
Practical steps to achieve HIPAA compliance in the cloud
Follow these steps to make sure you find the right partner for your practice
Health care businesses and practitioners in the U.S. must comply with the Health Insurance Portability and Accountability Act (
All staff members who handle ePHI must be trained on their HIPAA compliance responsibilities. The CE must implement policies governing the use, disclosure, and patient rights regarding ePHI.
In many cases, a CE engages a business associate (BA) to assist in processing and storing its ePHI. This article focuses on selecting the right cloud partner to serve as your BA and work with you to meet HIPAA compliance requirements. This guide examines the benefits of managed services for supporting compliance and simplifying your compliance activities.
How to choose a HIPAA-ready cloud partner
The first step in using the cloud for HIPAA compliance is finding the right partner. You want to work with a cloud provider that helps you operate securely and defensibly. You and your cloud BA must be able to demonstrate, not just claim, HIPAA compliance. The cloud provider you choose to partner with should meet the following criteria.
- Verify: CEs must verify that the provider explicitly offers HIPAA-compliant cloud hosting or dedicated server solutions. They should publicly document their HIPAA-relevant controls, such as data encryption, backups, and IT environment isolation.
- Business Associate Agreement (BAA): The BA must sign a business associate agreement (BAA). The lack of a BAA is a HIPAA violation and renders any agreement non-compliant. Clinicians should not work with cloud providers who will not sign a BAA.
- Third-Party Audits: Look for providers with SOC 2 Type II reports or ISO 27001 certifications. They should be transparent with vulnerability scans and penetration test results.
- Regulatory Safeguards: They should provide evidence that they are implementing all safeguards required by the HIPAA Security Rule, including physical security measures for systems that store ePHI.
- Backups: Your cloud providers should provide automated, encrypted, and immutable backups to protect eHPI. They should also have tested disaster recovery procedures that allow ePHI systems and data assets to be recovered quickly to meet HIPAA availability requirements.
- Geographic Redundancy: CEs can improve resilience by working with a partner that provides storage across multiple geographic regions.
- Logging and Monitoring: The cloud partner should monitor the environment to quickly identify and resolve issues. They must perform centralized logging and secure audit trails to meet regulatory requirements. Their log retention policies must align with HIPAA guidelines.
- Technical Support: You want to work with a partner that provides 24/7 support and strong service-level agreements (SLAs) for system uptime, incident response, and problem resolution. The BA should have dedicated security response contacts and a well-defined breach escalation procedure.
What should a business associate agreement cover?
You must choose a cloud partner willing to sign a comprehensive BAA that covers all aspects of your business relationship, including HIPAA compliance. HIPAA compliance requires a coordinated effort between the CE and BA, and the agreement establishes the responsibilities and expectations for each party. BAs must also enter into BAAs with their subcontractors. The BAA covers the permissible use and disclosure of ePHI, as well as the specific security measures to protect it.
A comprehensive BAA should cover the following elements.
- Identify Roles: It must clearly identify the CE and BA, along with their roles, to avoid ambiguity that can lead to compliance gaps and HIPAA violations.
- Permissible Uses: It must specify exactly how ePHI may be used or disclosed and limit access to the minimum level necessary to perform the services.
- Security Safeguards: The agreements must specify how the BA will implement the Administrative, Physical, and Technical safeguards defined in the HIPAA Security Rule.
- Breach Notification Terms: The BAA must define breach and security incident notification terms and timeframes.
- Access Control: It must document the implemented access control and identity requirements
- Audit Rights: The agreement must define the CE’s audit rights and the availability of compliance evidence for audit compliance.
- Data Lifecycle Management: It should provide details on data encryption, retention, the return of ePHI upon contract termination, and the secure deletion methods used to safeguard obsolete patient data.
- Termination Clauses: The BAA should allow the CE to terminate the contract if security vulnerabilities or HIPAA violations are identified and not promptly remediated.
- Indemnification: A strong BAA will include provisions for breaches caused by the BA and well-defined liability caps.
- Incident Alignment: Finally, the BAA should include incident response and breach notification timelines aligning with HIPAA requirements.
Two essential steps to ensure data security
Most cloud environments operate under a shared security responsibility model. The cloud provider is typically responsible for securing the cloud infrastructure, with the customer, in this case a CE, being responsible for the security of the data stored there. CEs must implement the following two practices to safeguard their cloud data.
Multi-factor authentication (MFA)
All access to ePHI and the systems that store it must be protected by MFA to prevent threat actors from using compromised credentials to gain unauthorized access. Users must use more than just a password to interact with ePHI assets. MFA may be accomplished via a simple method, such as a verification code sent to a secondary device, or via more complex biometric solutions, such as fingerprints. CEs should work with their BAs to implement MFA for all ePHI access requests.
Role-based access control (RBAC)
CEs should work with their BA to implement RBAC to limit access to ePHI. Companies should adopt a least-privilege mindset, granting users access only to the data they need to perform their jobs. For example, schedulers may require access to some ePHI, such as names and addresses, but should not be able to view patient care data.
The benefits of managed services
Small health care organizations with limited IT teams have the same compliance responsibilities as large, tech-savvy companies. One of the most important decisions a CE should consider is engaging a BA that offers managed services to handle the day-to-day activities necessary to support a HIPAA-compliant environment. Managed services enable the CE to focus on delivering superior healthcare, knowing that the technical requirements are met to maintain HIPAA compliance and protect ePHI.
The managed services typically offered by providers of HIPAA-compliant cloud hosting solutions include managing infrastructure and platforms to ensure stability and compliance. The provider can manage the environment’s security and access management, as well as patching systems to address known vulnerabilities. Providers can manage backup and disaster recovery to ensure business continuity. Customer support should be provided, including SLAs for incident response, compliance, and risk management assistance.
Engaging managed services from a reputable provider eliminates these technical and administrative tasks, allowing you to concentrate on your core healthcare activities.
Conclusion
Physicians and small health care organizations can address HIPAA compliance in the cloud by working with a qualified provider acting as their business associate. The keys are to find the right partner and understand your responsibility in securing ePHI. Together, you and your partner can ensure HIPAA compliance, protecting your patients’ data and your business from non-compliance violations.
Chris Shyrock is Director of Support Services,
Chris brings expertise in operational efficiency and client relations, ensuring that Atlantic.Net customers benefit from a seamless experience while accessing secure, scalable, and innovative cloud solutions. His work is integral to the company’s mission to empower businesses with cutting-edge cloud technology backed by award-winning support.





