HIPAA Compliant Cloud Storage – 11 Services Reviewed (Updated)

“What are my options for HIPAA compliant cloud storage? ”

In recent years, cloud storage has risen in both effectiveness and popularity. Its convenience is undeniable– the ability to access your data from anywhere is amazing. But can business associates and medical providers take advantage of these services to store PHI? What exactly does it mean for a cloud storage service to be HIPAA compliant, and which services fit the bill?

HIPAA compliant cloud storageThere are a few things that are essential when it comes to finding a HIPAA compliant cloud storage provider. You need to be choosy, since putting your data “in the cloud” makes it hard to achieve HIPAA-compliant levels of security. When PHI is out of your hands and stored off-site (as cloud storage is), you need to be absolutely sure that your data is safe.

So without further ado, here’s a breakdown of some popular cloud vendor services and whether or not they are HIPAA compliant:

Do you want to share data between employees?

google_drive_hipaa_cloud_storage Google Cloud Storage

Our favorite service, hands down, is Google Drive, which is part of Google’s excellent G Suite.  It’s one of the easiest services to use and a great value for the price.   PCMagazine also loves it, giving Google Drive a five star rating in 2016.

Google will sign a HIPAA Business Associate Agreement (BAA).  It covers Gmail, Google Drive, Google Calendar, and Google Vault.  If you set the file sharing up properly in Google Drive, it’s a great choice for HIPAA compliant cloud storage.  Learn more about HIPAA-compliant G Suite here.

Get our free “17-Step Guide on G Suite and HIPAA Compliance” to learn more about keeping your data safe in the cloud.

Microsoft Office 365

Microsoft will also sign a BAA for mail, file storage, calendars, and other aspects of Microsoft Online. While they are a bit harder to use than G Suite, Microsoft offers some terrific data loss prevention tools that can help to keep you safer.

Microsoft’s file sharing service (OneDrive) also got a great rating, 4.5 stars from PCMagazine in 2016.

Do you want to share data with other companies?

G Suite and Microsoft Office 365 (reviewed above) can definitely share data securely with other companies. You need to be careful, though, about how you set up the sharing to make sure you don’t accidentally expose your PHI to the internet.

However, you might not need the other features that come with these services. If you already use another service for email, calendaring, and file editing, then you might want to go with a dedicated file sharing service. Here are some good options.

dropbox_hipaa_cloud_storage Dropbox

People often ask “Is Dropbox HIPAA compliant?”  You bet it is!  The most popular and arguably the most well-developed of the cloud storage providers, Dropbox is usually the first provider people think when they think “cloud storage.” Fortunately, Dropbox is HIPAA compliant now with their Dropbox Business service (https://www.dropbox.com/business). This includes signing a BAA with you to meet all the requirements.


Box meets all of the security and encryption requirements set forth by HIPAA and is willing to sign a business associate agreement. You can find more detailed information on their compliance on their website.

Do you want to back up your data safely to the cloud?

All of the previous services mentioned can be used for safe, HIPAA compliant backups. However, they require some configuration and oversight.

One of the best protections against ransomware attacks is to have a good, up to date backup. It’s also one of the best ways to protect your business from interruption if your computers are lost, stolen, or damaged.

Here are three great HIPAA-compliant backup services:


SpiderOak offers a great “set it and forget it” backup service. You install their program on your computer, and all of your files are safely and automatically backed up to the cloud.

One of the reasons we love them is due to their “zero knowledge” policy. They encrypt every single possible aspect of their service, which means there is no way their staff could access your data without your involvement. And they’re happy to sign a HIPAA BAA. Sign up for a free trial here.


Carbonite is another popular backup service. They are willing to sign a HIPAA BAA.

aws_glacier_hipaa_cloud_storageAmazon S3 Glacier

Want to save a TON of money and don’t mind some technical work? Amazon S3 Glacier is dirt cheap, but requires you to be IT savvy to use it for regular backups. It also covered by the HIPAA BAA that Amazon will sign.

Do you want to host your applications in the cloud?

aws_hipaa_cloud_storageAmazon Web Services

We are huge fans on Amazon Web Services (AWS). Their security is top notch and they’re happy to sign a HIPAA Business Associate agreement.

We’ve written some articles to help you get started, including “Getting Started with AWS Cloud Security – 14 Step Guide” and “Secure Cloud Computing: 7 Ways I’d Hack You On AWS“.

What about the other guys?

We also reviewed a number of other popular cloud storage and backup providers.

Backup company CrashPlan does offer to sign a HIPAA BAA. However, you need to move up to their Enterprise plan. This might make sense if you’re a large company, but it’s pretty expensive.

Also, popular companies like SugarSync, Acronis, and BackBlaze make no mention of being willing to sign a HIPAA Business Associate agreement on their sites.

We’ve found this is a great litmus test. You can quickly and easily tell how seriously a cloud storage company takes HIPAA compliance with a simple google search.

Just type: “business associate agreement site:vendor.com” into a Google search, like this:


If you get a result like this, then move on to another provider!


What’s the best HIPAA compliant cloud storage service?

Because of its reasonable price, robust features, high level of security, and willingness to sign a HIPAA business associate agreement, we use and recommend Google Drive, which is part of Google’s G Suite.  G Suite includes cloud storage, hosted email, and robust online file editors.

We’ve written an e-guide called “HIPAA Compliance Guide for Gmail / G Suite,” an e-book with 17 tips you can use to make sure you’re setting up G Suite the right way.  You can download it here.

We also offer a paid service that will help you manage both G Suite/Office 365 and your practice in a HIPAA-compliant manner.  Learn more about our HIPAA Compliant G Suite service here.

Already a G Suite customer?  You might be interested in our G Suite HIPAA Risk Assessment to make sure everything is set up properly.

Like this article?  Please share it!

By | 2017-06-23T19:51:40+00:00 March 2nd, 2017|Cloud Cyber Security, HIPAA|4 Comments


  1. Tony Maro November 6, 2015 at 6:40 pm - Reply

    Dropbox actually is HIPAA compliant now with their Dropbox for business: https://www.dropbox.com/business including signing a BAA with you: https://www.dropbox.com/en/help/238

  2. jdh May 15, 2016 at 12:14 pm - Reply

    It is now mid 2016, and things are always changing (e.g., the 47FUDQ7P6FW6N9 coupon for Google is expired). Can you update us?

    • Josh Ablett May 18, 2016 at 10:39 am - Reply

      You’re absolutely right! Thanks for pointing this out. We’ve updated the page so you can request a coupon code.

  3. Christian Romney October 12, 2016 at 6:28 pm - Reply

    S3 is one of 9 Amazon services that are HIPAA compliant.https://aws.amazon.com/compliance/hipaa-compliance/

Leave A Comment