7

I was looking into storing SQL DB backups of a healthcare system in the cloud in the event of a disaster to be HIPAA compliant. The solution I came up with was to use Cloudberry backups. What I would want to do is export the SQL DB on my local computer, use a passphrase in the Cloudberry config and the highest encryption settings, and upload to S3 nightly. This data will be at rest.

From what I read in the past this seems acceptable, and the statement below makes it sound acceptable as well but I want to be sure.

A PDF on the Cloudberry site states this:

Leveraging Amazon S3 as a HIPAA-compliant storage platform - The Amazon S3 platform offers a cost-efficient alternative to store your customers’ digital records. All incoming data is automatically duplicated across several distinct locations to provide high durability and availability of customer data. The implemented encryption algorithms protect the confidentiality of in-transit (inbound and outbound) and “at-rest” (resident) data as required by the HIPAA provision. The industry-grade authentication helps delegate specific access control permissions to different user and administrator accounts.

I've read about BAA (business associate agreements) and other things, which some people suggest, and some say is unnecessary. I figured it would just be best to ask the professionals - is this method of backing up HIPAA data to the cloud compliant?

gowenfawr
cutrightjm

1 Answer

5

If you're using CloudBerry backup, enable the client-side encryption so that the files are encrypted before they reach Amazon S3.

Encrypted Data outside of HIPAA scope

You do not need a Business Associate Agreement (BAA) if you are sending encrypted data to a third party provider. Note this encryption must be done with FIPS 140-2 compliant ciphers such as AES-128. Essentially, under HIPAA, encrypted PHI data does not fall under the scope of the law's protection, so long as it is done with approved ciphers. If only encrypted data is compromised, you do not need to notify anyone of the breach.

If unencrypted, get a BAA

Amazon does now offer HIPAA-compliant hosting packages, so if you want to have data unencrypted at Amazon, you would need to sign off on their BAA (provided boilerplate via a web form). I strongly disagree that a BAA is unnecessary for a cloud provider you are storing PHI data with -- I've been through many HIPAA audits from third-party certification companies and they always ask about this. You would then also need your own documentation and security policy to reflect this relationship and document safeguards around the PHI.

Source Material

HHS provides information about encryption and breach notification here.

Information about BAAs is provided by HHS here.

Herringbone Cat
  • Thank you, I appreciate the help. Do you have a source for the encrypted data being stored on AWS, or a decent website I can read about HIPAA in general? Most of the websites I have found are just bits and pieces. – cutrightjm Jul 28 '15 at 01:21
  • I've edited the post to supply some primary sources. I'm reluctant to supply you with any third-party sources because much of HIPAA is vague and subject to interpretation. Also, many HIPAA requirements revolve around documentation and policies. In this case, there's no substitute for a lawyer. – Herringbone Cat Jul 28 '15 at 18:31
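The point both the question and the answer turn on is that the backup must already be ciphertext when it leaves the local machine, so that what Amazon stores is never readable PHI. The following is an added example written for this page, not CloudBerry's code and not a description of its file format: it takes a passphrase (as the asker plans to configure) and a plaintext dump, derives an AES-256 key with PBKDF2-HMAC-SHA256 (hand-implemented on the Go standard library so it runs without extra modules), and encrypts with AES-GCM so that tampering with the stored object is detected on restore. The blob layout (magic string, salt, nonce, ciphertext), the iteration count and the sample dump are all constructed for the example. AES is the cipher family the answer names; GCM is a NIST-approved mode, but whether a particular product's implementation is FIPS 140-2 validated is a property of that product, not of this code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed blob layout for this example: magic | salt(16) | nonce(12) | AES-256-GCM ciphertext+tag.
const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32      // AES-256
	pbkdf2Iter = 600_000 // constructed choice; tune to your hardware, higher is slower to brute-force
)

var magic = []byte("SQLBAK1") // constructed marker, lets a restore tool reject the wrong file early

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF,
// turning a human passphrase plus a random salt into a fixed-length key.
func pbkdf2SHA256(passphrase, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		// T = U1 xor U2 xor ... xor U_iter, with U_j = PRF(U_{j-1})
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// encryptBackup turns a plaintext dump into a self-describing encrypted object:
// the salt and nonce travel with the ciphertext, so only the passphrase stays outside the cloud.
func encryptBackup(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen) // fresh random nonce per backup; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// The header is bound to the ciphertext as associated data, so a modified salt or nonce fails authentication.
	header := append(append(append([]byte{}, magic...), salt...), nonce...)
	return append(header, gcm.Seal(nil, nonce, plaintext, header)...), nil
}

// decryptBackup is the restore path; any error means the object cannot be trusted.
func decryptBackup(passphrase string, blob []byte) ([]byte, error) {
	hdrLen := len(magic) + saltLen + nonceLen
	if len(blob) < hdrLen || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not an encrypted backup blob")
	}
	header := blob[:hdrLen]
	salt := header[len(magic) : len(magic)+saltLen]
	nonce := header[len(magic)+saltLen : hdrLen]
	key := pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, blob[hdrLen:], header)
	if err != nil {
		// A wrong passphrase and a tampered object are deliberately indistinguishable here.
		return nil, errors.New("decryption failed: wrong passphrase or corrupted data")
	}
	return pt, nil
}

// looksEncrypted is the sanity check to run on the object that is actually uploaded:
// no recognisable SQL text from the dump should survive in what the provider stores.
func looksEncrypted(blob []byte) bool {
	return !bytes.Contains(blob, []byte("INSERT INTO")) && !bytes.Contains(blob, []byte("CREATE TABLE"))
}

func main() {
	// Constructed sample dump; a real one is the output of the database's export tool.
	dump := []byte("CREATE TABLE patients (id INT, name TEXT);\nINSERT INTO patients VALUES (1, 'example');\n")
	blob, err := encryptBackup("correct horse battery staple", dump)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d bytes -> encrypted object %d bytes, SQL visible in object: %v\n",
		len(dump), len(blob), !looksEncrypted(blob))
	pt, err := decryptBackup("correct horse battery staple", blob)
	fmt.Printf("restore ok: %v, roundtrip matches: %v\n", err == nil, bytes.Equal(pt, dump))
}
```

The operational consequence for the asker's plan: the passphrase (or a key derived from it) is the only thing that keeps the stored object out of scope, so it has to be stored and backed up separately from S3, and a restore drill should confirm that decryptBackup succeeds on a real object before the nightly job is trusted.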