How to Ensure You are Using HIPAA Compliant Cloud Data Storage

Learn about HIPAA compliant cloud storage, how to identify if your provider is compliant and which cloud companies are compliant with HIPAA regulations

For healthcare organizations and other HIPAA covered entities, the most important consideration when selecting a cloud data backup and disaster recovery service is whether the provider offers HIPAA compliant cloud service provider

Today, more and more healthcare organizations are turning to the cloud due to the convenience, affordability, and plethora of advantages it brings. Indeed, as recent research has shown, the global market for cloud technologies in the healthcare industry is expected to grow by $25.54 billion between 2020 and 2024.

As the report notes, “Deploying cloud computing in healthcare ecosystems offers various advantages, including cost savings, enhanced flexibility, and system scalability to the organizations.”

Diagram of growth of cloud technologies in the health care industry

(Image source:

However, while there is no doubt that utilizing cloud services for data storage offers many benefits, healthcare organizations must ensure that a HIPPA compliant cloud storage service is used to store the protected health information (PHI) of patients.

This is crucial for HIPAA compliance. But what is HIPAA complaint cloud storage exactly, and what do you need to look out for when selecting cloud storage services from vendors?

What Is HIPAA Compliant Cloud Data Storage?

Via the HIPAA Security Rules, HIPAA requires that healthcare organizations ensure the adequate protection of PHI and electronic PHI (ePHI) through appropriate technical, physical, and administrative safeguards.

In effect, this means that HIPAA compliance depends on the actions of people as much as it does on data security technology. Importantly, these mandates not only concern healthcare organizations themselves, but any cloud service providers they work with as well.

A HIPAA compliant cloud storage service provider will meet implement the necessary technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of all ePHI in its control.

So, let’s break down the safeguards and data security controls your cloud storage partner must provide to ensure HIPAA compliance.

Technical Safeguards

The HIPAA Journal provides a HIPAA Compliance Checklist detailing the three types of safeguard all HIPAA covered entities and their business associates must implement to comply with the HIPAA Security Rule.

Technical safeguards are those that rely on technology to protect ePHI and control access to it. The most important function of any technological storage is that all ePHI data – whether at rest or in transit – is encrypted to NIST standards. This ensures that the data is indecipherable and unusable should a cybersecurity breach occur.

Further to this, the following technical safeguards must also be implemented.

Written description of implementation of technical safeguards HIPAA compliant cloud storage

(Image source:

Administrative Safeguards

Administrative safeguards refer to the policies and procedures HIPAA covered entities and cloud storage providers put in place to ensure the ongoing protection of PHI.

A crucial element of administrative safeguarding is regular risk assessments, which must be carried out by an assigned Security Officer and Privacy Officer. These officers are also responsible for putting measures in place to protect ePHI, and for governing the HIPAA compliant conduct of the workforce.

Written implementation of administrative safeguards HIPAA compliant cloud storage

(Image source:

Your HIPAA Compliant Cloud Storage Provider Must Sign a Business Associate Agreement

Under HIPAA, any third-party a healthcare organization works with – including cloud storage providers – is classed as a business associate (BA). Business associates must also comply with HIPAA and sign a business associate agreement (BAA) with the healthcare organization before any data is uploaded to the BA’s cloud storage facility.

This is absolutely crucial. No cloud storage service is HIPAA compliant unless a BAA has been signed.

A BAA outlines exactly what the responsibilities of all parties are when it comes safeguarding ePHI.

What cloud storage is HIPAA compliant?

While many popular cloud storage service providers will sign a BAA, not all are prepared to do so.

Two prominent examples are WeTransfer and Apple iCloud – meaning that neither service provides HIPAA compliant cloud storage.

The answer to the question “Is iCloud HIPAA compliant?” is a no. If the cloud storage provider will not sign a Business Associate Agreement (BAA), then they cannot be HIPAA compliant.

Other vendors will sign a BAA. These include Google Drive, Dropbox, Microsoft OneDrive, and Amazon Web Services (AWS). However, what’s important to note is that although they each support HIPAA compliance, the agreement will typically outline that it is down to the healthcare organization itself (not the cloud storage provider) to configure the system in accordance with HIPAA requirements.

This includes implementing and configuring access controls, audit controls, authentication controls, and in some cases encryption.

These are complicated processes and require constant monitoring and attention. As such, the best solution is to utilize the services of a HIPAA compliant cloud storage specialist.

HIPAA Compliant Cloud Storage with Central Data Storage

Ultimately, healthcare organizations have two main types of cloud storage providers to consider – generalists that support HIPAA by signing a BAA, and HIPAA specialists that work hand in hand with healthcare organizations to ensure HIPAA compliance.

Invariably, going with a HIPAA compliant cloud storage specialist is the best option.

At Central Data Storage, in addition to our beyond-military-grade cloud storage and file sharing solutions, we also offer round-the-clock service, data storage support, and ongoing guidance on best practices for HIPAA compliance.

HIPAA compliant cloud storage is our business, and our product, UnisonBDR, demonstrates that nothing is more important to us than the security of your ePHI, and we pride ourselves on developing true partnerships with the businesses we work with.

We help our clients develop policies, procedures, training programs and disaster recovery plans, and make sure they have technical, administrative, and physical safeguards implemented effectively.

We are approved by third-party auditors as 100% compliant with HIPAA, as well as the Health Information Technology for Economic and Clinical Health Act (HITECH), and the General Data Protection Regulation (GDPR).

Want to learn more about our UnisonBDR for storage, backup, and recovery and WisperMSG for secure file transfer? Call 1-888-907-1227, email, or sign up today  

Scroll to Top