Even though HIPAA identifies cloud service providers as business associates, the responsibility of ensuring compliance falls most heavily on the shoulders of the healthcare organization. Many cloud service vendors are HIPAA-compliant, but it’s not always a default requirement — more like a check-box feature.

It is important to know the difference between the cloud storage options available to you, whether you are debating if it is time to upgrade your free options or if you have been paying for data storage for awhile. The main cloud storage options that are available fall into 3 categories: public, private and hybrid clouds.

HIPAA Compliance as a service in itself is a misnomer because compliance is not a feature you package and sell. It is built around the assessment of a third-party auditor and is not something a vendor can certify. Offering compliance as "a feature" is just another way for cloud providers to get more money for less value. You should consider these reasons why organizations should be wary of a service provider that offers "HIPAA compliance as a feature".

It all seems pretty straightforward from the outside looking in, but the truth is, there are many variables in the relationship between a covered entity and their CSP. For example, what is meant by compliance as a service? What are the risks in choosing a public cloud over a private one?

New rules specifically called out cloud providers as business associates, stating these companies serve to store records on the behalf of covered entities, so they should take steps to protect that data.