“What are my options for HIPAA compliant cloud storage? ”
In recent years, cloud storage has risen in both effectiveness and popularity. Its convenience is undeniable– the ability to access your data from anywhere is amazing. But can business associates and medical providers take advantage of these services to store PHI? What exactly does it mean for a cloud storage service to be HIPAA compliant, and which services provide the most secure cloud storage options?
There are a few things that are essential when it comes to finding a HIPAA compliant cloud storage provider. You need to be choosy, since putting your data “in the cloud” makes it hard to achieve HIPAA-compliant levels of security. When PHI is out of your hands and stored off-site (as cloud storage is), you need to be absolutely sure that your data is safe.
So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:
We're starting our list with our favorite HIPAA compliant cloud storage option for small practices: Google Drive. It's easy to use, has tons of features and can be used in a HIPAA compliant environment.
Our favorite service, hands down, is Google Drive, which is part of Google's excellent Google Workspace. It's one of the easiest services to use and a great value for the price to achieve the most secure cloud storage option. PCMagazine also loves it, giving Google Drive an excellent rating.
Google will sign a HIPAA Business Associate Agreement (BAA) for Google Workspace clients. It covers Gmail, Google Drive, Google Calendar, and Google Vault. If you set the file sharing up properly in Google Drive, it's a brilliant choice for HIPAA compliant cloud storage.
Microsoft will also sign a BAA for mail, file storage, calendars, and other aspects of Microsoft Online. While they are a bit harder to use than Google Workspace, Microsoft offers some terrific data loss prevention tools that can help to keep you safer.
Microsoft's file sharing service (OneDrive) also got a great rating, 5 stars from PCMagazine.
Google Workspace and Microsoft 365 (reviewed above) can definitely share data securely with other companies. You need to be careful, though, about how you set up the file sharing for compliance to make sure you don't accidentally expose your PHI to the internet.
However, you might not need the other features that come with these services. If you already use another service for email, calendaring, and file editing, then you might want to go with a dedicated file sharing service. Here are some good options.
People often ask "Is Dropbox HIPAA compliant?" You bet it is! The most popular and arguably the most well-developed of the cloud storage providers, Dropbox is usually the first provider people think when they think “cloud storage.” Fortunately, Dropbox is HIPAA compliant now with their Dropbox Business service. This includes signing a BAA with you to meet all the requirements.
Box meets all of the security and encryption requirements set forth by HIPAA and is willing to sign a Business Associate Agreement. You can find more detailed information on their compliance on their website.
All of the previous services mentioned can be used for safe, HIPAA compliant cloud storage. However, they require some configuration and oversight.
One of the best protections against ransomware attacks is to have a good, up-to-date backup. It's also one of the best ways to protect your business from interruption if your computers are lost, stolen, or damaged.
SpiderOak offers a great "set it and forget it" cloud backup service. You install their program on your computer, and all of your files are safely and automatically backed up to the cloud.
One of the reasons we love them is due to their "zero knowledge" policy. They encrypt every single possible aspect of their service, which means there is no way their staff could access your data without your involvement. And they're happy to sign a HIPAA BAA.
Carbonite is another popular backup service. They are willing to sign a HIPAA BAA.
Want to save a TON of money and don't mind some technical work? Amazon S3 Glacier is dirt cheap, but requires you to be IT savvy to use it for regular backups. It also covered by the HIPAA BAA that Amazon will sign.
Acronis used to be on our 'not HIPAA compliant' list, but as of June 2020, they will sign a Business Associate Agreement!
CrashPlan features a default active AES-256 encryption and will sign a BAA.
Another former 'not HIPAA compliant' listing was for Backblaze. As of October 2020, they will sign a BAA for their clients.
We are huge fans on Amazon Web Services (AWS). Their security is top notch and they're happy to sign a HIPAA Business Associate Agreement. Check out our article: Secure Cloud Computing: 7 Ways I’d Hack You On AWS".
We also reviewed a number of other popular cloud storage and backup providers to see if they could be considered HIPAA compliant cloud storage.
Also, popular company SugarSync makes no mention of being willing to sign a HIPAA Business Associate agreement on their site.
We've found this is a great litmus test. You can quickly and easily tell how seriously a cloud storage company takes HIPAA compliance with a simple google search.
Just type: "business associate agreement site:vendor.com" into a Google search, like this:
If you get a result like this, then move on to another provider!
Because of its reasonable price, robust features, high level of security, and willingness to sign a HIPAA business associate agreement, we use and recommend Google Drive, which is part of Google Workspace. Google Workspace includes cloud storage, hosted email, and robust online file editors, and is one of the best HIPAA compliant cloud storage services out there. Check out our article about HIPAA compliant Google Drive.
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!
Dropbox actually is HIPAA compliant now with their Dropbox for business: https://www.dropbox.com/business including signing a BAA with you: https://www.dropbox.com/en/help/238
It is now mid 2016, and things are always changing (e.g., the 47FUDQ7P6FW6N9 coupon for Google is expired). Can you update us?
You're absolutely right! Thanks for pointing this out. We've updated the page so you can request a coupon code.
S3 is one of 9 Amazon services that are HIPAA compliant.https://aws.amazon.com/compliance/hipaa-compliance/
rsync.net is a cloud storage provider that is HIPAA compliant and is willing to sign BAAs:
I chose them as a vendor because I wanted an offsite backup product that I could use with SFTP clients, like filezilla and WinSCP. I highly recommend their service.
Thanks for the tip! We'll check it out!
Here is a comparison of AWS and Azure with Atlantic.Net Secure Block Storage, which also provides HIPAA Storage but its more expensive: