, and verifying who can access the data.
Another concern is when users download the data from the cloud and place it onto unencrypted devices, said Fisher. “The data needs to be downloaded onto a secure environment, as well.”
“As you’re going through the implementation phases of cloud storage, you can’t just assume it’s configured in an appropriate manner,” he said. “You need to go through the process step-by-step -- starting with admin controls.”
“Then users need to figure out the scope of protection offered, and whether it aligns with your risk assessment analysis,” Fisher said.