If your organization creates, receives, or stores electronic protected health information (ePHI), the cloud is almost certainly part of your compliance footprint, whether you planned it that way or not. The hard part is not finding a cloud platform. It is proving that the way you store patient data actually satisfies HIPAA. That gap is where most organizations get stuck, and it is why many healthcare teams hand execution to a partner that runs the platform for them. Unió deploys and governs these exact stacks for healthcare clients, including HIPAA-compliant cloud backup that keeps records recoverable as well as protected. This guide was updated in June 2026 to reflect how covered entities should evaluate cloud storage today, and to correct a few persistent myths that lead people to buy the wrong thing.
What Is HIPAA-Compliant Cloud Storage?
HIPAA-compliant cloud storage is cloud storage that a covered entity or business associate can use to hold ePHI under the terms of HIPAA. It is not a product you buy off a shelf. It is the combination of three things working together. First, a cloud service whose provider will sign a Business Associate Agreement (BAA). Second, the HIPAA Security Rule safeguards (administrative, physical, and technical) implemented on top of that service. Third, a customer who configures and operates the service correctly over time.
Put simply, the platform makes compliance possible. Your configuration and your ongoing operations determine whether you actually achieve it. That distinction matters because it reframes the buying decision. You are not shopping for a "HIPAA product." You are assembling a set of obligations that a capable platform lets you meet.
It also helps to separate three needs that often get lumped together. Storage keeps files accessible day to day. Backup keeps recoverable copies so you can restore after deletion, corruption, or ransomware. File sharing moves ePHI between people and systems. Each carries its own HIPAA exposure, and most healthcare organizations need more than one. We cover the backup side in depth later, because the availability requirement is one of the most overlooked parts of a compliant setup.
Is There Such a Thing as "HIPAA-Certified" Cloud Storage?
No. There is no official "HIPAA certification" and no government "HIPAA approval" for cloud providers. The U.S. Department of Health and Human Services (HHS) does not certify, endorse, or pre-approve any product or vendor. Phrases like "HIPAA certified cloud" and "HIPAA approved cloud storage" are marketing language, not a real regulatory status.
This is one of the most common and most expensive misconceptions in healthcare IT. A vendor cannot hand you a badge that makes your storage compliant. A provider becomes a valid place for ePHI only by signing a BAA with you and supporting the required safeguards. Everything after that is on you to configure and maintain.
Third-party audits do have value, but they are not the same thing. A SOC 2 report or an ISO certification can support your due diligence and tell you the provider takes security seriously. None of those reports is a "HIPAA certification," and none of them transfers your responsibility to the vendor. When you see a provider advertising itself as "HIPAA certified," read it as a signal to look closer, not as proof. Ask whether they will sign a BAA, which services that BAA covers, and what configuration responsibilities remain with you. Compliance is a state you maintain, not a label a vendor applies.
HIPAA Cloud Storage Requirements
At a minimum, HIPAA-compliant cloud storage requires four things: a signed BAA, the Security Rule safeguards applied to how the storage is used, encryption of ePHI in transit and at rest, and ongoing operations such as access control, audit logging, training, and a tested recovery plan. The BAA is the gate, and the safeguards are the substance. Here is how those safeguards break down.
Administrative safeguards
These are the policies, procedures, and people-side controls that govern how ePHI in cloud storage is handled. For cloud storage this means a designated security officer, a documented risk analysis that actually covers the cloud service in use, access-management procedures (who is granted access and how it is revoked when someone leaves), workforce security training, and an incident-response and breach-notification plan. Administrative safeguards are the largest real-world source of compliance gaps, because they depend on consistent human process rather than a feature you toggle on. A risk analysis that ignores your cloud storage is a documentation gap waiting to be found.
Physical safeguards
These are controls over physical access to the systems that store ePHI. In a cloud model, the provider is responsible for the data center: facility access controls, environmental protections, and secure media disposal. That is one reason the BAA and the provider's documentation matter so much. Your physical responsibility shifts to the endpoints that reach the cloud: device controls, screen-lock policies, and secure handling of any local copies or printouts of ePHI. A perfectly secured cloud tenant does not help if a laptop with synced patient files walks out the door unencrypted.
Technical safeguards
These are the technology controls applied to the ePHI itself: access controls and unique user IDs, encryption in transit and at rest, audit controls and logging that record who accessed what and when, integrity controls so data is not improperly altered or destroyed, and authentication (multi-factor authentication is the practical expectation). The cloud platform supplies these capabilities, but they have to be turned on and configured correctly. A capable platform left on weak defaults is still a compliance gap.
Encryption, access control, and audit logging
Encryption deserves a clear word, because the nuance trips people up. Under the Security Rule, encryption is technically an "addressable" implementation specification rather than a flatly "required" one. In plain terms, you can document an equivalent alternative if you genuinely have one. In practice, you almost never do, and encryption is the expected standard regardless. Treat encryption in transit (TLS) and at rest (such as AES-256) as effectively mandatory, understand who manages the keys, and document your decision either way.
Access control and audit logging are where day-to-day compliance is proven. Apply least-privilege access with unique user IDs and MFA, and make sure logs capture who accessed, changed, or shared ePHI, with those logs retained and reviewable. HIPAA also expects documentation to be retained for six years, so retention is not just a storage setting; it is a recordkeeping obligation. If you are still deciding whether a given workload even belongs in the cloud, our guide on choosing between cloud and on-premises is a useful starting point before you commit ePHI to a platform.
Are the Major Cloud Providers HIPAA Compliant?
The honest answer for every major provider is the same: they are "HIPAA eligible," which means they will sign a BAA and supply the controls you need, but they are compliant only when you configure and operate them correctly. "Eligible" is not "compliant by default," and that single distinction explains most of the confusion in this category. Here is how the common platforms shake out.
| Provider | Signs a BAA? | Plan tier required | Consumer/free tier covered? | Customer configuration responsibility |
|---|---|---|---|---|
| Microsoft 365 and Microsoft Azure | Yes, across in-scope services | Business or enterprise plans | No | Enable and manage encryption, access controls, MFA, audit logging, and data-handling policies |
| Google Workspace and Google Cloud | Yes, customer must review and accept | Business or enterprise plans | No | Restrict ePHI to covered services and configure access, encryption, sharing, and logging |
| Amazon Web Services (AWS) | Yes, for HIPAA-eligible services | Standard accounts using eligible services | Not applicable in the consumer sense | Architect, encrypt, access-control, and monitor the workload; use only eligible services |
| Dropbox and Google Drive (personal accounts) | No BAA on consumer tiers | Business/enterprise tier required instead | No | Not usable for ePHI as sold; move to a covered business plan with a signed BAA |
Is Microsoft 365 HIPAA compliant? It is HIPAA eligible. Microsoft will enter a BAA and provides the controls needed for ePHI across in-scope Microsoft 365 and Azure services. The platform is compliant only when the BAA is in place and you correctly enable encryption, access controls, MFA, audit logging, and data-handling policies. It is never automatically compliant out of the box.
Is Google Workspace or Google Drive HIPAA compliant? Google Workspace is HIPAA eligible for covered services once you accept Google's BAA and keep ePHI inside those services with proper configuration. A free or personal Google Drive account is not covered, because there is no BAA and the necessary administrative controls are missing. The paid business and enterprise tiers, configured correctly, are what can be made compliant.
Is AWS HIPAA compliant? AWS is HIPAA eligible. It will sign a BAA and designates which services are eligible for ePHI workloads. Under the shared responsibility model, AWS secures the infrastructure while you remain responsible for architecting, encrypting, access-controlling, and monitoring the workload. Using a non-eligible service, or misconfiguring an eligible one such as an open storage bucket, breaks compliance.
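The "open storage bucket" misconfiguration above is something you can check for without waiting for an auditor. The following is an added example (not AWS code and not part of the original article): it evaluates a bucket policy, a public-access-block setting, and a default-encryption setting and returns findings. The document shapes mirror what the AWS API returns (IAM policy JSON, PublicAccessBlockConfiguration, ServerSideEncryptionConfiguration), but the inputs here are constructed inline so the check runs offline; the helper names and the sample bucket are this example's own.

```python
"""Offline check for the 'open storage bucket' misconfiguration (added example).

Evaluates an S3-style bucket policy, a public-access-block setting and a
default-encryption setting and returns human-readable findings. Document
shapes follow the AWS API; the sample values below are constructed.
"""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" or {"AWS": "*"} grants access to anyone on the internet
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_statements(policy_doc):
    """Return (Sid, reason) for every Allow statement with an anonymous principal."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # A Condition (e.g. a VPC endpoint restriction) may narrow it; still worth a manual look
        reason = "anonymous principal, conditional" if stmt.get("Condition") else "anonymous principal, unconditional"
        findings.append((stmt.get("Sid", "<no Sid>"), reason))
    return findings


def assess_bucket(name, policy_doc, public_access_block, encryption_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"{name}: policy statement {sid!r} allows {why}" for sid, why in public_statements(policy_doc)]
    missing = [k for k in PAB_KEYS if not public_access_block.get(k, False)]
    if missing:
        findings.append(f"{name}: public access block not fully enabled ({', '.join(missing)})")
    rules = encryption_conf.get("Rules", []) if encryption_conf else []
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings


# Constructed sample: a bucket of exported records with a world-readable policy and nothing else set
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-exports/*"}
    ],
}
# Constructed hardened counterpart: one application role, TLS enforced by denying plain HTTP
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ehr-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-phi-exports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-phi-exports", "arn:aws:s3:::example-phi-exports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
ALL_BLOCKED = {k: True for k in PAB_KEYS}
KMS_DEFAULT = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-key"}}]}

if __name__ == "__main__":
    for line in assess_bucket("example-phi-exports", OPEN_POLICY, {}, {}):
        print("FINDING:", line)
    print("hardened:", assess_bucket("example-phi-exports", LOCKED_POLICY, ALL_BLOCKED, KMS_DEFAULT) or "no findings")
```

The Deny statement in the hardened policy is what enforces encryption in transit at the bucket boundary; the check only flags Allow statements, so a wide Deny is not treated as exposure. Pull the three documents from the live account on a schedule and the function becomes the periodic review the checklist later asks for.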
Is Dropbox HIPAA compliant? Dropbox Business and Enterprise can be HIPAA eligible with a signed BAA and proper setup. A personal or free Dropbox account is not. The lesson across all of these is that the product name is not what matters. The plan tier, the signed BAA, and the configuration are. This is exactly the kind of risk a thorough cloud security review is meant to catch before patient data ever lands in the wrong tier.
HIPAA-Compliant Cloud Backup and Disaster Recovery
HIPAA-compliant cloud backup is part of the requirement, not an optional add-on. The Security Rule's technical and administrative safeguards include availability and contingency planning. Covered entities must protect ePHI not only from unauthorized access but also from loss and destruction. That means a data backup plan, a disaster recovery plan, and an emergency mode operation plan are expected, and the ability to create exact, retrievable copies of ePHI is part of the standard.
In plain terms, ransomware, accidental deletion, hardware failure, or a regional outage that makes patient records unavailable is a HIPAA concern, not just an IT inconvenience. Storage that is locked down but unrecoverable still fails the availability requirement. Good backups provide immutability, so attackers cannot quietly alter or delete them; versioning, so you can roll back to a clean point in time; and tested restores, so you know recovery actually works.
Backup is also a covered activity in its own right. If a backup vendor stores your ePHI, that vendor is a business associate and needs its own BAA, and the backups must carry the same safeguards as the primary data: encryption, access control, audit logging, and verified restores. This is why HIPAA-compliant cloud backup and a broader business continuity plan belong in the same conversation as primary storage. The most common failure point is not a missing backup. It is an untested one. A backup you have never restored is an assumption, not a recovery plan.
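A restore test does not need to be elaborate to be real. The following is an added example, not code from the article or from any backup product: it constructs a few sample files, takes a copy with a SHA-256 manifest, restores into a fresh directory, and verifies every file against the manifest, which also covers the integrity-control expectation from the technical safeguards section. The helper names are this example's own, and `shutil` stands in for whatever backup and restore tool you actually use.

```python
"""Added example: a restore test proving a backup is an exact, retrievable copy.

Everything here is constructed in a temporary directory; swap the shutil
calls for your backup tool's backup and restore commands.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup: Path) -> dict:
    shutil.copytree(source, backup, dirs_exist_ok=True)
    manifest = build_manifest(source)
    # Store the manifest beside the copy so the restore test never depends on the live data
    (backup.parent / "manifest.txt").write_text("\n".join(f"{h}  {p}" for p, h in manifest.items()))
    return manifest


def verify_restore(restored: Path, manifest: dict) -> list:
    """Return a list of problems; empty means every file came back bit-for-bit."""
    problems = []
    actual = build_manifest(restored)
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(actual.keys() - manifest.keys()):
        problems.append(f"unexpected file: {rel}")
    return problems


def run_restore_test() -> tuple:
    """Back up constructed files, restore, verify; then corrupt one restored file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, backup, restored = tmp / "live", tmp / "backup" / "data", tmp / "restored"
        (live / "patients").mkdir(parents=True)
        (live / "patients" / "12345.json").write_text('{"mrn": "12345", "note": "constructed sample"}')
        (live / "patients" / "67890.json").write_text('{"mrn": "67890", "note": "constructed sample"}')
        manifest = take_backup(live, backup)
        shutil.copytree(backup, restored)  # stand-in for the real restore step
        clean = verify_restore(restored, manifest)
        (restored / "patients" / "12345.json").write_text("tampered")  # simulate silent corruption
        corrupted = verify_restore(restored, manifest)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = run_restore_test()
    print("clean restore:", clean or "no problems")
    print("corrupted restore:", corrupted)
```

Run this against a real backup on a schedule and keep the output with the rest of your contingency-plan documentation; a dated, passing restore log is the evidence that "tested restores" refers to.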
How to Choose a HIPAA-Compliant Cloud Provider
Choosing well is mostly about asking the right questions before you sign and configuring carefully after. Use this checklist as your evaluation and onboarding baseline.
- Sign the BAA first. Get a signed Business Associate Agreement in place before any ePHI enters the service, and confirm exactly which services and plan tiers the BAA covers.
- Use the right plan tier. Choose the business or enterprise edition that is HIPAA eligible. Never store ePHI in consumer or free tiers.
- Encrypt in transit and at rest. Verify encryption is enabled end to end, and understand who manages the keys.
- Enforce access controls and MFA. Apply least-privilege access, unique user IDs, and multi-factor authentication, with a clear process to revoke access when staff leave.
- Turn on audit logging. Ensure the service records who accessed, changed, or shared ePHI, and that logs are retained and reviewable.
- Control sharing and external access. Restrict public links, external sharing, and personal-device sync that could move ePHI outside protected boundaries.
- Complete and document a risk analysis. Assess how the cloud storage is used and remediate gaps. The documented risk analysis is itself a HIPAA expectation. Our IT infrastructure assessment checklist is a practical way to scope this.
- Train the workforce. Make sure everyone who touches ePHI understands the policies and handling rules. Most breaches involve human error, not exotic attacks.
- Plan for backup and recovery. Maintain HIPAA-compliant backups, define recovery objectives, and test restores so availability is real, not assumed.
- Define breach response. Have documented incident-response and breach-notification procedures ready before you need them.
- Review periodically. Re-check configurations, access lists, vendor BAAs, and logs on a recurring schedule, because compliance is an ongoing state, not a one-time setup.
Configuration is where compliance is won or lost, and it is also where most organizations decide to bring in help. A managed IT partner that runs these platforms daily can stand up the controls, monitor them, and keep them working after go-live. Unió helps healthcare clients deploy and govern compliant cloud through managed cloud services, always from the operator's seat, and never by claiming Unió itself is "HIPAA certified," because no such certification exists. If you are moving existing patient data into the cloud, our cloud migration strategy roadmap walks through sequencing the move without leaving ePHI exposed in transit.
Common HIPAA Cloud Mistakes to Avoid
Most enforcement actions trace back to a short list of avoidable errors. Watch for these.
- Storing ePHI without a signed BAA. Putting patient data into a service before the BAA is executed is a violation on its own, even if nothing is ever breached.
- Using a free or personal account. Consumer-tier Dropbox, personal Gmail, and personal Google Drive lack a BAA and the required administrative controls. They are not compliant, full stop.
- Assuming the provider equals compliance. "HIPAA eligible" is not "compliant." The provider secures the infrastructure; you remain responsible for configuration, access, and use.
- Skipping workforce training. Human error is the leading cause of breaches. A staff member who shares a file too broadly can undo strong technical controls.
- Weak access controls. Shared logins, no MFA, and stale accounts for departed employees are recurring findings in breach investigations.
- Never reviewing audit logs. Logging that no one reads provides no protection. Logs need to be retained and actually monitored.
- No tested backups. An untested backup is a guess. Availability is a HIPAA requirement, and recovery has to be proven.
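The checklist's "turn on audit logging" and "control sharing and external access" items, and the "weak access controls" and "never reviewing audit logs" mistakes above, come together in a review that someone actually runs. The following is an added example, not code from the article or from any cloud provider: it reads constructed audit events and flags three of the recurring findings named above: ePHI shared outside the organization, public "anyone with the link" exposure, and activity from an account that should have been revoked at offboarding. The event schema (`ts`, `actor`, `action`, `target`, `share_with`, `visibility`), the domain, and the users are all this example's own; a real export needs a small adapter to this shape.

```python
"""Added example: a minimal audit-log review over constructed events."""
import json
from datetime import datetime, timezone

ORG_DOMAIN = "example-clinic.test"  # constructed

# Offboarding list from HR (constructed): account -> termination timestamp in UTC
OFFBOARDED = {"jdoe@example-clinic.test": datetime(2026, 5, 31, tzinfo=timezone.utc)}

# Constructed audit events, one JSON object per line
SAMPLE_LOG = """\
{"ts": "2026-06-02T09:14:05Z", "actor": "rn.patel@example-clinic.test", "action": "view", "target": "/patients/12345/labs.pdf"}
{"ts": "2026-06-02T09:20:41Z", "actor": "rn.patel@example-clinic.test", "action": "share", "target": "/patients/12345/labs.pdf", "share_with": "billing@outside-vendor.test"}
{"ts": "2026-06-02T11:02:19Z", "actor": "admin@example-clinic.test", "action": "link", "target": "/exports/q2-claims.csv", "visibility": "anyone_with_link"}
{"ts": "2026-06-03T22:47:00Z", "actor": "jdoe@example-clinic.test", "action": "download", "target": "/patients/12345/labs.pdf"}
{"ts": "2026-06-03T08:00:00Z", "actor": "dr.lee@example-clinic.test", "action": "share", "target": "/patients/67890/notes.docx", "share_with": "dr.kim@example-clinic.test"}
"""


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def review(events, org_domain=ORG_DOMAIN, offboarded=OFFBOARDED):
    """Return (rule, actor, target, detail) tuples for every flagged event."""
    findings = []
    for event in events:
        actor, action, target = event["actor"], event["action"], event["target"]
        if action == "share":
            recipient = event.get("share_with", "")
            # Anything not addressed to the organization's own domain left the protected boundary
            if not recipient.lower().endswith("@" + org_domain):
                findings.append(("external_share", actor, target, recipient))
        if action == "link" and event.get("visibility") == "anyone_with_link":
            findings.append(("public_link", actor, target, event["visibility"]))
        terminated = offboarded.get(actor)
        # Any activity after the termination date means access was never revoked
        if terminated is not None and event["ts"] > terminated:
            findings.append(("stale_account_activity", actor, target, event["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for rule, actor, target, detail in review(parse_events(SAMPLE_LOG)):
        print(f"{rule:24} {actor:32} {target:32} {detail}")
```

Each finding is a ticket for a person, not a dashboard tile: the external share and the public link need the access revoked and the recipient contacted, and the stale-account activity is evidence the offboarding procedure failed and belongs in the incident-response process. Keeping the raw events and this review's output together also satisfies the retained-and-reviewable expectation for logs.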
What Happens If You Get It Wrong
HIPAA is enforced by the HHS Office for Civil Rights (OCR). Civil monetary penalties are structured in tiers based on the level of culpability, ranging from violations the organization could not reasonably have known about, up to willful neglect that was not corrected, which is the most severe tier. Penalties scale with that culpability and with the number of violations, and the per-violation amounts and annual caps are adjusted each year for inflation, so they are not fixed figures. For serious or repeated violations, penalties can reach into the millions of dollars per year, with willful neglect carrying the highest exposure.
The financial figure is only part of the cost. OCR can require corrective action plans and ongoing monitoring, and the most serious cases can involve referral for criminal liability. OCR also maintains a public breach reporting portal, commonly called the "Wall of Shame," that lists breaches affecting 500 or more individuals, so reputational damage travels alongside the fines. Because the dollar amounts change with annual inflation adjustments, treat any specific figure you read as time-sensitive, and verify it against current HHS guidance rather than a number quoted in an article.
Frequently Asked Questions
Is there a HIPAA certification for cloud storage?
No. HHS does not certify, approve, or endorse any cloud provider or product. "HIPAA certified" and "HIPAA approved" are marketing phrases, not official statuses. A provider qualifies to hold ePHI by signing a BAA and supporting the required Security Rule safeguards. Third-party audits like SOC 2 can support your due diligence, but they are not a HIPAA certification, and they do not transfer your responsibility to the vendor.
Does a BAA make my cloud storage automatically HIPAA compliant?
No. A signed BAA is mandatory before any ePHI enters the service, but it does not make storage compliant by itself. The BAA divides responsibility under the shared responsibility model: the provider secures the infrastructure, while you remain responsible for configuration, access decisions, workforce training, and using the service correctly. Compliance comes from the BAA plus the safeguards plus correct, ongoing operation.
Is encryption required for HIPAA cloud storage?
Encryption is technically an "addressable" specification under the Security Rule rather than a flatly required one, which means you could document an equivalent alternative if you genuinely had one. In practice you almost never do, and encryption in transit and at rest (for example TLS and AES-256) is the expected standard. Treat it as effectively mandatory, confirm who manages the keys, and document your decision.
Is Microsoft 365 or Google Drive HIPAA compliant?
Both can be made compliant on the right plan, and neither is compliant by default. Microsoft 365 is HIPAA eligible: Microsoft will sign a BAA and provide the controls, but you must configure encryption, access controls, MFA, and logging. Google Workspace is HIPAA eligible once you accept Google's BAA and keep ePHI in covered services. A free or personal Google Drive account is not covered, because it has no BAA and lacks the required administrative controls.
How long must I retain ePHI and HIPAA documentation?
HIPAA requires that the documentation it mandates, such as policies, procedures, risk analyses, and records of actions and assessments, be retained for six years from the date of creation or the date it was last in effect, whichever is later. Note that the six-year rule applies to HIPAA documentation specifically. Retention of the medical records themselves is generally governed by state law and can be longer, so check your state's requirements as well.
What is the difference between HIPAA-compliant cloud storage and cloud backup?
Storage keeps ePHI accessible for daily use, while backup keeps recoverable copies so you can restore after deletion, corruption, ransomware, or an outage. HIPAA requires both, because the Security Rule's availability and contingency-planning provisions expect a data backup plan, a disaster recovery plan, and the ability to produce exact, retrievable copies of ePHI. A backup vendor that stores your data is also a business associate and needs its own BAA, with the same safeguards as your primary storage.
What happens if I store ePHI without a BAA or get the configuration wrong?
Storing ePHI in a service without a signed BAA is a violation in itself, even if no breach ever occurs. Enforcement is handled by HHS OCR through tiered civil penalties based on culpability, adjusted annually for inflation, that can reach into the millions per year for serious or willful-neglect cases, alongside corrective action plans and public breach reporting. Because the dollar figures change each year, verify current amounts against HHS guidance rather than relying on a number in an article.
Ready to Simplify Your HIPAA Compliance?
Contact our team to discuss HIPAA-compliant cloud storage solutions for your organization.