{"id":2550,"date":"2013-07-30T00:00:00","date_gmt":"2013-07-30T00:00:00","guid":{"rendered":"http:\/\/otava.test\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/"},"modified":"2013-07-30T00:00:00","modified_gmt":"2013-07-30T00:00:00","slug":"no-encryption-or-baas-keep-phi-off-unsecure-clouds","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/","title":{"rendered":"No Encryption or BAAs: Keep PHI off Unsecure Clouds"},"content":{"rendered":"

Google Drive, formerly Docs, is a free collaboration tool that can be used to store and manage large amounts of data – unless that data falls under the scope of protected health information (PHI); that is, personal patient health record data.<\/p>\n

Recently it was revealed that Oregon Health & Science University (OHSU) kept a Google spreadsheet to maintain and exchange information about patient admissions to the hospital under the Division of Plastic and Reconstructive Surgery, as well as within two other urology and kidney transplant departments. About 3k patients were listed – while there was no reported data breach, merely the discovery of the unsecured cloud data was enough to require breach notification under HIPAA.<\/p>\n

While the popular online document storage service is a classic example of what cloud computing<\/a> can provide, it cannot meet the security requirements desired by the HIPAA mandate that was recently updated to include data storage\/cloud service providers within the scope of liability. HIPAA comes with fines and penalties for data breaches of patient information.<\/p>\n

Cloud service providers are now considered business associates, meaning they must sign a business associate agreement (BAA) with healthcare clients that use their services (Google does not \u00a0currently sign BAAs).<\/p>\n

Additionally, encryption of data at rest and in transit is an addressable but highly recommended aspect of meeting HIPAA compliance, and it also makes a healthcare organization exempt from the HIPAA Breach Notification Rule, primarily because encryption renders data unreadable even if accessed by unauthorized individuals. Google does not encrypt files stored on Google Drive.<\/p>\n

When contracting with a HIPAA cloud provider<\/a>, ask them if they provide encryption and at what level. Check their HIPAA audit reports and risk assessments if they have them, and ask which technical security services can help them fulfill HIPAA requirements. Make sure their BAA addresses who has access to the data, how data is handled after service termination and breach notification policies. Read Five Questions to Ask Your HIPAA Hosting Provider<\/a><\/em> for a more detailed explanation of the questions to ask.<\/p>\n

\"HIPAA<\/a>For more about HIPAA security and cloud infrastructure, read our\u00a0HIPAA Compliant Hosting white paper.<\/a><\/p>\n

This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a\u00a0HIPAA compliant data center<\/a>\u00a0IT architecture, contractual requirements, benefits and risks of\u00a0data center<\/a>\u00a0outsourcing, and vendor selection criteria.<\/p>\n

Learn more about cloud security and private clouds in healthcare:
\nHow the HIPAA Cloud Protects PHI for Physician Software as a Service (SaaS)<\/a><\/em>
\nHow does the HIPAA compliant cloud support and enable progression of health IT and patient care? By creating a high availability, reliable data and application hosting infrastructure that\u2019s secure enough to meet healthcare industry data security compliance regulations, like the Health \u2026 Continue reading \u2192<\/a><\/p>\n

Encryption for the HIPAA Compliant Cloud<\/a><\/em>
\nMany cloud computing infrastructure as a service (IaaS) providers may provide log monitoring, antivirus, web application firewalls, SSLs, dedicated SANs and more for healthcare organizations, but often the missing ingredient lies in one key technical aspect: encryption. Encryption for healthcare \u2026 Continue reading \u2192<\/a><\/p>\n

References:
\nOHSU Notifies Patients of \u2018Cloud\u2019 Health Information Storage<\/a><\/p>\n

<\/div>\n","protected":false},"excerpt":{"rendered":"

Google Drive, formerly Docs, is a free collaboration tool that can be used to store and manage large amounts of data – unless that data falls under the scope of protected health information (PHI); that is, personal patient health record data. Recently it was revealed that Oregon Health & Science University (OHSU) kept a Google spreadsheet to maintain and exchange information about patient admissions to the hospital under the Division of Plastic and Reconstructive Surgery, as well as within two other urology and kidney transplant departments. About 3k patients were listed – while there was no reported data breach, merely the discovery of the unsecured cloud data was enough to require breach notification under HIPAA. While the popular online document storage service is a classic example of what cloud computing can provide, it cannot meet the security requirements desired by the HIPAA mandate that was recently updated to include data storage\/cloud service providers within the scope of liability. HIPAA comes with fines and penalties for data breaches of patient information. Cloud service providers are now considered business associates, meaning they must sign a business associate agreement (BAA) with healthcare clients that use their services (Google does not \u00a0currently sign BAAs)….<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-2550","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nNo Encryption or BAAs: Keep PHI off Unsecure Clouds | OTAVA<\/title>\n<meta name=\"description\" content=\"OHSU kept a Google spreadsheet to maintain patient data. While there was no data breach, the discovery of unsecured cloud data required HIPAA notification.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"No Encryption or BAAs: Keep PHI off Unsecure Clouds\" \/>\n<meta property=\"og:description\" content=\"OHSU kept a Google spreadsheet to maintain patient data. While there was no data breach, the discovery of unsecured cloud data required HIPAA notification.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2013-07-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"No Encryption or BAAs: Keep PHI off Unsecure Clouds\",\"datePublished\":\"2013-07-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\"},\"wordCount\":524,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\",\"url\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\",\"name\":\"No Encryption or BAAs: Keep PHI off Unsecure Clouds | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png\",\"datePublished\":\"2013-07-30T00:00:00+00:00\",\"description\":\"OHSU kept a Google spreadsheet to maintain patient data. While there was no data breach, the discovery of unsecured cloud data required HIPAA notification.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"No Encryption or BAAs: Keep PHI off Unsecure Clouds\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"No Encryption or BAAs: Keep PHI off Unsecure Clouds | OTAVA","description":"OHSU kept a Google spreadsheet to maintain patient data. While there was no data breach, the discovery of unsecured cloud data required HIPAA notification.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/","og_locale":"en_US","og_type":"article","og_title":"No Encryption or BAAs: Keep PHI off Unsecure Clouds","og_description":"OHSU kept a Google spreadsheet to maintain patient data. While there was no data breach, the discovery of unsecured cloud data required HIPAA notification.","og_url":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/","og_site_name":"OTAVA","article_published_time":"2013-07-30T00:00:00+00:00","og_image":[{"url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png","type":"","width":"","height":""}],"author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"No Encryption or BAAs: Keep PHI off Unsecure Clouds","datePublished":"2013-07-30T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/"},"wordCount":524,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"image":{"@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/","url":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/","name":"No Encryption or BAAs: Keep PHI off Unsecure Clouds | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage"},"image":{"@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png","datePublished":"2013-07-30T00:00:00+00:00","description":"OHSU kept a Google spreadsheet to maintain patient data. While there was no data breach, the discovery of unsecured cloud data required HIPAA notification.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#primaryimage","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-hipaa.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/no-encryption-or-baas-keep-phi-off-unsecure-clouds\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"No Encryption or BAAs: Keep PHI off Unsecure Clouds"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2550"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2550\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2550"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}