may earn a small commission from some purchases made through our site. However, any earnings do not affect how we review services. Learn more about our editorial integrity and research process.

The Best HIPAA Compliant Cloud Storage

The Best HIPAA-Compliant Cloud Storage in 2024: Storing Medical Data

HIPAA compliance is a must for healthcare providers operating in the United States, and storing patient data in the cloud requires special considerations. That’s why you need to make sure you’re using the best HIPAA-compliant cloud storage available. Keep reading for our full list, as well as tips on what to look for in a cloud storage service.

Aleksandar KochovskiAleksander Hougen

Written by Aleksandar Kochovski (Editor)

Reviewed by Aleksander Hougen (Managing Editor)

Last Updated: 2024-02-12T11:20:00+00:00

All our content is written fully by humans; we do not publish AI writing. Learn more here.

Healthcare workers spend a lot of time handling sensitive patient data. However, storing that data locally on physical computers isn’t always the smartest choice, especially with the onslaught of ransomware attacks that can cripple a healthcare institution. If you’re a healthcare professional, backing up your organization’s data to a HIPAA-compliant cloud storage service is a must.

HIPAA (or the Health Insurance Portability and Accountability Act of 1996) is a law that regulates how healthcare organizations handle their patients’ data, ensuring doctor-patient confidentiality. However, cloud services very rarely offer the level of security and privacy needed to keep such sensitive data safe.

Key Takeaways:

  • The increased use of cloud computing in healthcare means there is a rising need for HIPAA-compliant cloud storage services, but finding the right one can be tricky.
  • is the best HIPAA-compliant cloud service, offering a triple threat of zero-knowledge encryption, access control and a low price point.
  • Google Drive, OneDrive and Dropbox all technically offer HIPAA compliance, though their history of mishandling user data means you’d be wise to stay away from them.

In this article, we’ll list several HIPAA-compliant cloud storage services and explain what it takes to comply with HIPAA. Our top pick is the ultra-secure for Teams, which offers zero-knowledge encryption and advanced user management features. We’ll also shed light on a few cloud services to avoid, so be sure to stick around.

  • 06/25/2022

    Updated’s Teams pricing.

  • 07/30/2022

    Updated to reflect an increase in IDrive’s free plan to 10GB of storage.

  • Updated IDrive’s pricing information.

The Top VPNs for HIPAA

  1. 1
    • :
    • : Unlimited GB
    • :
    • :
    • :
    • :
    1TB - Unlimited GB$6 / month(All Plans) 30-days money-back guarantee
  2. 2
    • :
    • : 100 GB
    • :
    • :
    • :
    • :
    1TB - 1TB$10 / month(All Plans)
  3. 3
    • :
    • : 150 GB
    • :
    • :
    • :
    • :
    100GB - Unlimited GB$5 / month(save 28%)(All Plans)
  4. 4
      100GB - 5TB$2.95 / month(All Plans)
    • 5
        Unlimited GB$7.88 / month(save 12%)(All Plans)

      What Makes the Best HIPAA-Compliant Cloud Storage

      HIPAA compliance requires quite a few technical safeguards against data breaches. While we usually hold encryption to be the number-one deciding cloud security factor, there are so many other things to look out for when determining HIPAA compliance, like data access management and implementing the correct policies and procedures. Here are the five best HIPAA cloud storage services.

      1. for Teams — Secure and affordable HIPAA-compliant cloud
      2. Box Business — Unlimited secure storage
      3. Egnyte Connect — Granular user management and data access controls
      4. IDrive for Business — Zero-knowledge online backup service with cloud storage functionality
      5. Backblaze — Fast and affordable cloud backup service

      What Is Protected Health Information (PHI)?

      The term “protected health information,” or PHI, refers to patient data that’s covered by HIPAA. This could include your medical history or prescriptions, as well as personally identifying data, like your ethnicity, gender and birthday.

      A HIPAA-covered entity must make sure that this data isn’t disclosed to anyone other than the patient, except for when it needs to be disclosed to provide patient care. In electronic form, this data is referred to as “electronic protected health information,” or ePHI.

      HIPAA-covered entities and business associates must follow strict rules regarding the handling of this data. A storage service must provide encryption and protection for PHI while it’s in transit, as well as when it’s on its servers (known as end-to-end encryption). It must also provide strict control and overview of who can access it and provide detailed logs of access attempts.

      What Is a Business Associate Agreement (BAA)?

      No matter what its marketing team states, a cloud storage service can’t just call itself HIPAA compliant. HIPAA compliance relies on the proper implementation of the cloud service by its user, but the cloud service must provide the means to do so.

      Among the various HIPAA rules is a provision that states that anyone handling patient information and medical data must be a business associate of the healthcare organization. To that end, the cloud operator and the healthcare organization must sign a business associate agreement (or BAA) that regulates their relationship.

