Is there a HIPAA/HITECH compliant cloud audio storage secure to store clinical research interviews? Can you provide a list of cloud services?
What is HIPAA/HITECH? HIPAA/HITECH refers to two laws: HIPAA is the acronym for the Health Insurance Portability and Accountability Act (1996); and HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act (2009).
Researchers who use protected health information (PHI) or electronic PHI (ePHI) are subject to HIPAA/HITECH and require a compliant cloud storage service to back up, store, and share their research data. In 2019, most popular cloud storage services are HIPAA/HITECH compliant: they comply with the HIPAA Security Rule and are willing to sign a Business Associate Agreement (BAA).
Before I share a few cloud storage service providers I’d recommend you consider, a few tips/thoughts on securing your research data.
Minimize and Secure Endpoints
Endpoints are end-user devices, such as voice recorders, mobile devices, laptops, and desktop PCs. Data breaches are most likely at these endpoints – and not at the cloud storage service. Securing them is the most important step you can take to comply with HIPAA/HITECH.
Consider if you need your mobile devices to have access to your sensitive research data. If it’s not absolutely necessary, don’t grant access. For instance, there’s no reason for your mobile phone to have access to your research interview transcripts.
You also need to store your devices in secure locations – under lock and key. Don’t leave your laptop/voice recorder unattended on the coffee table!
Password protect and encrypt all endpoints. Get a voice recorder that has password protection and encryption features (here’s a list of encrypted voice recorders I recommend) – and use them. Most computer operating systems, Mac OS and Windows, offer full disk encryption – use it. Also enforce two-factor authentication for cloud storage access on all devices. Remember that HIPAA/HITECH compliance means taking steps to ensure that ePHI is still protected even when a data breach occurs. Which segues to my next tip.
HIPAA/HITECH Compliance is a Practice
It’s something that you are always doing. Simply signing a Business Associate Agreement (BAA) with your cloud storage provider does not mean that you’ve complied with HIPAA guidelines. It’s just one step in a very long journey. And keep in mind that the responsibility to protect your data does not lie solely with your online cloud service. In fact, their compliance standards only go so far as to ensure ePHI is safe while in storage and in transmission. Online cloud services do not control how your research team treats protected health information. You do.
So, it is your responsibility, as the covered entity, to ensure that your cloud storage is configured correctly and that the HIPAA Rules are followed. And when choosing a HIPAA-compliant online storage service, please ensure that the service provides all the security controls necessary to comply with the HIPAA Security Rule: data encryption at rest and in transit, audit controls, and configurable administrative controls that allow you to monitor access, usage and data edits by team members and third parties, and to set appropriate access and authentication controls.
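Audit logs only help if someone actually reviews them. Here is an added example (not from the original post, and not tied to Google's, Dropbox's or Box's real log schema) of the kind of review script a study coordinator could run over an exported file-event log. The event shape (timestamp, actor, action, file, target, device), the team domain, the roster and the `interviews/` folder prefix are all assumptions made for the example, and the sample events are constructed, not real data. It flags the three things the post warns about: ePHI shared outside the team, accounts not on the roster touching recordings, and recordings pulled onto mobile devices.

```python
"""Flag risky file-level actions in a cloud storage audit export.

Added example, not from the original post and not tied to any vendor's
real audit log schema. The events below are constructed in a generic
shape (ts, actor, action, file, target, device) that an admin would get
by exporting file-event logs; adapt the field names to what your service
actually emits.
"""
from collections import Counter
from dataclasses import dataclass

# Assumptions for the example: the research team's domain and roster,
# and the folder prefix under which interview recordings (ePHI) live.
TEAM_DOMAIN = "research.example"
TEAM_MEMBERS = {"pi@research.example", "ra1@research.example"}
PHI_PREFIX = "interviews/"
LINK_SHARING = "anyone_with_link"   # constructed marker for open link sharing


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    file: str
    detail: str


def is_external(identity: str) -> bool:
    """True when an account is not in the team's own domain."""
    return not identity.endswith("@" + TEAM_DOMAIN)


def review_events(events):
    """Return a Finding for every event that violates one of three rules.

    Only files under PHI_PREFIX are checked; routine events on other files
    (protocol documents, consent forms) are ignored to keep the signal high.
    """
    findings = []
    for ev in events:
        if not ev["file"].startswith(PHI_PREFIX):
            continue
        # Rule 1: ePHI shared to a non-team account or via an open link.
        if ev["action"] == "share" and (
            ev["target"] == LINK_SHARING or is_external(ev["target"])
        ):
            findings.append(Finding("external-share", ev["actor"], ev["file"],
                                    "shared with " + ev["target"]))
        # Rule 2: an account outside the roster touched ePHI at all.
        if ev["actor"] not in TEAM_MEMBERS:
            findings.append(Finding("non-roster-actor", ev["actor"], ev["file"],
                                    ev["action"] + " by account not on roster"))
        # Rule 3: a recording was pulled onto a mobile device.
        if ev["action"] == "download" and ev.get("device") == "mobile":
            findings.append(Finding("mobile-download", ev["actor"], ev["file"],
                                    "downloaded to a mobile device at " + ev["ts"]))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a weekly compliance review."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample export (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2019-03-04T09:12:00Z", "actor": "ra1@research.example", "action": "upload",
     "file": "interviews/P017.m4a", "target": "", "device": "laptop"},
    {"ts": "2019-03-04T09:15:00Z", "actor": "pi@research.example", "action": "share",
     "file": "interviews/P017.m4a", "target": "transcriber@vendor.example", "device": "laptop"},
    {"ts": "2019-03-04T22:40:00Z", "actor": "ra1@research.example", "action": "download",
     "file": "interviews/P017.m4a", "target": "", "device": "mobile"},
    {"ts": "2019-03-05T08:00:00Z", "actor": "contractor@gmail.example", "action": "view",
     "file": "interviews/P003.m4a", "target": "", "device": "laptop"},
    {"ts": "2019-03-05T08:05:00Z", "actor": "pi@research.example", "action": "share",
     "file": "protocols/consent-form.pdf", "target": LINK_SHARING, "device": "laptop"},
]

if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.actor} on {f.file}: {f.detail}")
    print(summarize(review_events(SAMPLE_EVENTS)))
```

On the sample data the consent form shared by open link is ignored because it is not under the ePHI prefix, while the share to the outside transcriber, the mobile download and the non-roster viewer each produce one finding. An external share is a review item rather than automatically a violation: a transcription vendor that has signed a BAA with you can go on an allow list, which is exactly the sort of administrative control the post says you, not the provider, are responsible for maintaining.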
Here are 3 HIPAA/HITECH cloud storage and backup services that I recommend.
The first service is Google’s G Suite – this is the service that we use at Weloty for all ePHI data. For a few reasons. G Suite is more than just a cloud storage service, they have a number of other services, most crucially Gmail, that are also covered by the BAA. And that is a major advantage of G Suite over other HIPAA compliant cloud storage services.
Google also provides you with a very handy guide of how to set up and use G suite to comply with HIPAA. I encourage you to read their HIPAA implementation guide even if you don’t plan to use G Suite to store and share your research data.
Finally, it’s very easy to add/remove team members to your G Suite account, which means it’s very easy to scale up or down as your research project grows or winds down. You can start off as a single user, whereas most other cloud storage services require a minimum of 3 users.
The only downside to G Suite is that you’ll have to spend time setting up your account apps, notifications, user permissions, audit logs etc. to make it compliant – and the interface is not user friendly and can be confusing. But there are a lot of online help guides – if you do need them.
While all G Suite plans are HIPAA compliant, and Google will sign a BAA for all of their G Suite plans, you’ll need to get the G Suite Business Account, which gives you audit logs (required by HIPAA) for Google Drive. G Suite Business Accounts retail for $10 per user, per month (increases to $12 in April 2019). Get started with your G Suite Business Account 14 day free trial and use the coupon code below to get 20% off your first year subscription.
Dropbox is another HIPAA/HITECH compliant cloud storage service that we use and recommend. With Dropbox, you only get cloud storage, backup, and sharing of files. But the admin interface is very user friendly, so it’s very easy to set up, and they have a handy user guide on how to set up your Dropbox account for HIPAA compliance.
Now, you’ll need to get an Advanced Business account, which has the audit logs with file event tracking features (required by HIPAA). This feature allows you to monitor the file-level actions your team members are taking. The Advanced Business account retails at $25/user/month and has a minimum of 3 users. So at a minimum, it will set you back $75 per month, or you can buy a yearly subscription and save 20%. Get started with your Dropbox Advanced Business Account 30 day free trial.
If you are part of a large research team that needs to share ePHI research data, I recommend you look at Box. Box is another dedicated online storage, backup, and data sharing service. Unlike Dropbox, it’s really built for large teams. It has granular user rights control, and you can have different administrators that are in charge of subsets of your users.
Now, you’ll need to get an Enterprise or Elite account with Box, sign a BAA, configure Box and enforce policies within your team to meet HIPAA requirements. Box does not publicly disclose how much these accounts cost, but keep in mind that you’ll be required to have a minimum of 3 users. For an Enterprise account, contact Box.com.
In conclusion, I’d recommend G Suite for researchers that run small teams, are on a budget, and are willing to spend time to configure the service to HIPAA requirements. However, if you require an easier to use service, and are willing to pay extra, Dropbox is for you. For larger teams, I recommend Box.com.
That’s it for this post. Hope you’ve found it useful. If you have any suggestions, comments or questions, feel free to post them in the comment section below. And keep us in mind for all of your HIPAA compliant qualitative interview transcription needs.