[HIPAA Compliant Cloud Storage] Secure & Private Storage

[HIPAA Compliant Cloud Storage] Secure & Private Storage

Which HIPAA compliant cloud storage provider is best? We’ll explore the top options, features, and pricing to help you choose the best one.

Is Google Drive HIPAA compliant? No, Google Drive is not HIPAA compliant in its default form. An organization needs to sign a business associate agreement with Google along with changing security and privacy settings to be compliant and protect the data that is being stored.

What is HIPAA and How Does it Impact Cloud Storage?

The Health Insurance Portability and Accountability Act (HIPAA) outlines the requirements healthcare providers and associated businesses have in protecting and securing patient data. At the core of HIPAA are three sections known as the HIPAA “rules”:

  1. The Privacy Rule defines what Protected Health Information (PHI) is, and the responsibilities that providers and businesses have when handling that data.
  2. The Security Rule specifies how providers and other healthcare businesses handling PHI must secure their systems to protect that data.
  3. The Breach Notification Rule outlines how providers must respond to data breaches in terms of notifying affected patients and the public.

The HIPAA Privacy Rule defines two major parties that fall under compliance requirements:

  • Covered Entities (CEs), or primary healthcare entities like clinics, hospitals, insurance companies, etc.
  • Business Associates (BAs), or businesses that handle PHI as part of a contract with a Covered Entity to furnish specific services (managing finances and payroll, providing secure email, etc.).

The rules around BAs are strict, and one of the necessary items that must be in place for any BA is a Business Associate Agreement (BAA) that outlines the BAs responsibilities and liability under HIPAA law–namely, that they are responsible for any breaches. BAA’s are necessary for compliance, but they are not the entirety of a BA’s responsibilities under HIPAA.

A cloud provider working with CEs is, by definition, a BA and must sign an agreement, prove HIPAA compliance, and take responsibility for any breaches or non-compliance issues.

HIPAA Compliance Guide

Requirements for HIPAA Compliant Cloud Storage

A HIPAA-compliant cloud provider is thus a provider that offers cloud storage, computing and other features that meet security requirements. These security controls cover several basic areas:

  1. Physical safeguards: compliant cloud providers must demonstrate the physical security measures in place that keep data from unauthorized physical access. This includes safeguards on workstations and security measures like cameras and biometric locks on data storage rooms.
  2. Technical safeguards: providers must protect data at rest and in transit, which means proper encryption, malware protection, secure transfers, and other controls.
  3. Administrative safeguards: cloud providers must build, maintain and document plans, training and protocols pertaining to security and compliance.

Any application or storage solution that handles PHI must follow Security Rule guidelines for HIPAA compliance. Providers in working relationships with CEs who do not do this will be liable for any audits or assessments that find them out of compliance. Note that penalization for non-compliance doesn’t just occur when a breach occurs. If your organization does not meet regulations, then there could be fees ranging from $100 to $50,000 per incident and jail time depending on the severity of issue.

Additionally, cloud providers offering storage for CEs must have a standing BAA with any client that includes their liability under HIPAA as well as any additional requirements of the CE.

Finally, CEs must still perform any risk assessments called for under HIPAA to maintain their compliance, and that includes managing risk associated with a cloud provider. This includes reporting and documenting audits and audit controls and keeping logs of findings to provide a context of how the CE and the BAs manage security risk.

HIPAA Compliant Enterprise Cloud Solutions for Healthcare

“Cloud” storage is a rather broad term, and it can refer to something as plain and simple storage and backup to full-featured platforms with analytics, machine learning, file transfer, and productivity tools. It’s often the case that CEs and BAs need more than just storage and backup, and as such, they’ll look to a platform provider that can give them more.

In general, you can break up these services into three paradigms:

  1. Software-as-a-Service (SaaS): SaaS platforms are what we think of when we think about web-enabled apps tied to cloud computing. The benefit of these services is that they can offer the same functionality as a piece of software without requiring anyone to download that software. Microsoft 365 (with Office online and desktop applications) and other platforms are good examples of this.
  2. Platform-as-a-Service (PaaS): Platforms “as a service” are a natural evolution of SaaS that gives enterprise clients more control over their platform. Whereas SaaS tools are often built for a company, a PaaS system gives that company more power to build their own tools on top of the cloud. These usually include an SDK and require an IT team or third-party development company to support them.
  3. Infrastructure as a Service (IaaS): The final step here is giving the company the most control over their platform as part of their infrastructure. Large hospitals, insurance networks or Integrated Delivery Networks (IDNs) benefit from IaaS systems.

If your business is to be HIPAA compliant, it must work with HIPAA-compliant cloud providers, and these services all fall under HIPAA requirements.

