10 questions to ask to ensure your cloud services provider is HIPAA compliant

In Security, by Shelly Kramer

More companies are looking to the cloud for business and data storage solutions, especially those in the healthcare space. If your business must be HIPAA compliant, these 10 questions to ensure HIPAA compliance might save you some major headaches down the road.

HIPAA, the Health Insurance Portability and Accountability Act, is one way that security and privacy are regulated. It was enacted to protect the privacy of patient data, much of which is now stored online. HIPAA compliance refers to the minimum requirements for any business or service that stores patient data, such as doctors and hospitals, pharmaceutical companies, and government contractors. Cloud providers can offer solutions for storing and accessing this data, but they are just as vulnerable to data breaches and other risks as anyone else. Providers must be meticulous in making sure they are compliant with HIPAA requirements. However, as a client, it’s important that you also take responsibility for verifying whether your cloud provider is following compliance guidelines.

It’s pretty much a given that cybersecurity must be a top priority for both businesses and their cloud technology providers. HIPAA regulations add a deeper dimension to cloud security: the ramifications of compromised data are huge and could cost a company much more than a tarnished reputation. Understanding how to properly assess a prospective vendor for HIPAA compliance is critical. Here are 10 questions to ask when looking for the right cloud provider.

1. Does your cloud provider have the right policies in place? A cloud services provider must have a program that meets specific security policies and procedures as mandated by HIPAA. One such policy is a Business Associate Agreement (BAA) that sets forth a specific set of guidelines for HIPAA compliance for all parties, including sub-contractors, involved with storing data. With a BAA, cloud providers and all associated parties are liable in the event of data loss or theft. Make sure all the companies handling your data sign a BAA.

2. Do they have a dedicated staff for HIPAA compliance? Your cloud services provider should have dedicated employees on-site working to ensure HIPAA regulations are met. This way, you can have peace of mind knowing that your cloud services provider works around the clock to monitor compliance and delivers a consistently high level of security.

3. What is the encryption process for data? Your provider must guarantee that the transfer of data to and from the cloud is encrypted and secure. HIPAA dictates that FIPS 140-2 encryption is in place for any ePHI (electronic protected health information) that is in transit. Data at rest should also be encrypted, whether it sits in SANs (storage area networks), on local drives, or in backups on hard drives.

4. Do they have access controls? Keeping attackers out doesn’t just involve encryption. Measures must also be in place to prevent internal breaches. Master keys and electronic IDs are two ways in which the provider can safeguard security and limit data access. Biometric scans, such as fingerprint or eye scans, are becoming increasingly popular with tech firms, and that’s a good thing for clients.

5. Do they offer offsite backups? HIPAA also requires that secure offsite backups be in place. This is key to keeping data safe in the event of something catastrophic that could otherwise lead to loss or theft.

6. What security awareness training processes do they have in place? Cloud providers need to consistently assess procedures to make sure they are operating within HIPAA regulations. Providers need a structured and up-to-date program to ensure their employees and clients are familiar with all potential security issues. These programs will also need to be updated as HIPAA regulations change. Human error is one of the main sources of security breaches, so it’s important that the vendor you select understands the importance of ongoing training.

7. What additional credentials or certifications do they have? HIPAA compliance is never guaranteed; however, holding other qualifications can go a long way toward helping clients feel secure. Good questions to ask your prospective cloud service provider should include whether they have additional certifications or attestations such as:

– SOX compliance
– PCI DSS compliance
– SSAE 16
– SAS 70 Type II

8. How do they meet data encryption standards? As mentioned before, providers need to encrypt any data in transit to and from the cloud to make it secure. This also means keeping up with the latest encryption standards and not falling behind industry best practices. Security and encryption are likely at the very top of your list of concerns, so be sure to make this question an important part of the conversation.

9. Do they have a disaster recovery plan? Whether the disaster is natural or man-made, any managed service provider must have a plan in place to deal with data recovery in order to stay compliant. The plan should be well documented, and their staff should have immediate access to it so the proper processes and procedures can be put into action without delay. Ask for a copy of a vendor’s disaster recovery plan as part of your evaluation process.

10. Do they maintain regular internal audits? HIPAA looks closely at whether or not you are performing regular audits of your own vulnerabilities, although the definition of ‘regular’ is not spelled out. Both monthly and quarterly internal reviews are recommended, as well as periodic and annual third-party assessments. As part of your evaluation process, ask about your prospective vendor partners’ internal audit schedule. Once you’ve selected a cloud services vendor, ask to be notified whenever an internal audit is performed. If audits aren’t happening at least every quarter, consider asking that they be.

Tech advances and innovations like cloud services are a huge boon to many businesses, including the healthcare industry. However, the advantages bring an increased risk of cyber threats to patient data. For organizations and the managed service providers with whom they work, it’s vital to make sure all the security measures and HIPAA requirements are in place.

Technology and innovations will continue to make our lives easier, but will also make us more vulnerable. Security will continue to be a top priority as the stakes become higher. Hopefully these questions might help you as you navigate the waters of selecting the best vendor partner for your cloud technology needs.

Other resources on this topic

Your Guide to Compliance in the Cloud
Due Diligence Processes for Cloud Computing Compliance

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

photo credit: who will fight for the privacy of visitors? via photopin (license)

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”
