this article talks about some of the issues facing cloud services in a HIPAA environment, focusing on Dropbox.

A BAA (business associate agreement) is required when HIPAA information leaves your organization, which would include cloud storage providers. Dropbox (and Box) can do them for business customers but it is not free.
posted by noloveforned at 12:29 PM on August 8, 2018 [1 favorite]

HIPPA-compliance is expensive and a $0 budget is... unrealistic to say the least. I think you'll need to ask for more budget. Given that the cost of defending a lawsuit is several orders of magnitude more expensive than compliance, you should have a pretty air-tight case for getting that budget.
posted by Aleyn at 12:56 PM on August 8, 2018 [2 favorites]

what do you need to accomplish?
posted by entropone at 1:26 PM on August 8, 2018

I looked at Box, the least expensive option, and it will cost about $500 a year.

Are you positive about that? Box requires an enterprise or elite account for HIPPA compliance, and 500 seems really, really low for an enterprise contract.
posted by Fidel Cashflow at 1:51 PM on August 8, 2018 [1 favorite]

Consider AWS S3 even if it seems like a huge bundle of opaque complexity. A lot of work but has incredible security and authorization granularity and tools to provide to different groups and users.

from faq "Is AWS HIPAA compliant"

There is no HIPAA certification for a cloud service provider (CSP) such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule.
posted by sammyo at 1:53 PM on August 8, 2018

Do your partners have HIPAA-compliant document-sharing tools that they're already using, and that they could give you logins (or whatever) to?

How much of the information that you're sharing is private health information? Like, could you use SharePoint to distribute protocol info (or whatever)? Is it at all useful to still use the SharePoint account for non-patient info?

Also how often are you expecting your partners to upload/download the private health information? Is an always-on, accessible-both-ways SharePoint absolutely necessary or could you collect and disseminate the data weekly or monthly or something?

For $0 you may have to cobble together a bunch of different solutions; what particular combo works for you will depend a lot on your specific needs.
posted by mskyle at 1:54 PM on August 8, 2018

An app like S3 Browser for windows has a free option, and there is a full free year "trial" available for AWS. The rules (called IAM identity access management) are work to get right but document access over the S3 repositories would be free or very cheap. What kind of volume, 100's 10k's, more?
posted by sammyo at 2:52 PM on August 8, 2018

It's $5 per user per month so maybe this won't work for you but G Suite is HIPAA compliant.
posted by 6thsense at 4:10 PM on August 8, 2018

OneDrive for Business is HIPAA Compliant. It is dressed-up SharePoint in some ways. Apparently not so for consumer OneDrive.
posted by grouse at 4:20 PM on August 8, 2018 [1 favorite]

G Suite is not HIPAA-compliant at the basic, default level, though it looks like it isn't too hard to Accept the HIPAA Business Associate Amendment.

"G Suite and Cloud Identity customers who are subject to HIPAA and wish to use G Suite or Cloud Identity with PHI must sign a Business Associate Agreement (BAA) with Google."
posted by belladonna at 4:26 PM on August 8, 2018 [2 favorites]

The BAA is the kicker, and (I am way oversimplifying this here, but essentially) what makes electronic storage & transmission of PHI HIPAA-compliant. The terms of the BAA require more work for the service provider, so most cloud service providers charge extra for accounts that include a mutual BAA. The G Suite option may be the cheapest + easiest.

But! This probably isn't the first time your local health department has encountered the need to share PHI with outside partners. Are you sure they don't already have a solution for this?

Alternatively (and I recognize this is a longshot and much more work) is it possible to anonymize the data in the research study so that it's no longer PHI?
posted by rhiannonstone at 7:02 PM on August 8, 2018

I do information security for a large insurer. Based on what you stated and your follow-ups, you are out of your depth. You do not nearly have the expertise to think through this problem.

HIPAA mandates, in the simplest form, that data must be protected in transit and at rest. You're only thinking about half the problem, and you're being a cowboy with health data. The half your question ignores is what got Equifax burned. Rolling your own on the basis of 0 budget is unethical and negligent, full stop.

This is peoples health data. It cannot be revoked if compromised. You cannot reissue a new number. Think about that.

To directly answer your question, you want to a) use a managed file transfer (search term) service that is HIPAA certified. This would take care of transfer. B) you should have a dedicated research computer that you use antivirus on and do not browse the web or open emails on.

If this sounds inefficient, hire a security pro to tailor a solution to your business needs.

If you don't have budget for this, you do not have the appropriate equipment to conduct the study.
posted by bfranklin at 4:04 AM on August 9, 2018 [8 favorites]

Office 365 / SharePoint Online *can* be HIPAA compliant - but not for $0, it would only be compliant at an Enterprise subscription level - and you would also still have to sign a BAA with Microsoft.

Frankly - with a budget of $0, you simply cannot do this, unless you want your organization to end-up on the front-page of some security news site a year from now.
posted by jkaczor at 2:05 PM on August 9, 2018 [1 favorite]

This thread is closed to new comments.