Patient safety is the highest priority at health care and life science institutions. Nextcloud makes patient information available to healthcare professionals when they need it through an easy-to-use interface with the highest degree of reliability, security and privacy at reasonable cost.
Analysis: data in healthcare
We recommend keeping sensitive data on your own infrastructure rather than in a public cloud, as the easiest and most cost-effective way of ensuring compliance.
You need 100% certainty
Email and public cloud solutions do not provide much security for sensitive data. Encryption is complicated and cumbersome to use, and its real benefit is reduced when employees work around it or make mistakes.
Keeping data on your own infrastructure means you stay in control. Only then can you show your clients exactly where their sensitive documents are, and regulators can be certain that deviations from proper process are minimized.
Public clouds are not a safe solution
Most consumer-grade solutions like Dropbox or Office 365 were not designed with privacy regulations and security concerns in mind: they mix consumer and business data and spread it across data centers around the globe.
Rather than forcing you to work around those limitations, Nextcloud Files provides a security-first private cloud solution that puts you in complete control over where data is located and who can access it.
Nextcloud meets all Technical Safeguards requirements, supporting full compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Nextcloud is committed to ensuring its software keeps PHI (Protected Health Information) private and secure. We have implemented features, policies and procedures designed to ensure compliance with Federal and State information security laws, regulations and rules, and we monitor ongoing compliance efforts.
- Advanced Access Control capabilities
- Automatic expiration of passwords
- Account lockout upon multiple failed login attempts
- Automatic virus scans
- Secure data backups
- Audit-ready logging of all user actions
- Data-at-rest, in-transit and full end-to-end encryption
- Email verification and two-factor authentication
Because Nextcloud is self-hosted, deploying it does not change the existing compliance status of your infrastructure, provided its features and capabilities are employed as HIPAA and other legislation require. Nextcloud can advise on implementing a HIPAA-compliant setup.
Nextcloud services are designed so that our employees do not need access to any customer data. Where such access is required for a specific support case, all employees have signed confidentiality agreements, and extensive security processes are in place to log, investigate and report any breaches.
We understand that keeping your client’s information safe is of the utmost importance and Nextcloud GmbH will continue to provide its software and services in accordance with the relevant requirements of all state and federal laws and regulations, including, as applicable, HIPAA.
What are HIPAA and HITECH?
The Health Insurance Portability and Accountability Act is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
HIPAA mandates industry-wide standards for protection and confidentiality of protected health information (PHI), both technical and in terms of processes.
The HITECH Act widens the scope of the privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance, and provides for more enforcement.
- HIPAA combined regulation text
- HIPAA FAQ
- HIPAA privacy rules
- HIPAA security regulations
- HIPAA security technical safeguards requirements
Nextcloud fits seamlessly in a HIPAA compliant infrastructure. More details below.
The GDPR (General Data Protection Regulation) makes organizations liable for any violations of user privacy and deviations from a high data security standard.
Legislation like the CCPA (California Consumer Privacy Act of 2018) brings similar regulation to other jurisdictions.
The self-hosted Nextcloud solution simplifies compliance, decreasing business risk and costs.
Making compliance easy
The software offers everything you need for GDPR compliance.
Compliance is a multi-step process and data can be in many locations. Our documentation helps administrators check if they have covered their bases and guides them through delivering on data access, modification and deletion requests.
We offer both a high-level overview and hands-on, concrete documentation for administrators:
- A 12-step compliance checklist
- An extensive, over-20-page Administrator manual
All bases covered
- How the GDPR data processing allowances apply to Nextcloud and when, where and how to ask for permission
- How to deal with public, in-house and B2B Nextcloud servers
- An overview of where personal data can be stored in Nextcloud, covering user accounts, monitoring and logs, apps, file storage, database, backups and more
- How to handle consent, subject access requests, data deletion and more
- An addendum covering popular apps and their GDPR compliance consequences
- Personal rights and how to implement them in Nextcloud
GDPR Compliance Apps
To make compliance easier, Nextcloud offers a number of Compliance apps and capabilities.
- Configurable imprint and privacy links for your login page
- Data Request app to allow users to request data deletion or modification from their user settings
- Delete Account app to allow users to delete their account
- Terms of Service app that only gives access to Nextcloud after users have read and agreed to the terms (handles updated terms as well)