[SNAPSHOT] WPMU DEV Cloud - HIPAA Compliant?

My site has to be HIPAA Compliant. I want to use managed backup option in Snapshot.
Is your cloud HIPAA compliant?

  • Josh-VisionIntoDestiny.com

    Ran into this before. This is what I know about the HIPAA storage compliance...

    Cloud-storage services must sign a business associate agreement (BAA) with the healthcare organization that stipulates the vendor’s compliance with HIPAA requirements. So it isn't Snapshot the plugin that needs to be HIPAA compliant, it is your storage destination that needs to be compliant. Your files also need encryption in transit to the storage destination.

    5 cloud storage services that are HIPAA-compliant

    HIPAA does not prescribe specific methods or tools for how to secure data; however, encryption is encouraged as a best practice. Breached data is not considered unsecured if the PHI “is rendered unusable, unreadable or indecipherable to unauthorized individuals.” According to HIPAA guidance by the Department of Health and Human Services (DHHS), encryption processes that follow NIST (National Institute of Standards and Technology) criteria meet the above requirement.

    Some cloud services, including iCloud, don’t provide BAAs, while others don’t encrypt data both at rest and in transit. Some services, such as Amazon S3, are not HIPAA compliant out-of-the-box but can be configured with some customization.

    The following cloud storage services offer HIPAA support that include BAAs and encryption of data in transit and at rest:

    Dropbox (Business)

    The company announced support of HIPAA and HITECH Act compliance in November 2015. It now provides BAAs for Dropbox Business customers. Administrative controls include review and removal of linked devices, user access, user activity reports, and enabling two-step authentication.

    The business version costs $12.50 per month per user, starting with five users. It includes unlimited storage and file recovery, Office 365 integration, advanced collaboration tools, system alerts and granular permissions.

    Box

    Having added HIPAA/HITECH support in 2013, Box has been actively marketing to healthcare customers. BAAs are provided for enterprise accounts. Features include access monitoring, reporting and audit trail for users and content, and granular file authorizations.

    Box integrations include Office 365, DocuSign, Salesforce, and Google, among others. It also allows for securely viewing DICOM files (for X-rays, CT scans and ultrasounds) and for securely sharing data through a direct messaging protocol.

    Google Drive

    Google offers a BAA for Google Apps for Work customers. Covered apps include Docs, Sheets, Slides, and Forms as well as several other services such as Gmail. (Some core and all non-core apps from the Google App family are excluded.) Administrative controls include account activity and app activity tracking, audits, and file-sharing permissions.

    Google Apps for Work offers two plans. At $5 per user per month, it includes 30GB of storage space. The $10 per user per month plan has unlimited storage (or 1TB per user if fewer than five users) and several advanced features such as additional administrative controls, audit and reporting for Drive, and Google Vault for eDiscovery.

    Microsoft OneDrive

    Microsoft supports HIPAA/HITECH by offering BAAs for enterprise cloud services, and it has some of the best security practices in the industry. The security features are the most robust at the Enterprise E5 level, which costs $35 per user per month.

    Enterprise E5 includes 1TB of file storage and sharing, advanced security management for assessing risk and gaining insights into threats and advance eDiscovery.

    Carbonite

    BAAs are provided for Carbonite for Office customers. Safeguards include offsite backup for disaster recovery; compliance with the Massachusetts Data Security Regulation, which the company says is widely accepted as the most stringent data protection in the country; and data encryption both in the cloud and on the local endpoint (as well as in transition).

    Three office plans are offered, ranging from $269.99 to $1,299.99 per year. The first two tiers include 250GB of storage and the ultimate version has 500GB; additional storage packs can be purchased with all plans.

    Your vendor’s HIPAA certification is not enough

    The fact that a cloud storage provider offers BAAs, specific administrative and security controls, and encryption may not, in and of itself, make a healthcare organization HIPAA compliant by default.

    This is how Microsoft explains it: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

    HIPAA covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. Ultimately, the covered entity or business associate is the one responsible for making sure all its regulatory mandates are being followed.

    Making sure the PHI is encrypted in the cloud is only the first basic step. OCR also places an emphasis on risk assessment and management. Prior to adopting any new cloud service, organizations should conduct a comprehensive risk assessment and ensure policies, processes, and technology are in place to mitigate risks. To learn more about how to implement a HIPAA compliance program, download a HIPAA and HITECH Cloud Compliance Cheat Sheet.
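Josh's post makes two concrete technical demands of the storage destination: encryption in transit and encryption at rest, and notes that Amazon S3 meets them only once configured. The script below is an added example (not WPMU DEV's or Snapshot's code) showing how a practitioner can check an S3 bucket policy document for the two Deny statements that enforce those demands: one that refuses any request arriving without TLS (the real S3 condition key `aws:SecureTransport`), and one that refuses `s3:PutObject` calls that do not set the server-side-encryption header (the real condition key `s3:x-amz-server-side-encryption`). The bucket name, account ID and both policy documents are constructed for illustration.

```python
"""Check whether an S3 bucket policy enforces TLS-only access and
server-side encryption on uploads.

Added example, not WPMU DEV / Snapshot code. Bucket name, account ID and
the two sample policies are constructed; the condition keys are real S3 keys.
"""
import json

# Constructed sample: a hardened policy for a hypothetical backup bucket.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-backup-bucket",
                "arn:aws:s3:::example-backup-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-backup-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
})

# Constructed sample: a policy that only grants access and enforces nothing.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBackupWriter",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-backup-bucket/*",
        }
    ],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_action(statement, action):
    """True if the statement's Action matches `action`, or is a wildcard for all S3."""
    return any(a in ("*", "s3:*", action) for a in _as_list(statement.get("Action")))


def denies_insecure_transport(policy):
    """True if a Deny covering all S3 actions fires when aws:SecureTransport is false."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or not _covers_action(st, "s3:*"):
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def denies_unencrypted_put(policy):
    """True if a Deny on s3:PutObject fires when the SSE header is absent (Null == true)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or not _covers_action(st, "s3:PutObject"):
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        if str(null_cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            return True
    return False


def check_policy(policy_json):
    """Evaluate both controls on a bucket policy given as JSON text."""
    policy = json.loads(policy_json)
    return {
        "tls_only": denies_insecure_transport(policy),
        "sse_required": denies_unencrypted_put(policy),
    }


if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_policy(doc))
```

The checker inspects only the policy document, so it tells you whether the destination *refuses* plaintext transport and unencrypted uploads, not whether a given backup was actually encrypted; pair it with the provider's BAA and your own risk assessment, as the post above says. Note that `_covers_action` accepts the `*` and `s3:*` wildcards, so a broad Deny written with either form still counts.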

  • Adam Czajczyk

    Hello Gabe

    I hope you're well today!

    I think Josh already shared very helpful information with us (thanks Josh-VisionIntoDestiny.com!), so let me just address the WPMU CLOUD part.

    Our cloud, where the Managed Backups are stored, is based on AWS, which is HIPAA compliant and, as Josh explained, the "end user" doesn't need to sign any additional agreement with AWS.

    Please note, though: I'm saying that based on information that I got from our developers and on Amazon docs. Please consider consulting a legal professional to make sure that this is the right approach in light of the laws of your country.

    Kind regards,
    Adam
