Mitigating Cyber Risk — The Cloud

Healthcare practices and facilities increasingly depend on cloud storage because it lets users access data across a variety of electronic devices while eliminating the costs and difficulties of maintaining a physical storage system.

Cloud storage is a network of remote servers that allow for centralized data storage and online access to these resources. Your files are stored on a server connected to the Internet instead of on your own computer’s hard drive or in your own data center. This eliminates the need to purchase hardware to store files, to upgrade your hardware to get extra storage space, or to delete old files to make room for new ones. The cloud is convenient and cost-effective, providing a way to automatically back up your files and folders.

The cloud can be a safe and appropriate method of data storage, but the safety level of the cloud, and whether it’s appropriate for use, depends on the vendor.

The decision to use the cloud to store HIPAA-protected records should not be made until substantial due diligence has been performed on the cloud service provider. Keep the following issues in mind:

  • Are the vendor’s security standards appropriate? Make sure the company has a good reputation and solid security policies. You are entrusting the provider to store your information, so the extra time spent researching and comparing providers and their security practices will pay off in the long run.
  • How much data will you be storing? Many companies charge by the amount of storage you use, so understand what your needs are before choosing a vendor. Ensure the vendor can handle the amount of data you would like to move to the cloud.
  • Ensure your data is encrypted when being uploaded to or downloaded from the cloud. This is also your responsibility. Make sure your browser or app requires an encrypted connection before you upload or download your data. Also ensure all devices that contain PHI are encrypted.
  • Most importantly, make sure your HIPAA-protected data is encrypted when stored in the cloud. Data protected by law, such as medical information or personal identifiers, should never be stored in the cloud unless the storage solution is encrypted. Many cloud service providers store data on a cloud server with no encryption, meaning anyone who has (or can get) high-level access to that server will be able to read your files. Carefully review the specific terms of service within your agreement with the provider to ensure it guarantees encryption of all of your stored data.
  • Select which members of your organization will be able to decrypt the data, and create policies detailing under what circumstances information can be decrypted.
  • Understand how access is shared in your cloud folder. Many cloud storage providers allow you to share access to your online folders. Be familiar with the details on how that sharing works. Is access read-only or can the user edit the file? Can you identify the last person to edit a file? Awareness of who has access, and how access is gained, is critical to monitoring activity within your stored data.
  • Understand your options if the cloud provider is hacked or your data is lost. Virtually all cloud service providers require a user to sign an agreement that contains a terms of service provision. In most cases, these agreements provide that the user has very little, if any, remedy if a hack or a loss of data occurs. Pay attention to what rights you have given up and make sure you are comfortable with that decision.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

Address
The Doctors Insurance Agency
215 S. Highway 101, Suite 117
Solana Beach, CA 92075
(858) 345-1370
(800) 464-2986