Top HIPAA-Compliant Cloud Storage Vendors

Provider Will Sign or Has an Established BAA Compliant Services Productivity Integrations
Accellion Yes Accellion Kiteworks Platform Microsoft Office 365 (Desktop Apps), Google Workspace, Box, Dropbox, Sharepoint
Microsoft Yes Azure Cloud, Office 365, Dynamics 365, Power Apps, Power BI Office 365 (Desktop Apps), SharePoint, PowerApps
Amazon (AWS) Yes Amazon S3 None (for dedicated cloud). .
Google Yes G Suite, Google Cloud Platform Google Workspace, Dropbox, Box
Carbonite Yes Carbonite Endpoint, Carbonite Pro, Carbonite Server None
Box Yes Box Dropbox, Office 365, Salesforce, Google Workspace


Microsoft OneDrive is a smaller application of the larger Microsoft 365 and Azure ecosystem. That’s a big deal for those looking for HIPAA-compliant storage, and it helps that Microsoft is a long-time leader in healthcare technologies like cloud, AI, and machine learning–all of which adhere to HIPAA regulations. Their cloud services also seamlessly integrate with Office 365 productivity tools and platforms like Power Platform.

Amazon (AWS)

Amazon hasn’t made as many inroads into the healthcare cloud space as competitor Microsoft, but recent developments like partnerships with several pharmaceutical companies and hospitals across the country have started to change that. While AWS isn’t known for its full set of usability features, it does support app builders and high-end hospitals to perform research and analytics compliant with HIPAA regulations.


Google has also begun to make moves into healthcare with a HIPAA-compliant version of GSuite enterprise tools. Obviously, this includes access to items like Gmail and Google Office as part of the deal. Google Health sought to be an all-in-one solution, but it was shut down in 2012 which has limited their inroads into the healthcare market somewhat. Currently, Google Workspace covers cloud storage and the Google suite of office tools, as well as connectors with Dropbox, Box and Microsoft online software (no desktop integration).


Carbonite has established itself as a secure file storage platform for years now, and it’s HIPAA-compliant data backup and recovery services help hospitals manage and secure data. It is also one of the few solutions (along with Accellion) to offer data-centric dashboards to manage data movement and use easily. However, Carbonite is also primarily known for its backup solutions rather than its feature-rich counterparts, and as such it doesn’t necessarily support productivity or interoperability with working software.


Box is one of the better known cloud storage solutions and includes a HIPAA-compliant setup that includes compliant technology and a BAA. More importantly, Box plays well with everything from Microsoft to Google as far as third-party connectors go. It does not include advanced data management, however. It does stand out as a cloud solution with wide-ranging capabilities and integrations.

The Accellion Difference for HIPAA Compliant Cloud Storage

The Kiteworks platform provides cloud storage and file transfer features that many competitors simply don’t, and these features support critical compliance and enterprise needs for hospitals and other CEs and BAs. More importantly, it does this with an emphasis on enterprise data management, including features like:

  1. Compliance: Unlike the competition, Accellion specializes in being 100% HIPAA compliant. This includes critical features like one-click auditing and reporting, necessary administrative safeguards for accounts, SOC 2 attestations for AWS and Azure physical safeguards, and HIPAA encryption. Furthermore, features like secure email rely on messaging and secure links to allow for compliant communications with third parties outside of your organization.
  2. Data Visibility and Intelligence: From data transfers to reporting and analytics, Accellion gives your organization a bird’s eye view of its data practices and usage. The Kiteworks Platform is one of the only cloud providers that includes complete data visibility through a CISO Dashboard that shows where your data is going, who accesses it and any audit logs necessary to trace security events.
  3. Security: HIPAA security is about more than just compliance; it is a critical aspect of data safety to protect ePHI. Accellion provides important security standards like AES-256 encryption for data at rest, encrypted file transfers, encrypted emails, and more.
  4. Integrations: The Kiteworks platform integrates with Microsoft and Google productivity tools so compliance doesn’t get in the way of your team doing actual work. Unlike many other solutions, the Kiteworks platform works with the desktop Microsoft apps seamlessly for easy access and editing. It also works well with other cloud solutions like Box and Dropbox.

If you are a healthcare CE or BA that wants a rock-solid solution for cloud storage, secure content access, secure email, and compliant healthcare analytics, then look to the Kiteworks platform. We offer critical information access controls that maintain adherence to HIPAA security regulations across administrative, physical and technical safeguards without sacrificing productivity, flexibility or data visibility for your entire organization.

Access our HIPAA Compliance Guide to learn how Accellion keeps you HIPAA compliant. Likewise, learn more about Accellion’s HIPAA-compliant Hybrid Cloud Deployment.

HIPAA Compliance Guide

*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Accellion authored by Vince Lau. Read the original post at: