What You Should Look For In a HIPAA Cloud Provider

When considering a new HIPAA cloud provider, healthcare entities need to ask key questions to ensure they will receive the top level ePHI storage security. OnRamp has compiled the key questions you should ask any potential cloud storage provider to ensure they meet your HIPAA compliant hosting needs.

Official HIPAA Compliance Processes

  1. Is the client infrastructure auditable?
    One of the most critical requirements for a HIPAA compliant hosting provider is the ability to facilitate an auditor’s risk assessment of the environment that houses ePHI. Because auditing requires physical inspection, an ideal data center will allow auditors to enter the facility to inspect the individual components that make up the IT environment and the critical systems that are in place to ensure the confidentiality, availability and uptime of the data that resides on this system.
  2. Will the provider sign a business associate agreement?
    In order to adhere to HIPAA standards, a BAA must be signed. A BAA, or a business associate agreement, must be validated between a HIPAA covered entity and a HIPAA business associate. The required BAA will acutely define responsibilities of each party in an effort to maintain compliance.
  3. How many of their clients are in healthcare and how do they facilitate HIPAA compliance with those clients?
    When trying to find the best HIPAA compliant cloud hosting provider, it is best that your provider has experience with healthcare customers. Navigating HIPAA compliance is tricky and a cloud hosting provider should be well-versed in addressing the dynamic needs of healthcare businesses. For example, cloud storage providers should be able to define responsibilities for each party in an effort to maintain compliance.
  4. Does the provider have a HIPAA compliance officer or a designated official responsible for HIPAA?
    As HIPAA Business Associates, cloud storage providers must have a designated HIPAA compliance officer or official who can be responsible for maintaining HIPAA compliance.

Private Clouds

  1. Does the service provider offer private clouds?
    When handling sensitive data like ePHI, a safe cloud environment is paramount. In some cases this is better achieved through a private cloud infrastructure. This should include highly secure, highly available dedicated servers with additional hardware and software that can offer protection from security threats, such as hyperjacking and DDoS attacks.

Security Awareness Training

  1. Does the provider have a structured security awareness program?
    A strong HIPAA compliant cloud storage provider will have in place a structured, well-documented program to conduct security awareness training. In compliance with the HIPAA Security Rule, the policies surrounding this program should be reviewed on a regular basis. As HIPAA requirements evolve and are updated, so too should the security awareness program be adjusted. This should all be part of an effort to continually meet HIPAA’s guidelines.
  2. Do they educate staff on their security awareness program?
    HIPAA compliance isn’t a one-and-done process; it requires attentive maintenance and attention to detail. Cloud providers should have a formal program in place to educate their staff on security procedures and offer ongoing training. Training should be conducted based on the individual’s level of interaction with ePHI or the systems in place to store this sensitive information.
  3. What is the vendor’s incident response process?
    Any quality cloud provider will have an incident response process available for clients. The process should be well-documented, readily available to staff, and have an established timeframe.


  1. Do they provide FIPS 140-2 Encryption for data in transit?
    Cloud providers need to be able to ensure FIPS 140-2 Encryption is applied to all ePHI in transit for unauthorized users, as dictated by HIPAA. Data should be rendered unusable, unreadable and indecipherable to any unauthorized users who may try and locate or access the data in transit. Any HIPAA compliant cloud provider should be able to facilitate this requirement.
  2. Does the provider do encryption at rest for SANs or local drives?
    Any cloud provider should also be able to offer encryption for ePHI at rest for SANs and local drives. Level of encryption for data at rest must meet certain requirements under HIPAA ex. AES 256 Bit Encryption. Confirm with any potential cloud provider that this can be maintained.

Business Continuity

  1. Does the provider offer secure offsite backups?
    Much like the safeguards around infrastructure, HIPAA asks that measures be taken to offer secure offsite backups. Designed to assist with data preservation in the case of a breach or disaster, cloud providers should offer offsite backups to clients looking to establish a cloud-based HIPAA solution to solidify data security.
  2. Does the provider offer disaster recovery or business continuity solutions?
    Ideally, the provider will offer disaster recovery or business continuity solutions to help mitigate the threat of downtime in the event of a disaster. A cloud service provider with multiple data centers that are geographically dispersed and on different power grids can help maintain high availability should such an event occur.

To learn more about HIPAA complaint cloud storage, consider OnRamp’s dynamic and multilayered security capabilities in private cloud storage.