The 7 best HIPAA-compliant cloud storage solutions for your practice

Have you heard the horror stories? A celebrity’s personal pictures are stolen from the cloud and distributed online. A Fortune 500 company’s cloud storage is hacked and data from thousands of customers sold.

While some industries may just get a slap on the wrist for this type of breach, in healthcare the stakes are much higher. HIPAA violations cost a lot of money, and the damage a hacker can do with patient information is incalculable.

If your organization is HIPAA compliant, you don’t just need to keep your cloud data safe. It has to be HIPAA safe. What does that mean?

The Health Information Technology for Economic and Clinical Health Act (HITECH) clarified how healthcare providers need to secure electronic protected health information (PHI). This law also ensures that regulations stay current with quickly advancing technologies like cloud storage.

HITECH states that healthcare providers aren’t the only ones who need to stay compliant. In fact, any storage services and apps you use have to meet HIPAA security guidelines as well.

According to the law, your cloud storage service has to provide you with a business associate agreement (BAA) stating that they’re HIPAA compliant.

Not every cloud storage service is up to the challenge. As a rule, a HITECH-compliant cloud storage service has to provide you with:

  • A permission-based system that limits access by unauthorized users
  • Access monitoring
  • Audit trails
  • Strong data encryption during data upload, download, and storage
  • Administrative controls
  • Third-party integrations for HIPAA-compliant apps

While the HIPAA-compliant cloud storage service is responsible for providing these tools, it’s still up to you as a healthcare provider to set up these tools and use them properly. To make your decision easier, let’s look at seven of the best HIPAA-compliant cloud storage services.

Pro Tip: Integrate HIPAA-compliant forms with Dropbox, Google Drive, or Box.

HIPAA-Compliant Cloud Storage Solutions

1. Dropbox

Dropbox is a mainstay of the cloud storage industry. But you can’t just sign up for a standard Dropbox account and start transferring PHI. You need a business account to get HIPAA-compliant storage through Dropbox.

Dropbox’s business service is HITECH and HIPAA compliant. It will cost your practice a nominal $12.50 a month for five users. Dropbox offers what they refer to as a “robust ecosystem” of third-party apps that you can integrate directly into your HIPAA-compliant cloud storage to enhance functionality and efficiency. JotForm’s HIPAA-compliant form-building service can be fully integrated into your Dropbox account.

When choosing third-party apps, you’ll need to evaluate each app’s compliance. Third-party apps aren’t included in your BAA and some may not be safe to use. So check first.

As a bonus, Dropbox also offers unlimited data storage and document recovery services.

2. Google Drive

To use Google Drive as your HIPAA-compliant cloud storage solution, first, you have to request a BAA from the company under your G Suite account. This BAA will cover many common Google Cloud programs like Docs, Sheets, and Slides. But it will exclude some applications that haven’t been deemed HIPAA compliant.

With Google Drive, you’ll have full control over audits and tier permission structures to help you protect PHI.

You’ll pay $5 for one user for the 30 GB plan. This tier will allow you to store quite a bit of data. If you outgrow the 30 GB plan, you can always upgrade to unlimited storage for $10 per user per month.

3. Microsoft OneDrive

If you have enterprise cloud services through OneDrive, you can request a BAA. Microsoft also offers a few tiers of security — the most expensive costs $35 per month. This tier lets you benefit from state-of-the-art security solutions and easily integrates with organizations that already use Microsoft’s full suite of products.

4. Carbonite

“Way back” in 2005, before most people had heard of the cloud, Carbonite was offering small businesses and individuals a safe way to store files online. Today more than 1.5 million customers use their cloud services. Carbonite offers off-site backup and additional disaster recovery services that truly set it apart. Carbonite also has very strict safety protocols.

Instead of paying a monthly fee per user, you’ll pay for an annual plan for your organization. Plans start at $269.99 per year and can cost $1,299.99 per year for large organizations.

5. Box

Box is a lesser-known HIPAA-compliant cloud storage service that’s positioned itself as the right solution for healthcare providers. It offers access monitoring and audit trails so that you can verify what data was accessed, when it was accessed, and who accessed it.

Like other cloud storage services, Box integrates with Salesforce, JotForm, Google, and other useful applications for a seamless user experience across platforms without jeopardizing PHI security. As an added benefit, you can easily and securely view DICOM files (such as x-rays, ultrasounds, and CTs).

6. SpiderOak One Backup

SpiderOak protects against a wide range of cyber attacks. It stands out among its competitors with its “No Knowledge” policy: even SpiderOak’s staff doesn’t know what’s in your data. In order to provide the highest level of security, SpiderOak One Backup stores all data in encrypted form. The data is encrypted on your device before going to cloud storage. SpiderOak will provide a BAA upon request.

A free 21-day trial is available for One Backup. Paid plans have four tiers depending on the storage size. The lowest tier costs $6 per month for 150 GB of storage, whereas the 5 TB plan costs $29 per month. The price drops if you purchase the product for at least a year.

7. AWS

As a tech colossus, Amazon offers a great deal of credibility and sophistication in the cloud storage business. Amazon Web Services (AWS) provides data storage and transfer through secure and durable networks. You can store and back up your medical data with different AWS products depending on the type of data.

AWS provides guidance on how to manage and configure HIPAA-compliant cloud storage, which can be helpful for beginners. You can encrypt your patient health information (PHI) on both ends — the client side and the server side. Amazon will also sign a BAA with your healthcare organization.

With its flexible payment plan, AWS provides pay-as-you-go services. You don’t need to commit to a long-term contract. Pricing varies depending on tier, region, and storage size.

Keeping your cloud storage HIPAA compliant

By choosing a reputable cloud storage provider, checking the permissions of your third-party apps, gathering patient data with HIPAA-compliant forms, and making good use of audit trails, you can ensure that your cloud storage doesn’t conflict with HIPAA standards.

This article was originally published on Dec 10, 2018, and updated on Jun 03, 2021.
Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form. The views stated herein are for discussion only, and are not intended to constitute medical advice or any other advice, procedures, or guidelines for diagnosing or treating any medical condition or for any aspect of the practice of medicine.
