Cloud storage can be HIPAA compliant — but not all cloud storage is. Dropbox, Google Drive, iCloud, and most consumer cloud storage platforms are not HIPAA compliant on their standard plans. To store protected health information (PHI) in the cloud, you need a provider that signs a Business Associate Agreement (BAA), encrypts data at rest and in transit, implements access controls, and maintains audit logging. Failure to implement required safeguards — including a signed BAA where applicable — may result in noncompliance with the HIPAA Rules under 45 CFR Part 164, with significant civil and criminal penalties.

Key Takeaways

  • Cloud storage can be HIPAA compliant — but configuration and plan selection matter as much as the platform
  • A signed Business Associate Agreement (BAA) is essential — without it, no cloud storage qualifies for PHI
  • Consumer and free-tier accounts (Gmail Drive, personal Dropbox, iCloud) cannot be made HIPAA compliant
  • Encryption, audit logging, and access controls are required safeguards under the HIPAA Security Rule
  • Each major provider operates under a Shared Responsibility Model — they secure the infrastructure, you secure the configuration

Cloud Storage vs HIPAA Compliant Cloud Storage

These are not the same thing — and the gap between them is where most healthcare data breaches begin.

🔄 Rotate your phone for a better view of the comparison table.
Platform BAA Available? Which Plan? Verdict
HIPAA Vault Cloud Storage Yes All plans Fully managed, U.S.-based
AWS S3 Yes All paid plans (check eligible services list) BAA required + proper config
Google Drive / Workspace Yes Google Workspace Business Plus+ Use paid Workspace + BAA
Microsoft OneDrive / SharePoint Yes Microsoft 365 Business/Enterprise Use paid plan + BAA
Dropbox Business Yes Business Advanced or higher Use qualifying plan + BAA
Box for Healthcare Yes Business Plus or Enterprise Purpose-built controls available
Free Google Drive No N/A Do not use for PHI
Free Dropbox No N/A Do not use for PHI
iCloud No No plan available Do not use for PHI
Personal OneDrive No N/A Do not use for PHI
Consumer file sharing (WeTransfer, etc.) No No plan available Do not use for PHI

Need HIPAA compliant cloud storage or hosting for your healthcare organization? HIPAA Vault provides fully managed HIPAA-compliant cloud environments with a signed BAA, U.S.-based private servers, AES-256 encryption, and 24/7 security monitoring.

Schedule a free consultation →


Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

Why Cloud Storage Compliance Matters More Than Most Organizations Realize

As Gil Vidals, CTO and co-founder of HIPAA Vault, explains — the hosting environment is where everything is at stake:

“The hosting is important because everything’s out on the cloud these days and you have to be very mindful of where the data is and how it’s protected. That includes HIPAA compliant services like data transmission, storage, and access management.”

The challenge is that cloud environments expand your security perimeter in ways that on-premise systems do not. When you move to the cloud, your data may pass through third-party services, multiple servers, and partner infrastructure — each of which introduces potential compliance exposure.

“In the cloud, your security perimeter might be larger or just different. You need to ensure that your cloud providers are also HIPAA compliant. This could involve careful vendor selection, detailed service level agreements, and ongoing monitoring.” — Gil Vidals


What Makes Cloud Storage HIPAA Compliant?

A HIPAA compliant cloud storage solution must provide:

1. A Signed Business Associate Agreement (BAA) The legal foundation. If your cloud storage provider won’t sign a BAA, you cannot use them for PHI — regardless of how secure their platform may be. A BAA defines how the vendor handles your PHI, what security measures they maintain, and what happens in the event of a breach. The HHS guidance on Business Associates provides the full regulatory framework.

2. Encryption at Rest PHI stored in the cloud must be encrypted when not actively being accessed. AES-256 is widely regarded as an industry best practice for data at rest and aligns with NIST SP 800-111 guidance for protecting sensitive data. TLS 1.2 or higher is the standard for data in transit.

3. Access Controls Role-based access management determines who can see, edit, or share PHI. The HIPAA Security Rule (45 CFR § 164.312) requires that only authorized users have access to patient data — and that this access is enforced, not just assumed. NIST SP 800-66 Rev. 2 provides implementation guidance for these controls.

4. Audit Logging You need a complete record of who accessed PHI, when, from where, and what they did. If your cloud storage provider cannot produce this report on demand, it does not meet HIPAA Security Rule requirements.

5. Backup and Disaster Recovery As Gil Vidals notes:

“Most hosting providers are going to give you backup — so that’s not anything new. What would be different with a HIPAA compliant provider is that the backups should cover enough time. It can’t just be one or two days of backups. You have to be able to go further back. That’s important in order to keep the integrity of the system.”

6. Physical Security Data centers housing PHI must have physical security controls — access cards, biometric scanners, security cameras, and controlled entry. These are not optional — they are part of HIPAA’s physical safeguard requirements.

7. Geographic Data Residency HIPAA does not explicitly require PHI to be stored on U.S.-based servers. However, many healthcare organizations prefer domestic hosting because of contractual obligations, data residency policies, and operational considerations. Always review your payer contracts and state regulations for specific requirements.


Managed Enterprise Hosting on Google Cloud Platform

Leverage the power of Google Cloud with guaranteed compliance. We manage Kubernetes, APIs, and databases for high-scale healthcare apps.

Learn More

How to Approach HIPAA Cloud Compliance

The challenge with cloud environments is that they can feel overwhelming — especially for organizations migrating from on-premise systems. Gil Vidals’s practical advice:

“A good place to start is a risk assessment. You need to understand how the data is flowing, especially the protected health information — find out where it flows to and through your platform, and evaluate the specific risks in your environment. From there, you can implement controls that are proportionate to the risks.”

