Best HIPAA-Compliant Cloud Storage (2025): AWS, Azure, Google Cloud & More
Storing protected health information in the cloud requires a provider that signs a BAA and meets HIPAA technical safeguards. Major cloud platforms like AWS, Azure, and Google Cloud all offer HIPAA-eligible services, but proper configuration is essential. This guide covers leading HIPAA-compliant cloud storage options with their BAA availability, encryption standards, and required setup steps.
AWS S3, Azure Blob Storage, Google Cloud Storage, and Box all offer HIPAA-compliant cloud storage with signed BAAs. Each requires specific configuration including encryption, access controls, and audit logging to maintain compliance.
Compliance Assessment
- AWS signs a BAA covering S3 and 100+ HIPAA-eligible services. It offers SSE-S3, SSE-KMS, and SSE-C encryption options with comprehensive IAM controls.
- Microsoft signs a BAA covering Azure services. Azure provides encryption at rest by default, Azure AD access controls, and Azure Monitor audit logging.
- Google signs a BAA covering GCS as a core service. GCS provides default encryption at rest with AES-256, IAM policies, and Cloud Audit Logs.
- Box offers a BAA on Business Plus and Enterprise plans. It provides AES-256 encryption, granular access controls, and Box Shield for threat detection.
- Dropbox signs a BAA on Business Advanced and Enterprise plans. It requires disabling third-party integrations and configuring sharing restrictions.
- Encryption at rest: All major compliant providers encrypt data at rest by default using AES-256. Customer-managed keys (CMEK) are available for additional control.
- Encryption in transit: All providers use TLS 1.2+ for data in transit, meeting HIPAA transmission security requirements.
- Access controls: IAM, RBAC, and bucket/container-level policies are available on all major platforms to enforce minimum necessary access.
- Audit logging: AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs, and Box admin logs all provide the audit capabilities required by HIPAA.
- Data residency: AWS, Azure, and GCP allow selecting storage regions. Box offers data residency on Enterprise plans. Storage regions must be configured explicitly to keep PHI in approved regions.
Business Associate Agreement (BAA)
- AWS: BAA available through AWS Artifact, covering 100+ HIPAA-eligible services including S3.
- Azure: BAA included in Microsoft Online Services Terms.
- Google Cloud: BAA accepted in the Cloud Console, covering core GCS services.
- Box: BAA available on Business Plus and Enterprise plans.
- Dropbox: BAA available on Business Advanced and Enterprise plans.
How to Configure Cloud Storage for HIPAA Compliance
- Sign a BAA with your chosen cloud storage provider before uploading any PHI.
- Enable server-side encryption (SSE) with provider-managed or customer-managed keys for all storage buckets/containers.
- Configure IAM policies to enforce least-privilege access — no public buckets or containers.
- Enable audit logging (CloudTrail, Azure Monitor, Cloud Audit Logs) and retain logs for at least six years.
- Set up automated monitoring for public access misconfigurations and unauthorized access attempts.
- Configure data lifecycle policies for automatic encryption key rotation and secure data deletion.
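The steps above amount to a checklist that can be evaluated against a bucket's configuration on a schedule, which is the "automated monitoring" step in practice. The following is an added example, not code from the original page or from any cloud provider: a small offline evaluator for an S3-style bucket snapshot shaped like the responses of the real S3 APIs (get-bucket-encryption, get-public-access-block, get-bucket-logging, get-bucket-policy). The two snapshots are constructed sample data; the bucket name, log bucket and KMS key ARN are placeholders, and the account ID is AWS's documented example value.

```python
"""Offline HIPAA checklist evaluator for an S3-style bucket configuration.

Added example (not from the original page or from AWS). A real deployment
would fill the snapshot from the S3 API; here the snapshots are constructed
so the checks run without any cloud access.
"""
import json

PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)
ACCEPTED_SSE = ("AES256", "aws:kms")  # SSE-S3 or SSE-KMS; both encrypt at rest with AES-256


def _public_allow_statements(policy_json):
    """Return the Sids of Allow statements whose Principal is '*' (anyone).

    A Deny with Principal '*' (e.g. denying non-TLS requests) is not public
    access, so only Effect == Allow is reported.
    """
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if stmt.get("Effect") == "Allow" and wildcard:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit_bucket(snapshot):
    """Evaluate one bucket snapshot against the checklist.

    Returns a list of finding strings; an empty list means every check passed.
    """
    findings = []

    # Encryption at rest: every default-encryption rule must name an accepted algorithm.
    rules = snapshot.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not algos or any(a not in ACCEPTED_SSE for a in algos):
        findings.append("encryption: no default server-side encryption rule")

    # No public buckets: all four public-access-block flags must be on.
    pab = snapshot.get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public-access: {flag} is not enabled")

    # Least privilege: the bucket policy must not grant anything to everyone.
    for sid in _public_allow_statements(snapshot.get("Policy")):
        findings.append(f"policy: statement {sid} allows Principal '*'")

    # Audit logging: server access logging must be switched on.
    if "LoggingEnabled" not in snapshot:
        findings.append("logging: server access logging disabled")

    return findings


# Constructed sample: a misconfigured bucket (placeholder names, not a real bucket).
WEAK_SNAPSHOT = {
    "ServerSideEncryptionConfiguration": {"Rules": []},
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*",
        }],
    }),
}

# Constructed sample: the same bucket after hardening. The Deny statement
# rejects any request that is not over TLS and must not be flagged as public.
HARDENED_SNAPSHOT = {
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    }]},
    "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket", "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
    "LoggingEnabled": {"TargetBucket": "example-audit-logs", "TargetPrefix": "phi-bucket/"},
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(name, audit_bucket(snap) or ["all checks passed"])
```

The evaluator only inspects the bucket-level settings named in the checklist; CloudTrail data events, log retention and region placement live outside the bucket configuration and would need separate checks.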
Limitations
- Cloud storage compliance is a shared responsibility — the provider secures infrastructure, you secure configuration and access.
- Customer-managed encryption keys add complexity and require your own key management processes.
- Data residency guarantees vary by provider and may not cover all processing (e.g., CDN, caching layers).
- Third-party applications accessing cloud storage must have their own BAAs and compliance measures.
- Cost can escalate with HIPAA-required features like audit logging, encryption key management, and extended retention.
Frequently Asked Questions
What is the best HIPAA-compliant cloud storage?
AWS S3, Azure Blob Storage, and Google Cloud Storage are the top HIPAA-compliant cloud storage options for organizations that need infrastructure control. Box is excellent for file sharing and collaboration use cases.
Is AWS S3 HIPAA compliant?
Yes. AWS S3 is a HIPAA-eligible service. You must sign a BAA through AWS Artifact, enable encryption, configure IAM policies, and enable CloudTrail logging.
Can I store patient records in the cloud?
Yes, you can store patient records in HIPAA-compliant cloud storage with a signed BAA, encryption at rest and in transit, access controls, and audit logging properly configured.
Is Google Drive HIPAA compliant?
Google Drive via Google Workspace is covered under the Google BAA. You must accept the BAA in the Workspace Admin Console and configure sharing, access, and retention settings appropriately.
What encryption is required for HIPAA cloud storage?
HIPAA requires that PHI be encrypted at rest and in transit. AES-256 encryption at rest and TLS 1.2+ in transit are the industry standards that satisfy these requirements.
Is Dropbox HIPAA compliant?
Dropbox can be HIPAA compliant on Business Advanced and Enterprise plans with a signed BAA. The free, Plus, and standard Business plans do not qualify.
What is the shared responsibility model for HIPAA cloud storage?
The cloud provider secures the infrastructure (physical security, network, hypervisor). You are responsible for configuring access controls, encryption settings, audit logging, and ensuring proper use of the service.
Generate HIPAA policies for your stack
PoliWriter creates all the HIPAA policies you need, customized to tools like HIPAA-Compliant Cloud Storage and your specific configuration. AI-powered, audit-ready, hours not months.