What is HIPAA-Compliant Cloud Storage?

November 11th, 2016

HIPAA-compliant cloud storage complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure the security of healthcare patients’ data stored on remote servers accessed from the internet.

HIPAA governs how healthcare providers and their business associates, as defined in the Act, can store, manage, and share personal health information (PHI). If you’re a healthcare provider (or a cloud storage provider working with a healthcare provider), it’s important to understand how HIPAA applies to cloud storage.

With the rising popularity of services like iCloud and Dropbox, many people and companies have become more comfortable with cloud storage. There’s no question these services are convenient; being able to access universally synced data anytime, anywhere, from any device, is incredible.

HIPAA-compliant cloud storage

But that doesn’t mean these services are HIPAA-compliant. HIPAA introduces particular requirements that not every cloud storage provider satisfies.

Don’t make the mistake of assuming that a particular cloud storage option will comply with HIPAA. Storing your data “in the cloud” can make it difficult to achieve the level of security required of healthcare.

Here’s what you need to know about cloud storage to make sure your data is safe and sound — and HIPAA-compliant.

Understanding HIPAA Compliance

HIPAA has four rules — the privacy rule, the security rule, the enforcement rule, and the breach notification rule — and three requirements that outline how PHI is stored, transmitted, accessed, and more.

HIPAA’s three requirements are:

Administrative Safeguards

Healthcare providers and their business associates must have policies and procedures in place to ensure the proper management, training, and oversight of staff who contact or manage PHI.

Technical Safeguards

These requirements concern systems infrastructure and things like encryption, audit controls, and data storage.

Physical Safeguards

This pertains to the physical servers and how they secure data. It includes data redundancy and failure requirements, access to servers, and more.

These three requirements, in addition to HIPAA’s four rules, cover a lot of ground. The following considerations are important, but should not be regarded as a complete checklist of what you need to take into account when ensuring HIPAA compliance. Cloud storage is just one area of your business that requires HIPAA compliance — the rules also apply to websites, email, videoconferencing, and more.


Encryption is an important part of ensuring your data is secure. Every step of the way, your data must be encrypted. Not only must the data in the cloud itself be encrypted, but the methods you use to move data to and from the cloud servers must be secured as well.

A Multi-Tenant Environment

Your cloud storage provider must have a multi-tenant environment to prevent data from being combined with other data, and to prevent other tenants from gaining access to your data. You don’t want your data getting mixed up with the data of a company that happens to use the same cloud storage provider. Additionally, the data and equipment your cloud storage provider uses should be physically isolated and protected.

Access Control and Validation Procedures

As part of the administrative and physical safeguards required by HIPAA, companies must develop and implement procedures to control and validate a person’s access to the data stored in the cloud. If you intend to use cloud storage, ask potential providers what their procedures are.

Business Associate Agreements

When a technology provider delivers a service to a healthcare organization, they are considered a business associate as defined by HIPAA. Healthcare providers and business associates must sign business associate agreements (BAA). A BAA is essential in ensuring everyone understands their HIPAA obligations. It also identifies the role the hosting company takes and who is  responsible should any breaches occur.

Remember: If a company will not sign a BAA, you cannot use them for HIPAA-compliant cloud storage services. It’s as simple as that.

Risk Assessment

When providing HIPAA-compliant cloud storage, consider conducting a risk assessment and asking any cloud storage providers to conduct one as well. This will identify potential issues and help you feel confident that you are covering all your bases.

Evaluating Public Cloud Storage Vendors

With this understanding of HIPAA as it applies to cloud storage, we can consider some of the available public cloud vendor services and see whether they are HIPAA compliant.


Dropbox signs BAAs and also makes available a third-party assurance report evaluating their controls for HIPAA Security, Privacy, and Breach Notification rules. It also maps its internal practices and recommendations for customers who want to comply with HIPAA. It provides this guide, which outlines its Dropbox Business practices with respect to HIPAA.

Amazon S3

Although Amazon S3 is not HIPAA-compliant on its own, Amazon AWS can be used to create HIPAA-compliant cloud storage. It takes some effort, though. Amazon AWS doesn’t take care of HIPAA-compliant cloud storage from start to finish. Instead, they provide you with dedicated servers and a BAA, leaving the rest up to you.

Setting everything up to be HIPAA-compliant is a bit of task. If you have an IT professional who can take of it, it may be worth investigating further.


Apple won’t sign a BAA, taking it out of the running for HIPAA-compliant cloud storage.

Google Drive

Google Apps for Business will sign a BAA covering paid services for Gmail, Google Drive, Google Calendar, and Google Vault. However, it’s up to the business itself to configure those services to be HIPAA-compliant. In addition, all other Google services must be disabled from the domain, isolating these four.


LuxSci signs a BAA and provides the security controls needed for HIPAA-compliant cloud storage in its WebAide Documents.  LuxSci also provides mechanisms for sharing stored files between and with external people.

The Difference With Private Cloud Storage Vendors

A private cloud is a set of virtual private servers (VPS) under your complete control. This is different from cloud vendors like Google Drive or Dropbox because you get to control the underlying hardware and software, and the environment is not shared with anyone else. Private clouds are also easy to configure and upgrade as security needs change.

When it comes to ensuring secure, HIPAA-compliant cloud storage, the stakes are high. Fines for breaches and non-compliance are significant. Take the time to find the right cloud storage vendor for your needs. It’s important you feel confident your cloud storage vendor complies with HIPAA and maintains the security of your data.