The HIPAA-compliant cloud | Addiction Professional Magazine

The HIPAA-compliant cloud

October 6, 2014
by Asaf Cidon

Addiction professionals hardly need the Health Insurance Portability and Accountability Act (HIPAA) to tell them how important it is to safeguard the records of their clients. Perhaps more than workers in any other field, addiction professionals understand how sensitive this information is and how disastrous it would be if their clients' files became public or fell into the wrong hands. A single data breach, they know, could lead to dozens or even hundreds of ruined lives.

Still, HIPAA formalizes the requirement to protect patient data, with violators facing potential fines of up to $1.5 million, plus civil liabilities and a damaged reputation. And while new technology has made it easier to store and share documents, this free flow of information actually makes it more difficult for care providers to stay HIPAA-compliant.

Take the cloud, for instance. Cloud-based file-sharing sites such as Dropbox, Box and Google Drive all allow users to sync their documents across multiple devices and share them seamlessly with other users. An addiction therapist might take notes on a tablet during a patient session, later annotate those notes on a laptop, and then share them with the patient’s primary care provider, who views them on a desktop computer in her office.

The problem is that none of these file-sharing services are compliant with HIPAA. Dropbox and similar services encrypt documents while they’re stored in the cloud, but the files are unprotected again as soon as they’re downloaded to a device. E-mail, which isn’t as versatile or useful as these services anyway, also is not compliant unless the files are encrypted. Therefore, care providers often resort to faxing or even snail-mailing documents to each other, completely losing out on the productivity boost that the cloud can help provide.

The good news is there are ways to make the cloud compliant with HIPAA. One option is to invest in a dedicated software product specially designed to encrypt documents shared through cloud-based services. This kind of software creates a compliance “shield” around files stored on Dropbox, converting files into HIPAA safe havens. The files are encrypted even when they are synced to new devices or shared with other users, meaning that they are protected no matter where they reside.

These file-protection software products also allow users to control and revoke access to files, and to audit them in order to see who has opened or shared them—an essential component of HIPAA compliance. Also, because only trusted users can open documents protected by the software, there is no risk of accidentally sharing files with unauthorized third parties (which might otherwise happen if someone makes an error in typing an e-mail address, for instance). Best of all, these software solutions are straightforward and easy to use.

The federal 42 CFR Part 2 regulation further limits disclosure of information about patients in substance abuse treatment. File encryption software allows the patient to designate which people can be granted access to sensitive information. It provides end-to-end encryption for addiction professionals storing and retrieving information from their desktops and mobile devices, or sharing it with other authorized colleagues.

Other protection options

Although file-protection software offers the simplest and most effective way to store and share files safely, it is not the only option. Some organizations try to approximate the cloud by setting up their own file servers. Others use a cloud-based file-sharing service and then protect their files by encrypting all of their devices.

No matter which solution one chooses, a “compliant cloud” can dramatically boost productivity by streamlining the way a practice's documents are stored and shared, while meeting HIPAA regulations. Most obviously, backing up all data on the cloud ensures that one never will accidentally destroy a single patient file. In the event of a flood or fire, even if all paper files and computing devices are ruined, all documents can be retrieved if they have been backed up with a service such as Dropbox.

The ability to sync documents across a number of devices is also helpful, especially if a professional conducts work in more than one place. But the ability to share files instantly and safely is probably the biggest draw of the compliant cloud for addiction professionals. Therapists and counselors often work as part of larger networks and they frequently need to send patient files to other providers. Faxing and postal mail aren’t just slow and inefficient—they’re also time-consuming and expensive. A switch to the compliant cloud can save hours of administrative work each week, and eliminate the cost of postage or a dedicated phone line for a fax machine.

The consumer and business worlds already are taking advantage of the benefits the cloud has to offer. By making the cloud compliant with HIPAA, addiction professionals can reap these benefits, too.


Asaf Cidon is CEO and co-founder of Sookasa, a company whose mission is to allow businesses to control their data securely via the cloud with a product that encrypts, audits and controls access to files stored on Dropbox. He is a Stanford PhD candidate, specializing in mobile and cloud computing.