A real-world example from Gil:

“Let’s say a hospital has decided to move their EHR to a cloud-based solution. The first thing they want to do is a complete assessment of the risk — what new risks may be introduced in the cloud. They’re going to want to evaluate potential data breaches or service interruptions. Then they might implement controls like end-to-end encryption, strict access controls to make sure only the staff that should be accessing the patient data is, and a robust business continuity plan — so if a server goes offline, they can fail over and maintain business continuity.”


Is Dropbox HIPAA Compliant?

Dropbox can be HIPAA compliant on its Business Advanced plan or higher, where a BAA can be executed. Dropbox’s standard Business and Plus plans do not include a BAA and should not be used for PHI.

Even with a BAA, Dropbox requires careful configuration — including disabling sharing links, restricting external collaboration, and ensuring that PHI is not accessible to unauthorized users through shared folders.

The free version of Dropbox is not HIPAA compliant under any circumstances.


Is Google Drive HIPAA Compliant?

Google Drive can be HIPAA compliant through Google Workspace Business Plus or higher with a signed BAA executed through the Google Workspace Admin console. Google Drive through a personal @gmail.com account is not HIPAA compliant.

Google explicitly lists Google Drive among its HIPAA-eligible services for paid Workspace subscribers. Organizations must also configure sharing settings and data retention policies appropriately.


Is OneDrive / SharePoint HIPAA Compliant?

Microsoft OneDrive and SharePoint can support HIPAA compliance — but your plan selection determines whether you can practically and legally deploy them for PHI. While Microsoft automatically includes its HIPAA BAA across all commercial plans within the Online Services Data Protection Addendum (DPA), basic plans fall short of what compliance actually requires.

The plan gap most organizations miss:

Microsoft 365 Business Basic and Business Standard include the BAA — but they lack the technical safeguards needed to safely manage ePHI. Specifically, these plans do not include native Data Loss Prevention (DLP) policies for identifying or blocking PHI, and their audit log retention is often capped at 90 days — which conflicts with HIPAA’s documentation requirements if logs are not exported and stored separately.

The recommended path: Microsoft 365 Business Premium or Enterprise (E3/E5)

These plans unlock:

  • Microsoft Purview DLP — prevents staff from accidentally sharing PHI via public links or unauthorized channels
  • Extended audit log retention — supports HIPAA’s documentation requirements
  • Microsoft Entra ID — enforces strict MFA and location-based Conditional Access policies

Shared Responsibility Model

Microsoft protects the data center infrastructure — physical security, volume encryption, and platform availability. You are responsible for user-level access controls, email flow encryption configuration, and ensuring PHI does not flow through unconfigured channels.

Personal OneDrive, Family subscriptions, and free Outlook.com accounts have no BAA coverage and should never be used for PHI.

For small practices that need HIPAA-compliant cloud storage without the complexity of managing Microsoft’s enterprise configuration, a fully managed solution like HIPAA Vault provides all required safeguards — encryption, audit logging, access controls, and a signed BAA — without requiring a specialized Microsoft IT administrator.


Is AWS HIPAA Compliant?

Amazon Web Services (AWS) can be HIPAA compliant — AWS signs a BAA and designates a list of HIPAA-eligible services. Not all AWS services are covered under the BAA, so organizations must verify that the specific services they use are on AWS’s eligible services list before storing PHI.

Common HIPAA-eligible AWS services include S3, EC2, RDS, and Lambda — but this list changes and should be verified directly with AWS before implementation.


The Three Types of HIPAA Cloud Controls

Gil Vidals breaks cloud security controls into three categories that every healthcare organization needs to understand:

“The technical controls would include things like encryption of the data and access management — that is, who has access to the data. Then there’s administrative controls — things like policies and procedures, training logs to make sure you keep track of who’s being trained. And then finally, the physical controls — those are the ones that probably most people think about because they’re easy to visualize, like a camera pointing to the server, biometric scanner, and access cards to access the data center floor. The challenge is to make sure all of these are implemented and that they stay in force, that there’s no lapse in these controls.”


Not sure if your cloud environment is fully HIPAA compliant? HIPAA Vault provides managed HIPAA-compliant hosting with a signed BAA, U.S.-based private servers, and 24/7 security monitoring — starting at $549/month.

View hosting plans →  |  Talk to a specialist →


Common Mistakes Healthcare Organizations Make With Cloud Storage

1. Assuming the cloud provider handles compliance automatically Signing up for AWS, Google Workspace, or Microsoft 365 does not automatically make you HIPAA compliant. You must execute a BAA, configure the environment correctly, and maintain ongoing monitoring.

2. Using personal or free-tier accounts for PHI Free Google Drive, personal Dropbox, and iCloud are not HIPAA compliant and cannot be made so. These are the most common sources of inadvertent PHI exposure in small practices.

3. Not vetting third-party app integrations In cloud environments, third-party apps that connect to your storage — analytics tools, collaboration platforms, email integrations — may also handle PHI. Each requires its own BAA and compliance review.

4. Inadequate backup policies Keeping only one or two days of backups is insufficient for HIPAA compliance. A compliant environment requires backups that go back far enough to restore data in the event of a ransomware attack or system failure.

5. No audit log review process Audit logs are only useful if someone reviews them. Many organizations have logging enabled but no process for reviewing or acting on suspicious access patterns.


Frequently Asked Questions


HIPAA Vault provides managed HIPAA-compliant hosting and cloud storage solutions for healthcare organizations on U.S.-based private servers. This content is educational and does not constitute legal advice. Consult a qualified HIPAA compliance attorney for guidance specific to your organization.