      The 5 Best HIPAA Cloud Storage Services

      These five services provide the best provisions for HIPAA compliance, allowing you to fully embrace every HIPAA rule. Let’s dive into our number-one choice: for Teams.

      1. for Teams website interface for Teams is the best HIPAA-compliant cloud storage service.

      More details about for Teams:

      • Pricing: $6 per user per month for 1TB storage
      • Provider website:


      • Zero-knowledge encryption
      • Administrator controls
      • Offers BAAs


      • Slow speeds is our favorite cloud storage service overall, and its business version — for Teams — tops this list too. We’ve long touted its outstanding security, driven by zero-knowledge encryption. It’s based in Canada, which means that it’s beholden to PIPEDA, a Canadian law protecting data privacy that includes health information.

      The service offers control over user permissions, which lets you control who is able to see PHI. It also gives administrators oversight over user activity, including activity logs.

      To add to all of this, offers some of the best deals in cloud storage, and even offers plans with unlimited cloud storage. You can read our full for Teams review for more details or sign up for its 5GB free plan.

      • Price per user. Users: 2+
      • 1TB
      • Price per user. Users: 2+
      • Unlimited GB
      • Users: 2+
      • Unlimited GB

      2. Box Business

      best cloud storage for teams box
      Box Business offers a few useful features for HIPAA compliance, but client-side encryption is a separate purchase.

      More details about Box Business:

      • Pricing: 14-day free trial; $20 per user per month for unlimited storage
      • Provider website:


      • Client-side encryption
      • Two-factor authentication for collaborators
      • Unlimited storage


      • Client-side encryption is a paid add-on
      • Could be cheaper

      Coming in at number two is Box Business. This excellent business cloud service provider is another juggernaut in the enterprise cloud storage sphere and, like the other services on this list, is very secure. Unfortunately, client-side encryption requires an additional purchase, and you can’t even get it on the cheapest plan.

      That said, Box is HIPAA compliant and offers advanced user control and activity oversight. Its privacy policy states that it collects quite a large amount of data from its users, but fortunately, it’s nothing that could compromise the privacy of patients’ healthcare data. It also has two-factor authentication for people outside the organization.

      Box Business isn’t cheap, though all of its plans come with unlimited storage to make up for it. Despite the price, it’s still a solid service, deserving of the third spot. Check out our Box Business review or sign up for a 14-day free trial.

      • Single user
      • 10GB
      Business Starter
      • Price per user, minimum of three users
      • 100GB
      More plans
      Business Plus
      • Users: No limit
      • Unlimited GB
      • Users: No limit
      • Unlimited GB

      3. Egnyte Connect

      egnyte user management
      Egnyte Connect is a secure, high-end business cloud storage, with a matching price point.

      More details about Egnyte Connect:

      • Pricing: 15-day free trial; $20 per user per month for 1TB storage
      • Provider website:


      • Zero-knowledge
      • Very deep access controls


      • Client-side encryption only on most expensive plan
      • Pricey

      The third place on this list goes to Egnyte Connect. It’s a stellar business cloud storage solution, and it offers excellent security too. Egnyte Connect has user-management features galore, and it even has intelligent data lifecycle management features.

      All of Egnyte’s plans are HIPAA compliant, although only its Enterprise plan carries zero-knowledge encryption. Still, that doesn’t mean Egnyte isn’t secure. In fact, it’s one of the most secure EFSS services we’ve tested. It also offers single sign-on (SSO) to make user management easier.

      Egnyte isn’t the cheapest, with its 1TB plan being more than twice as expensive as’s. Because of this and the lack of client-side encryption on cheaper plans, Egnyte only manages to hit second place on this list. Read our full Egnyte review for more, or take advantage of its 15-day free trial.

      • Price per user; Secure collaboration; Privilege management; Ransomware protection
      • 1TB
      Enterprise Lite
      • Everything in Business; 3rd-party source support; Content lifecycle management; Threat detection
      • 1TB
      • Everything in Enterprise Lite; Privacy & compliance; Advanced ransomware protection & recovery; Content safeguards
      • 1TB

      4. IDrive for Business

      IDrive desktop app backup tab
      IDrive for Business is a service that blends online backup and cloud storage feature.

      More details about IDrive:

      • Pricing: 10GB free; $69.65 per year for 5TB, 5 users and 5 devices
      • Provider website:


      • Zero-knowledge
      • Inexpensive


      • Cloud storage isn’t its primary purpose

      IDrive for Business isn’t a cloud storage service per se, focusing on online backup instead. It comes with cloud storage and sync capabilities, and it can be used in a HIPAA-compliant manner, offering a BAA for interested parties.

      When it comes to backup, IDrive offers a ton of functionality, and it also offers user and access management features for the purposes of HIPAA. When it comes to PHI privacy, we have no complaints, as it comes with zero-knowledge encryption out of the box.

