HIPAA-Compliant Cloud Storage, 11 Services Ranked for 2026

cloud, HIPAA Compliance, phi

Adelia Risk is a cybersecurity firm that helps small medical practices, billing companies, and business associates pass HIPAA audits and keep electronic protected health information (ePHI) out of the headlines under HIPAA and the HITECH breach notification rule. The Business Associate Agreement (BAA) used to be the hard part of buying HIPAA-compliant cloud storage; now, almost every major vendor will sign one.

The hard part is knowing which tier the BAA attaches to, which features sit outside its scope, and which services quietly stopped qualifying this year.

This article ranks 11 services we see most often in healthcare cybersecurity engagements and tells you where the traps are. If you are trying to pick the best HIPAA-compliant cloud storage for a 1-20-person practice in 2026, this is the short list we keep coming back to. You get a comparison table up front, per-service verdicts, a dedicated section on cloud backup, which is not the same as cloud storage, and answers to the questions buyers actually ask.

The Best HIPAA-Compliant Cloud Storage Services, Compared at a Glance

BAA statuses verified against each vendor’s own HIPAA or compliance page in April 2026. We rank by a mix of BAA scope, tier accessibility, security defaults, and real-world ease of configuration for a typical 1-20 person practice: primary-workspace storage first, dedicated backup second, infrastructure platforms where they fit.

# | Service | BAA available | Minimum plan for BAA | Price indicator | Adelia verdict
1 | Google Workspace / Drive | Yes | Business Starter (any paid Workspace) | $ | Use
2 | Microsoft 365 / OneDrive | Yes, via Microsoft DPA | Any paid business plan (we recommend Premium) | $ | Use
3 | Box | Yes | Enterprise (Business and Business Plus do not qualify) | $$$ | Use if you need Box
4 | Dropbox Business | Yes | Standard or above (no free, no personal) | $$ | Consider
5 | Tresorit | Yes | Business Standard or above | $$ | Consider for zero-knowledge
6 | AWS (S3, Glacier, Backup, EFS, FSx) | Yes | Any AWS account with BAA in place; eligible services only | Variable | Use for infrastructure workloads
7 | Acronis Cyber Protect | Yes | Cyber Protect Cloud with Enhanced Security mode | $$ | Consider for backup
8 | Carbonite Safe Pro | Yes | Carbonite Safe Pro or Safe Server Backup | $$ | Use for SMB backup
9 | CrashPlan | Yes | CrashPlan Enterprise (Compliance Settings not available on Small Business) | $$ | Consider for backup
10 | Backblaze | Yes, on request | Business Computer Backup or B2 | $ | Consider
11 | iDrive for Business | Yes, on request | iDrive Business, Team, or Enterprise with Private Key encryption | $ | Consider
- | Apple iCloud | No | N/A | N/A | Do not use for PHI
- | SpiderOak One | Yes, on request | SpiderOak One | $ | Reconsider, see below

Price indicators are rough: $ under $15 per user per month for the lowest qualifying tier, $$ between $15 and $40, $$$ above. Backup, object storage, and infrastructure pricing may not map neatly to per-user pricing. Verify pricing with the vendor before quoting.

SpiderOak One still operates and signs a BAA on request, but does not offer 2FA for new accounts as of early 2026. Once the proposed Security Rule modernization finalizes MFA as required, that becomes a structural gap, not a configuration one. Tresorit fills the zero-knowledge slot in our ranked list.

The Google-Search Litmus Test We Use on Every Vendor Call

Before we spend time emailing a vendor about a BAA, we run this Google search:

business associate agreement site:vendor.com

If the phrase does not appear on the vendor’s own website, they usually will not sign one. We use this on early client calls to avoid wasting time on vendors that are unlikely to qualify. It is not a guarantee, but as a five-second filter, it is one of the quickest first-pass screens we use.

When a vendor does have a BAA page, read the fine print on which products are covered and which tiers qualify. We have seen practices sign the BAA, feel relieved, and discover six months later that the app they live in all day is outside the BAA’s scope.

What Changed in 2026 and Why It Matters

Two things changed the HIPAA cloud-storage conversation this year.

First, HHS Office for Civil Rights published a Notice of Proposed Rulemaking to modernize the HIPAA Security Rule in December 2024. If finalized as proposed, the rule would remove the ‘addressable versus required’ distinction and would make controls such as encryption, MFA, network segmentation, written asset inventories, and certain 24-hour business associate notices required.

OCR’s most recent regulatory agenda still targets a final rule around May 2026, with a 60-day effective date and a 180-day compliance period after that (240 days total from publication). Healthcare industry groups have pushed back hard on the proposal, and federal agencies routinely slip these dates, so the final rule could change in scope or timing before publication. Do not treat any proposed provision as settled law until the final rule is published.

Second, vendors shifted. Google’s HIPAA Included Functionality list was updated on 2025-09-30 and covers 22 services, with Gemini in Chrome excluded. Microsoft is retiring the standalone OneDrive for Business Plan 1, with new sales ending on 2026-05-31. Dropbox added Dash AI search and excluded it from the BAA. Box keeps the BAA on Enterprise only. AWS keeps adding HIPAA-eligible services, but newer features like S3 Tables often arrive outside the list.

In our experience, the most common mistake on a HIPAA discovery call is a practice that signed a BAA with the right vendor on the wrong plan. The second most common is assuming the BAA covers every feature. The per-service blocks below are built around those two mistakes.

1. Google Workspace and Google Drive Are Our Default for Small Practices

Google Workspace is where Adelia Risk starts most small-practice conversations. The BAA is free on every paid tier, a super-admin accepts it electronically in Admin Console, and Google’s HIPAA Included Functionality list, last updated 2025-09-30, covers 22 services, including Gmail, Drive, Meet, Chat, Calendar, Vault, and the Gemini app inside Workspace.

The main gotchas are scope-related. Personal @gmail.com Accounts are not in scope under Google’s BAA. Gemini in Chrome is explicitly excluded, even though the Gemini app inside Workspace is in. YouTube, Blogger, and Google Photos are not listed as covered services, and Marketplace apps need their own BAA with the app vendor. We cover the configuration side in our Google Drive HIPAA deep-dive. For a full tenant review, our Google Workspace security audit produces a prioritized remediation plan.

Adelia’s verdict: Use. The lowest-friction starting point for most 1-20-person practices.

2. Microsoft 365 and OneDrive for Business Are Our Default Starting Point for Microsoft-Native Shops

OneDrive for Business, SharePoint Online, and Teams are all in scope under the Microsoft Products and Services Data Protection Addendum, which incorporates the BAA automatically. No separate document to sign.

Every paid Microsoft 365 business plan (Business Basic, Standard, Premium, Enterprise E3/E5, Microsoft 365 E3/E5, F3) is BAA-eligible; the BAA is automatic through the DPA. In our experience, Business Basic can be BAA-eligible, but it leaves more configuration work on your plate because it does not include several controls most PHI-handling practices end up needing, such as Intune, Defender for Office 365, and DLP capabilities. Business Premium picks up the controls you need anyway and is the tier we recommend for PHI-handling practices.

Standalone OneDrive for Business plans are being retired (new sales end 2026-05-31); clients on Plan 1 need a migration plan within 18 months. One real constraint: Microsoft’s own guidance states that patient or member contact lists inside Microsoft services should not contain PHI. An Entra user attribute populated with a diagnosis is a BAA violation even if the file system is clean.

Our Microsoft 365 security audit covers HIPAA-relevant settings across Exchange, OneDrive, SharePoint, and Teams. For Azure workloads, see our Azure HIPAA quick-reference.

Adelia’s verdict: Use. The lowest-friction HIPAA path for any Microsoft-native organization.

3. Box Is a Strong Tool With a Real Tier Trap

Box is genuinely good for HIPAA. The Box HIPAA and HITECH FAQ is specific, Box Legal Operations emails the BAA addendum in 3-5 business days after the request form is completed, and the platform includes governance features such as retention, classification, and audit trails for regulated workflows.

The trap is the tier. The BAA requires Box Enterprise, Enterprise Plus, or Enterprise Advanced. Business and Business Plus do not qualify, so confirm the tier in writing before PHI goes into Box. This is the single most common Box-related mistake we see on discovery calls. Box also leaves meaningful configuration responsibility with the customer: encryption settings, audit-log retention, access-control policies, and third-party integration BAAs still need to be managed.

Adelia’s verdict: Use it if you need Box. Strong HIPAA choice if you are already committed to Box for a specific workflow. Otherwise, Google Workspace or Microsoft 365 delivers HIPAA storage at a lower plan floor.

4. Dropbox Business Works With Two Important Footnotes

Dropbox Business signs a BAA for Standard, Advanced, Business, Business Plus, Enterprise, Education, and Dropbox Sign. US-based team admins can e-sign in the Admin Console. Per Dropbox’s HIPAA terms, free and personal plans are not eligible.

Two footnotes. First, Dropbox Dash, the AI search tool launched in 2024, is not HIPAA-supported; using it with PHI content can move that workflow outside the BAA. Second, once HIPAA mode is on, Dropbox Sign disables CC on signature requests, emailed signed PDFs, and post-send document edits. That is a reasonable tradeoff for PHI, but users should know about it before rollout. Third-party Marketplace apps are outside the BAA unless you have separate BAAs with those vendors.

Adelia’s verdict: Consider. Good enough for teams already on Dropbox. Not usually a reason to leave Google or Microsoft.

5. Tresorit Is the Zero-Knowledge Choice for Pressure-Tested Threat Models

Tresorit signs a BAA on Business Standard and above. The differentiator is true zero-knowledge, end-to-end encryption: files are encrypted client-side, keys never leave the user’s device, and Tresorit cannot decrypt your data. For mental-health practices, reproductive-health practices, and covered entities with a credible concern about legal access requests, Tresorit can be the cleaner fit for certain file categories.

The tradeoffs are real. Zero-knowledge limits collaboration and admin-assisted recovery; if the only recovery key sits with a former admin, recovery may not be possible. Document key recovery on day one. Tresorit is ISO 27001:2022 certified and Swiss-based, which some buyers value for EU privacy posture and others review as a cross-border consideration.

Adelia’s verdict: Consider for zero-knowledge. A strong second system for the file categories that warrant it, but not usually a replacement for Google or Microsoft as a primary workspace.

6. AWS Works for Infrastructure Teams, Not Office Managers

AWS signs a BAA on any account the customer designates as HIPAA, via AWS Artifact. The HIPAA Eligible Services Reference covers 120-plus services, including S3, S3 Glacier, Storage Gateway, AWS Backup, EFS, and FSx.

Shared responsibility is where teams usually get tripped up. AWS gives you the primitives; you are responsible for enabling encryption, configuring IAM, enabling CloudTrail, locking down public access, and keeping PHI out of non-eligible services. S3 Tables was not on the eligible-services list at the time of this research; enabling a newer, non-eligible feature around PHI could move that workflow outside BAA scope.
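One way to turn the customer-side items in that paragraph into a repeatable check, as an added example that is not Adelia Risk's or AWS's own code: a small Python script that grades a bucket on Block Public Access, default encryption, versioning, Object Lock retention mode, and server access logging. The two bucket settings are constructed samples; the boto3 read path in fetch_posture() is shown for completeness but is an assumption about how you would wire it to a live account and is not exercised here.

```python
"""Customer-side posture check for the S3 controls the shared-responsibility
model leaves to you: public access, default encryption, versioning, Object
Lock, and access logging.

Added example, not Adelia Risk's or AWS's own code. The bucket settings below
are constructed samples; fetch_posture() shows how the same fields are read
from a live bucket with boto3 and is not exercised offline.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BucketPosture:
    name: str
    block_public_acls: bool
    ignore_public_acls: bool
    block_public_policy: bool
    restrict_public_buckets: bool
    default_encryption: Optional[str]    # "AES256", "aws:kms", or None
    versioning_enabled: bool
    object_lock_enabled: bool
    object_lock_mode: Optional[str]      # "COMPLIANCE", "GOVERNANCE", or None
    access_logging_enabled: bool


def evaluate(b: BucketPosture) -> List[str]:
    """Return findings for one bucket; an empty list means it meets the baseline."""
    findings = []
    if not (b.block_public_acls and b.ignore_public_acls
            and b.block_public_policy and b.restrict_public_buckets):
        findings.append("Block Public Access is not fully enabled (all four settings must be on)")
    if b.default_encryption is None:
        findings.append("no default server-side encryption; new objects may land unencrypted")
    if not b.versioning_enabled:
        findings.append("versioning off; an overwritten or deleted record has no prior version to restore")
    if not b.object_lock_enabled:
        findings.append("Object Lock off; whoever holds the live credentials can delete the backup copies")
    elif b.object_lock_mode != "COMPLIANCE":
        findings.append(
            f"Object Lock default retention is {b.object_lock_mode or 'unset'}; GOVERNANCE can be "
            "bypassed by principals with s3:BypassGovernanceRetention, so use COMPLIANCE for backups")
    if not b.access_logging_enabled:
        findings.append("server access logging off; object-level reads and writes are not recorded")
    return findings


def fetch_posture(s3, bucket: str) -> BucketPosture:
    """Read the same fields from a live bucket through a boto3 S3 client (assumed wiring).

    Several of these APIs raise a ClientError when the feature was never
    configured; that error is itself the 'not enabled' answer.
    """
    from botocore.exceptions import ClientError  # imported here so the module loads offline

    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError:
        pab = {}
    try:
        rule = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]["Rules"][0]
        enc = rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    except (ClientError, KeyError, IndexError):
        enc = None
    versioning = s3.get_bucket_versioning(Bucket=bucket).get("Status") == "Enabled"
    try:
        lock = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
        lock_on = lock.get("ObjectLockEnabled") == "Enabled"
        mode = lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    except ClientError:
        lock_on, mode = False, None
    logging_on = "LoggingEnabled" in s3.get_bucket_logging(Bucket=bucket)
    return BucketPosture(
        name=bucket,
        block_public_acls=pab.get("BlockPublicAcls", False),
        ignore_public_acls=pab.get("IgnorePublicAcls", False),
        block_public_policy=pab.get("BlockPublicPolicy", False),
        restrict_public_buckets=pab.get("RestrictPublicBuckets", False),
        default_encryption=enc,
        versioning_enabled=versioning,
        object_lock_enabled=lock_on,
        object_lock_mode=mode,
        access_logging_enabled=logging_on,
    )


# Constructed samples. LOOSENED is a bucket where someone switched off Block
# Public Access to share a report and never finished the rest of the checklist;
# HARDENED is the same bucket after the items above were configured.
LOOSENED = BucketPosture("phi-exports", False, False, False, False, "AES256", False, False, None, False)
HARDENED = BucketPosture("phi-exports", True, True, True, True, "aws:kms", True, True, "COMPLIANCE", True)

if __name__ == "__main__":
    for label, bucket in (("loosened", LOOSENED), ("hardened", HARDENED)):
        print(f"{bucket.name} ({label}): {evaluate(bucket) or ['meets baseline']}")
```

The COMPLIANCE-versus-GOVERNANCE distinction in evaluate() is the same one that matters for the Object Lock immutability discussed under Backblaze below; B2's S3-compatible API supports both retention modes, although not every call in fetch_posture() is available against a B2 endpoint.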

If no one on your team is comfortable with IAM and CloudTrail, AWS is usually not the right HIPAA primary-storage tool. It is a better fit for MSPs, health-tech SaaS companies, and infrastructure-heavy business associates. Our piece on seven ways attackers get into AWS covers the attack surface.

Adelia’s verdict: Use for infrastructure workloads. Not for office file storage unless you have a dedicated cloud engineer.

7. Acronis Cyber Protect Integrates Backup With HIPAA-Relevant Controls

Acronis Cyber Protect Cloud can support HIPAA workflows when the customer enables Enhanced Security mode, or when the customer uses covered Acronis backup or file services under the right agreement and data-center setup. The BAA is handled alongside the master agreement, instead of a standalone pre-purchase document. HIPAA coverage varies by product and by data center; confirm both before storing PHI. Immutable backup storage and ransomware-resistant recovery are baked in, which is why MSPs pick Acronis when they want one agent doing backup, patching, and endpoint protection.

Adelia’s verdict: Consider for backup. Stronger fit for MSPs managing multiple practices than for a single small practice buying direct. If you are evaluating HIPAA-compliant online backup and already run an Acronis-shop MSP, the integrated posture may be a reason to stay.

8. Carbonite Safe Pro Is the SMB Backup Workhorse

Carbonite Safe Backup Pro and Safe Server Backup both qualify for a BAA; personal Carbonite plans do not. Request the BAA through Carbonite’s HIPAA contact at Carb-CSA@opentext.com. OpenText has operated Carbonite since the 2019 acquisition, so expect OpenText Inc. as the BAA signatory. Data is encrypted on the device before upload, in transit via TLS, and at rest. For a 5-15-person practice that wants a named, supported backup product without a lot of configuration, Carbonite is one of the shorter paths to a working backup setup.

Adelia’s verdict: Use for SMB backup. Pair with Google Workspace or Microsoft 365 as the live store.

9. CrashPlan Is Solid for Enterprise Tenants, Not for Individuals

According to CrashPlan’s published HIPAA help article, eligible business plans can operate under a BAA; personal plans are out of scope. The Compliance Settings feature upgrades an account to archive-key-password mode, which disables admin-initiated web restores: a reasonable posture for HIPAA tenants that can absorb the help-desk workflow change. Per CrashPlan’s own documentation, Compliance Settings is available on CrashPlan Enterprise and is not available on CrashPlan for Small Business.

Adelia’s verdict: Consider for backup. Strong for practices that want versioned endpoint backup and can manage the restore workflow. Not always necessary if your primary storage already provides enough version history for your recovery needs.

10. Backblaze Is Affordable With a Clear Zero-Knowledge Caveat

Backblaze can provide a BAA on request for eligible business customers. B2 is the cleaner fit for the compliance page’s security claims, with SOC 2 Type 2, server-side encryption, and Object Lock immutability available.

Computer Backup supports a user-supplied encryption key for true zero-knowledge, but B2 is not pure zero-knowledge by default. Without user-supplied keys, Backblaze holds them. Object Lock on B2 is the feature we point ransomware-concerned practices at most often; an attacker on the live share cannot delete an immutable backup during the lock window.

Adelia’s verdict: Consider. Strong price-to-feature ratio for infrastructure-grade backup without AWS-scale complexity.

11. iDrive for Business Has a Wide Product Line, Business Plans Only

iDrive’s compliance page confirms BAA availability on request for iDrive Business, Team, and Enterprise plans when the customer opts for Private Key encryption; Cloud-to-Cloud backup and Bulk Reseller customers can also request a BAA. Personal plans should not be used for PHI. Security posture: 256-bit AES, SOC 2 Type 2. Product-line breadth is the selling point: endpoint backup, server backup, bare-metal restore, S3-compatible object storage (e2), and cloud compute from one vendor simplifies procurement. Confirm BAA eligibility for 360, BMR, e2, and Compute directly with iDrive sales before purchase.

Adelia’s verdict: Consider. Good fit for practices that want one-vendor consolidation across live storage and backup.

The Clear No: Apple iCloud Is Not for PHI

Apple iCloud is the clearest no on this list. Apple’s iCloud Terms & Conditions prohibit covered entities and business associates from using any iCloud component, function, or facility to create, receive, maintain, or transmit PHI. Apple does not sign a BAA for iCloud, and Managed Apple IDs, Apple Business Manager, and MDM do not change that for PHI storage.

For any practice issuing iPhones, iPads, or Macs to clinical users, the MDM baseline should disable iCloud Drive, iCloud Photos, and iCloud device backup on managed devices, and block personal Apple ID sign-in on work devices. If a patient sends a photo to a clinician’s iPhone, iCloud Photo Library can sync it to Apple’s cloud outside a BAA unless the device is configured to prevent that.
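The MDM baseline described above, expressed as an Apple configuration profile you can generate and audit. This is an added example, not Adelia Risk's or Apple's code: the restriction keys are the ones I know from Apple's Restrictions payload (com.apple.applicationaccess) and should be checked against Apple's device-management documentation for the OS versions you manage; allowAccountModification is honoured only on supervised devices, and the organization identifiers are placeholders. The audit_profile() function is the part worth running against an export from an MDM you already have, because a profile that only restricts, say, the camera leaves every iCloud sync path open.

```python
"""Build and audit an Apple configuration profile (.mobileconfig) for the
iCloud baseline: iCloud Drive, iCloud Photos, and iCloud device backup off,
and personal Apple ID sign-in blocked on supervised devices.

Added example, not Adelia Risk's or Apple's code. Restriction keys are from
Apple's Restrictions payload (com.apple.applicationaccess) as I know them;
verify them against Apple's documentation. Identifiers are placeholders.
"""
import plistlib
import uuid
from typing import Dict, List

# Each key, when False, switches off the iCloud path noted beside it.
ICLOUD_BASELINE: Dict[str, bool] = {
    "allowCloudDocumentSync": False,     # iCloud Drive document sync
    "allowCloudPhotoLibrary": False,     # iCloud Photos
    "allowCloudBackup": False,           # iCloud device backup
    "allowAccountModification": False,   # adding a personal Apple ID (supervised devices only)
}


def build_profile(org_prefix: str = "com.example.practice") -> bytes:
    """Return the profile as XML plist bytes, ready to upload to an MDM."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{org_prefix}.restrictions.icloud",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "iCloud restrictions (PHI baseline)",
        **ICLOUD_BASELINE,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_prefix}.icloud-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "iCloud baseline for clinical devices",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes: bytes) -> List[str]:
    """Return the baseline keys a profile still leaves permitted.

    A key counts as permitted unless some Restrictions payload in the profile
    sets it to False, so an MDM export can be checked before it is trusted.
    """
    profile = plistlib.loads(profile_bytes)
    denied = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in ICLOUD_BASELINE:
            if payload.get(key) is False:
                denied.add(key)
    return [k for k in ICLOUD_BASELINE if k not in denied]


# Constructed sample: a profile that only restricts the camera, as a practice
# might already have deployed, which leaves every iCloud path open.
PARTIAL_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.practice.camera",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.practice.camera.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "allowCamera": False,
    }],
})

if __name__ == "__main__":
    with open("icloud-baseline.mobileconfig", "wb") as fh:
        fh.write(build_profile())
    print("existing camera-only profile still allows:", audit_profile(PARTIAL_PROFILE))
    print("generated baseline profile still allows:", audit_profile(build_profile()))
```

The profile is unsigned; MDM platforms normally sign on upload, and the one-device test is to install it and confirm that iCloud Drive, Photos, and Backup toggles are greyed out in Settings before pushing it to clinical users.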

HIPAA-Compliant Cloud Backup Is Not the Same as HIPAA-Compliant Cloud Storage

People often mix up two searches: HIPAA-compliant cloud storage and HIPAA-compliant cloud backup. They are related but not the same.

  • Cloud storage is your live, collaboration-oriented file share (Drive, OneDrive, Dropbox, Box, Tresorit, Sync.com). People edit files in place, so mistakes, oversharing, sync issues, and ransomware usually show up here first.
  • Cloud backup is a point-in-time, versioned, disaster-recovery-oriented capture (Carbonite, CrashPlan, Acronis, Backblaze Computer Backup, iDrive). The job is to keep a recoverable copy separate from day-to-day file activity.
  • Object-storage backends (AWS S3 and Glacier, Backblaze B2) can be either, depending on tooling.

HIPAA’s Contingency Plan standard (45 CFR 164.308(a)(7)) requires a Data Backup Plan and a Disaster Recovery Plan. The Technical Safeguards at 45 CFR 164.312 cover the access-control and transmission-security controls that make those backups usable. In practice, most small healthcare teams need two functions: a storage tool where people work, and a backup tool that captures versioned, ideally immutable copies.

Separated or immutable backups, such as Object Lock on B2, Carbonite’s isolated repositories, or Acronis immutable storage, are what give you a realistic recovery path after a ransomware event. Our ransomware playbook goes deeper on recovery. If you are buying only one thing today, start with the storage layer; then put a backup plan on the calendar for this quarter.

The BAA Mistakes We See Most on HIPAA Discovery Calls

  • Wrong tier, right vendor. Box Business Plus instead of Enterprise. Microsoft 365 Business Basic when the practice actually needs Business Premium controls. The BAA follows the plan, not the vendor.
  • Signed and forgotten. In our experience, cloud-storage BAA failures cluster around two patterns: no BAA at all, and signed BAA plus misconfigured sharing. The BAA gives you the legal framework without the controls that make it work.
  • Assuming platform-wide coverage. Gemini in Chrome is outside Google’s HIPAA scope, even though Gemini in Workspace is in. Dropbox Dash is outside Dropbox’s HIPAA-supported services. S3 Tables were not on AWS’s eligible services list at the time of this research.
  • Ignoring third-party integrations. Marketplace apps, Zapier workflows, and add-ons are separate BA relationships.
  • Personal accounts as workarounds. A doctor who saves the patient’s PDF to their @gmail.com email is one of the most common PHI leak paths we see. Policy and training close most of this gap; configuration alone will not.
  • Skipping MFA because it is still “addressable.” The proposed HIPAA Security Rule would make MFA required if finalized as proposed. Configure it now rather than waiting for the final rule.

Frequently Asked Questions

Is Google Drive HIPAA compliant?

Yes, when the organization is on a paid Google Workspace plan, a super-admin has accepted the HIPAA Business Associate Amendment in the Admin Console, and sharing, MFA, DLP, and retention settings are configured. Personal @gmail.com accounts are not covered. Source: Google HIPAA Included Functionality.

Is Dropbox HIPAA compliant?

Dropbox Business, Business Plus, Standard, Advanced, Enterprise, Education, and Dropbox Sign can support HIPAA workflows when a BAA is in place. Free and personal Dropbox accounts are not eligible. Dropbox Dash is specifically excluded. Source: Dropbox HIPAA/HITECH Overview.

Is OneDrive HIPAA compliant, and does Microsoft 365 Business Basic qualify?

OneDrive for Business is generally BAA-eligible through paid Microsoft 365 business plans, and Microsoft’s BAA is incorporated through the DPA. Business Basic may be BAA-eligible, but we recommend Business Premium for PHI-handling organizations because it includes more of the controls they usually need, including Intune, Defender, and DLP capabilities. Standalone OneDrive Plan 1 is being retired (new sales end 2026-05-31). Source: Microsoft HIPAA/HITECH.

Is AWS HIPAA compliant?

Yes, for the HIPAA-eligible subset (approximately 120 services, including S3, S3 Glacier, Storage Gateway, AWS Backup, EFS, and FSx). Customer signs in to AWS Artifact and is responsible for encryption, IAM, CloudTrail, and avoiding non-eligible services for PHI. S3 Tables is not on the eligible list as of this writing. Source: AWS HIPAA Eligible Services Reference.

Is Box HIPAA compliant, and is it worth the price for a small practice?

Box signs a BAA only on Enterprise, Enterprise Plus, or Enterprise Advanced. Business and Business Plus do not qualify. For a small practice on Google Workspace or Microsoft 365, the marginal HIPAA benefit of Box is rarely worth the premium unless you specifically need Box’s governance or integration features. Source: Box HIPAA and HITECH FAQ.

Is iCloud HIPAA compliant for storing patient records?

No. Apple’s iCloud Terms & Conditions prohibit covered entities and business associates from using iCloud to create, receive, maintain, or transmit PHI. For clinical devices, MDM should disable iCloud Drive, iCloud Photos, and iCloud device backup, and block personal Apple ID sign-in. Source: Apple iCloud Terms & Conditions and Apple device-management restrictions.

Do I need a BAA for cloud storage?

Yes, if the vendor creates, receives, maintains, or transmits PHI on your behalf. The HIPAA Conduit Exception does not apply to cloud-storage providers. Without a signed BAA before PHI transfer, the covered entity has a Privacy Rule problem under 45 CFR 164.502(e). Source: HHS guidance on HIPAA and cloud computing.

HIPAA and cloud storage: What makes a cloud service actually compliant?

Four elements usually matter: a signed BAA; technical safeguards such as access controls, audit controls, integrity controls, authentication, and transmission security; administrative safeguards, including risk analysis, workforce training, incident response, and sanction policies; and physical safeguards at the data center. For help locating where PHI lives in your environment, see our piece on where to find PHI in your business. Source: HHS Security Rule guidance.

Does the free tier of Google Drive, Dropbox, or OneDrive count?

No. Every BAA-signing vendor ties the BAA to paid business plans. Free Google, free Dropbox, free OneDrive, and iCloud are all ineligible. There is no free HIPAA-compliant cloud storage in 2026.

What happens if our cloud storage vendor refuses to sign a BAA?

You cannot use that vendor for PHI. Use the Google-search litmus test above to screen before you even email. Common no-go options include Apple iCloud, personal-tier Google Drive, free Dropbox, and most consumer photo services. For a US practice in 2026, the safer shortlist is vendors whose own BAA pages clearly list the products, tiers, and features in scope.

The Best HIPAA-Compliant Cloud Storage for a Small Medical Practice, What Adelia Risk Actually Recommends

For a 1-20-person practice already on Google or Microsoft email, stay in the ecosystem: Google Workspace Business Standard or Microsoft 365 Business Premium. Both can sit under a BAA when the right agreement is in place. Both are typically under $25 per user per month at list price, and the practical reason to choose these tiers is the control set: MFA, DLP, device/access controls, and retention tools you are likely to need anyway. Layer a dedicated backup (Carbonite Safe Pro, Backblaze Computer Backup, or iDrive) for ransomware resilience.

For practices with specific zero-knowledge requirements, such as mental health, reproductive health, or legal-access concerns, Tresorit can fit better for that category of file, with Google or Microsoft still running email and calendar. For business associates (billing companies, MSPs, health-tech SaaS) already on AWS, the real question is discipline around HIPAA-eligible services and shared responsibility.

When It Is Worth Getting a Second Set of Eyes

HIPAA cloud storage looks simple on the slide: sign the BAA, enable MFA, turn on audit logs. It gets complicated at the tenant-configuration layer. If you want a second set of eyes before your next audit, our HIPAA Google Workspace compliance audit and Microsoft 365 security audit walk through every HIPAA-relevant setting and produce a prioritized remediation plan. Our consolidated Google Workspace HIPAA guide covers the full 96-point checklist. If your stack is something else — Microsoft 365, Box, AWS, or a multi-vendor mix — tell us about your environment, and we’ll point you at the right starting place.



Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
