Top HIPAA/HITECH-Compliant Cloud Storage Providers
1. Microsoft OneDrive for Business / SharePoint (via Microsoft 365)
- Compliant: Yes, with a signed BAA
- Encryption: AES-256-bit encryption in transit and at rest
- Access Controls: Role-based access, multi-factor authentication (MFA)
- Best For: Businesses already using Microsoft 365
Microsoft offers a HIPAA BAA as part of its Microsoft Online Services Terms (OST) agreement.
You can review and accept the BAA through the Microsoft Service Trust Portal:
- Go to Microsoft Compliance Center
- Sign in with your Microsoft 365 admin account
- Navigate to Compliance > Reports > Audit and Compliance Reports
- Look for the Business Associate Agreement (BAA) and review the terms
- If you have Microsoft 365 Business, Enterprise, or Government plans, the BAA is included automatically once you agree to the terms.
📌 More info: Microsoft HIPAA Compliance
2. Google Drive (via Google Workspace Business & Enterprise)
- Compliant: Yes, with a BAA (requires Business Standard, Business Plus, Enterprise, or G Suite for Nonprofits)
- Encryption: AES-256-bit encryption
- Access Controls: Admin controls, data loss prevention (DLP), audit logs
- Best For: Teams using Google services
You can sign a BAA with Google through the Google Admin Console:
- Go to Google Admin Console (admin.google.com)
- Click on Account Settings > Legal & Compliance
- Select Review and Accept the HIPAA Business Associate Amendment
- Confirm acceptance
📌 More info: Google HIPAA Compliance
3. Dropbox Business (Dropbox Enterprise)
- Compliant: Yes, with a BAA (only for Business and Enterprise plans)
- Encryption: AES-256-bit encryption
- Access Controls: User permissions, MFA, activity tracking
- Best For: Simple file storage with team collaboration
To request a BAA:
- Log in to your Dropbox Business Admin Console
- Navigate to Settings > Account Settings
- Find the HIPAA Compliance section and request a BAA
- Dropbox will provide a custom agreement for you to sign
4. Box (Enterprise Plan)
- Compliant: Yes, with a BAA
- Encryption: AES-256-bit encryption
- Access Controls: Advanced permission settings, integration with identity management systems
- Best For: Large businesses with strict compliance needs
To request a BAA:
- Upgrade to Box Enterprise or Business
- Contact Box Sales or Support to request a BAA
- Box will provide the agreement for review and signature
📌 More info: Box HIPAA Compliance
5. Amazon AWS (S3 with HIPAA Controls)
- Compliant: Yes, when properly configured and a BAA is signed
- Encryption: AES-256-bit encryption at rest, TLS for data in transit
- Access Controls: IAM policies, audit logs
- Best For: Companies needing a scalable, customizable cloud solution
To request a BAA:
- Log in to AWS Management Console
- Navigate to AWS Artifact (AWS Compliance Center)
- Under Agreements, select "Request Business Associate Addendum"
- Sign the BAA electronically
- AWS will activate HIPAA-compliant features once signed
📌 More info: AWS HIPAA Compliance
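The controls listed above (default encryption at rest, TLS for data in transit, restricted access, audit logs) are per-bucket settings that should be verified after the BAA is signed. The following checker is an added example, not code from the original post or from AWS; it works on dicts shaped like the boto3 responses of get_bucket_encryption, get_public_access_block, get_bucket_policy and get_bucket_logging, with constructed sample configurations (bucket names and the KMS key alias are placeholders), so it runs offline without an AWS account.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def denies_plaintext(policy_json):
    """True if the bucket policy explicitly denies requests made without TLS."""
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for s in statements:
        cond = s.get("Condition", {}).get("Bool", {})
        if s.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

def audit_bucket(encryption, public_access_block, policy, logging):
    """Return the HIPAA-relevant controls a bucket fails; inputs are dicts shaped like boto3's
    get_bucket_encryption / get_public_access_block / get_bucket_policy / get_bucket_logging responses."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:  # encryption at rest
        findings.append("no default server-side encryption (AES256 or aws:kms)")
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:  # access control
        if not pab.get(flag):
            findings.append(f"public access block setting {flag} is off")
    if not denies_plaintext(policy.get("Policy")):  # encryption in transit
        findings.append("bucket policy does not deny aws:SecureTransport=false")
    if not logging.get("LoggingEnabled", {}).get("TargetBucket"):  # audit log
        findings.append("server access logging is disabled")
    return findings

# Constructed sample configurations; bucket names and the KMS alias are placeholders.
HARDENED = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-key-placeholder"}}]}},
    "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "phi/"}},
}
WEAK = {"encryption": {}, "public_access_block": {}, "policy": {}, "logging": {}}  # no controls at all

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_bucket(**cfg) or ["all checks pass"])
```

Against a live account you would feed audit_bucket the real responses from the four boto3 calls named in its docstring for each bucket that holds PHI.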
6. Tresorit
- Compliant: Yes, with BAA
- Encryption: End-to-end encryption (Zero-Knowledge architecture)
- Access Controls: User and device management, MFA
- Best For: Maximum security with zero-knowledge encryption
You must contact their support team to request and sign the agreement.
📌 More info: Tresorit HIPAA Compliance
Choosing the Right Solution
- If you're using Microsoft 365 or Google Workspace, OneDrive or Google Drive will be the easiest to integrate.
- If you need advanced security and compliance, Box or Tresorit are great choices.
- If you require a highly customizable and scalable option, AWS S3 is ideal but requires more setup.
Final Notes:
- You must configure security settings properly after signing the BAA. A signed BAA alone does not make you HIPAA compliant—you must follow encryption, access control, and audit log best practices.
- Need help setting up your HIPAA-compliant cloud storage? Contact Pacific Northwest Computers at 360-624-7379 or text 503-583-2380, and we can help assist you! 😊