      In terms of pricing, IDrive is relatively cheap for the storage it offers, although still provides more value with its unlimited plan. If you need its backup capabilities, IDrive is a worthy service, but because cloud storage is its secondary function, we’ve relegated it to fourth place.

      • No credit card required.
      • 10GB
      • One user, multiple computers. Plans starting from 5TB up to 100TB. Big discount for first-time signup.
      • 5TB
      More plans
      • 5 computers, 5 users. Starting at 5TB up to 500TB. Big discount for first-time signup.
      • 5TB
      • Unlimited users, multiple computers and servers. NAS devices. 250GB storage. Starting at 250GB up to 50TB. Large discount for first-time signup.
      • 250GB

      5. Backblaze

      backblaze web interface
      Backblaze is a backup solution that makes it easy to comply with HIPAA rules.

      More details about Backblaze:

      • Pricing: 15-day free trial; $60 per license per year for unlimited storage
      • Provider website:


      • Very cheap
      • Unlimited storage


      • Flawed zero-knowledge encryption

      Backblaze is another cloud backup service, second only to IDrive in the backup world. Backblaze is HIPAA compliant and lets you sign a BAA. Unfortunately, it offers no cloud storage functionality, so it’s only good for backing up PHI.

      Backblaze offers zero-knowledge encryption, but its implementation is a little iffy. It essentially forces you to reveal your encryption key every time you want to restore data, which isn’t ideal. The company claims that it deletes the key immediately after decryption, and we’ll give it the benefit of the doubt here.

      Backblaze offers relatively affordable unlimited storage and charges you on a per-device basis. You can read our full Backblaze review for all the details, or start a 15-day free trial.

      Other Services That Offer a Business Associate Agreement 

      Although some cloud services can be used in compliance with HIPAA and let you sign a BAA with them, we still do not recommend using them if they don’t offer zero-knowledge encryption. 

      Zero-knowledge encryption (or client-side encryption) means that your organization is the only one with access to its encryption keys.

      If a service is able to decrypt your files, then it can access them despite a signed BAA. This includes disclosing user data to law enforcement under a court subpoena, which can include your patients’ PHI. The following services let you sign a BAA, but don’t offer client-side encryption.

      1. Microsoft OneDrive

      microsoft onedrive features
      Microsoft OneDrive can be HIPAA-compliant, but doesn’t offer client-side encryption.

      OneDrive offers HIPAA compliance to businesses and lets you sign a BAA, but it’s not without its issues. It only recently adopted encryption for its cloud storage (an absolutely basic security feature), which is telling of Microsoft’s attitude toward privacy. Not only that, but the service is not zero-knowledge and Microsoft is known for harvesting user data, much like the next service on this list.

      2. Google Drive

      google drive web interface
      Google Drive is another HIPAA-compliant cloud service that doesn’t care too much about user privacy.

      Google’s cloud storage also offers HIPAA compliance via its Google Workspace suite, but has the same issue as OneDrive. Although Google Drive has always had encryption, it doesn’t offer client-side encryption and it scans every file you upload to it for viruses and copyrighted content. So, although it technically could be considered HIPAA compliant, we still wouldn’t recommend it for storing PHI.

      3. Dropbox Business

      dropbox web interface
      Dropbox has had several data breaches, which raises some red flags.

      Following the same pattern as the previous two (though to a lesser degree) is Dropbox Business. It’s willing to sign a BAA with healthcare providers, but doesn’t offer zero-knowledge encryption. Learn more in our ‘Is Dropbox HIPAA-compliant‘ guide.

      While it’s not in the marketing business like Microsoft and Google are, it’s been in hot water before for numerous data leaks, including one from 2018 where it willingly gave user data to a third party.

      Final Thoughts

      That’s it for our countdown of the best HIPAA-compliant cloud storage services. We hope you found it useful. came out on top, offering zero-knowledge encryption and unlimited storage at a bargain-bin price. 

      Do you agree with our list? What’s your favorite HIPAA-compliant cloud storage? Would you put your trust in a service that’s not zero knowledge? Let us know in the comments below. As always, thank you for reading.


      • A HIPAA-compliant cloud infrastructure refers to a cloud service that fulfils the requirements set up in HIPAA rules. This includes signing a business associate agreement (BAA), end-to-end data encryption and strict access control and oversight over every data access attempt.

      • Strictly speaking, it is, as it offers a BAA and can be used in a HIPAA-compliant manner. However, we wouldn’t trust Google to keep any sort of information private, let alone sensitive PHI.

      • Yes, Box is HIPAA-compliant and offers zero-knowledge encryption for all data on its more expensive plans.

      • Yes, Backblaze is one of the best HIPAA cloud backup services and lets you sign a BAA. There’s a snag with its implementation of zero-knowledge encryption, but we trust it to keep protected health information (PHI) encrypted and secure.

      ↑ Top