The Best HIPAA-Compliant Cloud Storage in 2021: Storing Medical Data

HIPAA compliance is a must for healthcare providers operating in the United States, and storing patient data in the cloud requires special considerations. That’s why you need to make sure you’re using the best HIPAA-compliant cloud storage available. Keep reading for our full list, as well as tips on what to look for in a cloud storage service.

By Aleksandar Kochovski (Editor)
— Last Updated: 2021-09-01T12:42:25+00:00

Healthcare workers spend a lot of time handling sensitive patient data. However, keeping that data only on local machines isn’t always the smartest choice, especially with the onslaught of ransomware attacks that can cripple a healthcare institution. If you’re a healthcare professional, keeping an off-site copy of your organization’s data in a HIPAA-compliant cloud storage service is a must.

HIPAA (or the Health Insurance Portability and Accountability Act of 1996) is a law that regulates how healthcare organizations handle their patients’ data, ensuring doctor-patient confidentiality. However, many cloud services don’t offer the level of security and privacy needed to keep such sensitive data safe.

Key Takeaways:

  • The increased use of cloud computing in healthcare means there is a rising need for HIPAA-compliant cloud storage services, but finding the right one can be tricky.
  • Sync.com is the best HIPAA-compliant cloud service, offering a triple threat of zero-knowledge encryption, access control and a low price point.
  • Google Drive, OneDrive and Dropbox all technically offer HIPAA compliance, though their history of mishandling user data means you’d be wise to stay away from them.

In this article, we’ll list several HIPAA-compliant cloud storage services and explain what it takes to comply with HIPAA. Our top pick is the ultra-secure Sync.com for Teams, which offers zero-knowledge encryption and advanced user management features. We’ll also shed light on a few cloud services to avoid, so be sure to stick around.

Frequently asked questions:

  • What is HIPAA-compliant cloud storage? A HIPAA-compliant cloud infrastructure is a cloud service that fulfils the requirements set out in the HIPAA rules. This includes signing a business associate agreement (BAA), encrypting data in transit and at rest, and providing strict access control and an audit trail of every data access attempt.

  • Is Google Drive HIPAA compliant? Strictly speaking, it is, as Google offers a BAA and Drive can be used in a HIPAA-compliant manner. However, we wouldn’t trust Google to keep any sort of information private, let alone sensitive PHI.

  • Is Box HIPAA compliant? Yes, Box is HIPAA compliant and offers zero-knowledge encryption for all data as a paid add-on on its more expensive plans.

  • Is Backblaze HIPAA compliant? Yes, Backblaze is one of the best HIPAA cloud backup services and lets you sign a BAA. There’s a snag with its implementation of zero-knowledge encryption, but we trust it to keep protected health information (PHI) encrypted and secure.


What Makes the Best HIPAA-Compliant Cloud Storage

HIPAA compliance requires quite a few technical safeguards against data breaches. While we usually hold encryption to be the number-one deciding cloud security factor, there are so many other things to look out for when determining HIPAA compliance, like data access management and implementing the correct policies and procedures. Here are the five best HIPAA cloud storage services.

  1. Sync.com for Teams — Secure and affordable HIPAA-compliant cloud
  2. Egnyte Connect — Granular user management and data access controls
  3. Box Business — Unlimited secure storage
  4. IDrive for Business — Zero-knowledge online backup service with cloud storage functionality
  5. Backblaze — Fast and affordable cloud backup service

What Is Protected Health Information (PHI)?

The term “protected health information,” or PHI, refers to patient data that’s covered by HIPAA. This could include your medical history or prescriptions, as well as personally identifying data, like your ethnicity, gender and birthday.

A HIPAA-covered entity must make sure that this data isn’t disclosed to anyone other than the patient, except where disclosure is permitted, such as to provide patient care. In electronic form, this data is referred to as “electronic protected health information,” or ePHI.

HIPAA-covered entities and business associates must follow strict rules regarding the handling of this data. A storage service must protect PHI with encryption both while it’s in transit and while it’s at rest on the provider’s servers. Note that this is not the same as end-to-end encryption: with ordinary at-rest encryption the provider holds the keys and can decrypt your files, whereas end-to-end (zero-knowledge) encryption keeps the keys with your organization. The service must also provide strict control over who can access the data and keep detailed logs of access attempts.

What Is a Business Associate Agreement (BAA)?

No matter what its marketing team says, a cloud storage service can’t simply declare itself HIPAA compliant. Compliance depends on how the covered entity configures and uses the service, but the service must provide the means to do so.

Among the HIPAA rules is a provision that any vendor that creates, receives, maintains or transmits PHI on behalf of a covered entity is a business associate of that organization. To that end, the cloud provider and the healthcare organization must sign a business associate agreement (BAA) that sets out each party’s responsibilities for safeguarding PHI.

The 5 Best HIPAA Cloud Storage Services

These five services provide the best provisions for HIPAA compliance, allowing you to fully embrace every HIPAA rule. Let’s dive into our number-one choice: Sync.com for Teams.

1. Sync.com for Teams

Sync.com for Teams is the best HIPAA-compliant cloud storage service.

More details about Sync.com for Teams:

  • Pricing: $5 per user per month for 1TB storage
  • Provider website: www.sync.com

Pros:

  • Zero-knowledge encryption
  • Administrator controls
  • Offers BAAs

Cons:

  • Slow speeds

Sync.com is our favorite cloud storage service overall, and its business version — Sync.com for Teams — tops this list too. We’ve long touted its outstanding security, driven by zero-knowledge encryption. It’s based in Canada, which means that it’s beholden to PIPEDA, a Canadian law protecting data privacy that includes health information.

The service offers control over user permissions, which lets you control who is able to see PHI. It also gives administrators oversight over user activity, including activity logs.

To add to all of this, Sync.com offers some of the best deals in cloud storage, and even offers plans with unlimited cloud storage. You can read our full Sync.com for Teams review for more details or sign up for its 5GB free plan.

Sync.com for Teams plans:

  • Standard: 1,000GB per user; priced per user, 2 or more users
  • Unlimited: unlimited storage; priced per user, 2 or more users
  • Enterprise: unlimited storage; 2 or more users

2. Egnyte Connect

Egnyte Connect is a secure, high-end business cloud storage, with a matching price point.

More details about Egnyte Connect:

  • Pricing: 30-day free trial; $20 per user per month for 1TB storage
  • Provider website: www.egnyte.com

Pros:

  • Zero-knowledge
  • Very deep access controls

Cons:

  • Client-side encryption only on most expensive plan
  • Pricey

The second place on this list goes to Egnyte Connect. It’s a stellar business cloud storage solution, and it offers excellent security too. Egnyte Connect has user-management features galore, and it even has intelligent data lifecycle management features.

All of Egnyte’s plans are HIPAA compliant, although only its Enterprise plan carries zero-knowledge encryption. Still, that doesn’t mean Egnyte isn’t secure. In fact, it’s one of the most secure enterprise file sync and share (EFSS) services we’ve tested. It also offers single sign-on (SSO) to make user management easier.

Egnyte isn’t the cheapest, with its 1TB plan being twice as expensive as Sync.com’s. Because of this and the lack of client-side encryption on cheaper plans, Egnyte only manages to hit second place on this list. Read our full Egnyte review for more, or take advantage of its 30-day free trial.

Egnyte Connect plans:

  • Team: 1 to 10 users, priced per user; 1TB of online storage (quota listed as 5,000GB)
  • Business: 10 to 100 users, priced per user; 1TB plus 10GB per employee (quota listed as 10,000GB)
  • Enterprise: 50 or more users; 50GB per employee (quota listed as 1,000GB)

3. Box Business

Box Business offers a few useful features for HIPAA compliance, but client-side encryption is a separate purchase.

More details about Box Business:

  • Pricing: 14-day free trial; $25 per user per month for unlimited storage
  • Provider website: www.box.com

Pros:

  • Client-side encryption
  • Two-factor authentication for collaborators
  • Unlimited storage

Cons:

  • Client-side encryption is a paid add-on
  • Could be cheaper

Coming in at number three is Box Business. This excellent business cloud service provider is another juggernaut in the enterprise cloud storage sphere and, like the other services on this list, is very secure. Unfortunately, client-side encryption requires an additional purchase, and you can’t even get it on the cheapest plan.

That said, Box is HIPAA compliant and offers advanced user control and activity oversight. Its privacy policy states that it collects quite a large amount of data from its users, but fortunately, it’s nothing that could compromise the privacy of patients’ healthcare data. It also has two-factor authentication for people outside the organization.

Box Business isn’t cheap, though all of its plans come with unlimited storage to make up for it. Despite the price, it’s still a solid service, deserving of the third spot. Check out our Box Business review or sign up for a 14-day free trial.

4. IDrive for Business

IDrive for Business is a service that blends online backup and cloud storage features.

More details about IDrive:

  • Pricing: 5GB free; $99.50 per year for 5TB, 5 users and 5 devices
  • Provider website: www.idrive.com

Pros:

  • Zero-knowledge
  • Inexpensive

Cons:

  • Cloud storage isn’t its primary purpose

IDrive for Business isn’t a cloud storage service per se, focusing on online backup instead. It comes with cloud storage and sync capabilities, and it can be used in a HIPAA-compliant manner, offering a BAA for interested parties.

When it comes to backup, IDrive offers a ton of functionality, and it also offers user and access management features for the purposes of HIPAA. When it comes to PHI privacy, we have no complaints, as it comes with zero-knowledge encryption out of the box.

In terms of pricing, IDrive is relatively cheap for the storage it offers, although Sync.com still provides more value with its unlimited plan. If you need its backup capabilities, IDrive is a worthy service, but because cloud storage is its secondary function, we’ve relegated it to fourth place. Read our review of IDrive for Business for more details, or sign up for a 5GB free plan.

IDrive for Business plans (first year discounted on every plan):

  • 250GB plan: 250GB
  • 500GB plan: 500GB
  • 1.25TB plan: 1,250GB
  • 2.5TB plan: 2,500GB
  • 5TB plan: 5,000GB
  • 12.5TB plan: 12,500GB

5. Backblaze

Backblaze is a backup solution that makes it easy to comply with HIPAA rules.

More details about Backblaze:

  • Pricing: 15-day free trial; $60 per license per year for unlimited storage
  • Provider website: www.backblaze.com

Pros:

  • Very cheap
  • Unlimited storage

Cons:

  • Flawed zero-knowledge encryption

Backblaze is another cloud backup service, second only to IDrive in the backup world. Backblaze is HIPAA compliant and lets you sign a BAA, and it also offers all the necessary access controls. Unfortunately, it offers no cloud storage functionality, so it’s only good for backing up PHI.

Backblaze offers zero-knowledge encryption, but its implementation is a little iffy. To restore data, you have to hand your private encryption key to Backblaze so its servers can decrypt the backup for you, which isn’t ideal: for that window, the provider holds both the data and the key. The company says it deletes the key immediately after decryption, and we’ll give it the benefit of the doubt here.

Backblaze offers relatively affordable unlimited storage and charges you on a per-device basis. You can read our full Backblaze review for all the details, or start a 15-day free trial.

Other Services That Offer a Business Associate Agreement 

Although some cloud services can be used in compliance with HIPAA and let you sign a BAA with them, we still do not recommend using them if they don’t offer zero-knowledge encryption. 

Zero-knowledge encryption (or client-side encryption) means that your files are encrypted on your own devices and your organization is the only one with access to the encryption keys; the provider stores only ciphertext.

If a service holds the keys and can decrypt your files, then it can access them regardless of any signed BAA. That includes disclosing user data, which may include your patients’ PHI, to law enforcement under a court subpoena. The following services let you sign a BAA, but don’t offer client-side encryption.
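As an added example (not code from this page or from any of the providers reviewed here), the following Go program shows what the zero-knowledge property above amounts to in practice, and what the "encryption in transit and at rest" requirement from the PHI section does not give you on its own: the file is encrypted with AES-256-GCM on the client before it is uploaded, so whoever holds the stored bytes (the provider, or a party serving it with a subpoena) learns only ciphertext, and any modification or substitution of the stored object is rejected on restore. The key-generation step, object name and sample record are assumptions constructed for the example; a real deployment would keep the key in the organization's own key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for a PHI file (not real patient data).
const samplePHI = "patient_id=000001;dob=1970-01-01;rx=example"

// Envelope layout produced by SealPHI: 12-byte nonce || AES-256-GCM ciphertext || 16-byte tag.
// The object name is bound as associated data, so a stored ciphertext cannot be
// renamed or swapped for another patient's object without failing authentication.

// NewDataKey returns a fresh 256-bit key. It is generated on the client and is
// held only by the covered entity (assumed to live in its own key store); the
// storage provider never receives it.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealPHI encrypts plaintext under key before it leaves the client. The
// provider stores only the returned bytes and cannot decrypt them.
func SealPHI(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, yielding nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenPHI reverses SealPHI. It returns an error (and no partial plaintext) if the
// key is wrong, the bytes were modified at rest, or the object was renamed.
func OpenPHI(key, envelope []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// ProviderCanRead models what the storage provider (or anyone who obtains the
// stored object from it) sees: the bytes at rest, but not the key. It reports
// whether the plaintext appears in the clear in what was stored.
func ProviderCanRead(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	env, err := SealPHI(key, []byte(samplePHI), "patients/000001.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider sees plaintext: %v\n", ProviderCanRead(env, []byte(samplePHI)))

	// A bit flip in storage (or a swapped object) is detected rather than silently decrypted.
	tampered := append([]byte(nil), env...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenPHI(key, tampered, "patients/000001.txt")
	fmt.Printf("tampered object rejected: %v\n", err != nil)

	pt, err := OpenPHI(key, env, "patients/000001.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(pt) == samplePHI)
}
```

This is the property that Sync.com and IDrive provide natively. With Backblaze the restore path hands the key to the provider, and with OneDrive, Google Drive and Dropbox the provider holds the keys throughout, which is why a signed BAA alone does not stop the provider from reading PHI. Wrapping uploads this way yourself is one way to keep ciphertext-only PHI on such a service, at the cost of losing server-side search, preview and sharing, and it does not replace the access controls and logging HIPAA also requires.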

1. Microsoft OneDrive

Microsoft OneDrive can be HIPAA-compliant, but doesn’t offer client-side encryption.

OneDrive offers HIPAA compliance to businesses and lets you sign a BAA, but it’s not without its issues. It only recently adopted encryption for its cloud storage (an absolutely basic security feature), which is telling of Microsoft’s attitude toward privacy. Not only that, but the service is not zero-knowledge and Microsoft is known for harvesting user data, much like the next service on this list.

2. Google Drive

Google Drive is another HIPAA-compliant cloud service that doesn’t care too much about user privacy.

Google’s cloud storage also offers HIPAA compliance via its Google Workspace suite, but has the same issue as OneDrive. Although Google Drive has always had encryption, it doesn’t offer client-side encryption and it scans every file you upload to it for viruses and copyrighted content. So, although it technically could be considered HIPAA compliant, we still wouldn’t recommend it for storing PHI.

3. Dropbox Business

Dropbox has had several data breaches, which raises some red flags.

Following the same pattern as the previous two (though to a lesser degree) is Dropbox Business. It’s willing to sign a BAA with healthcare providers, but doesn’t offer zero-knowledge encryption. While it’s not in the advertising business like Microsoft and Google are, it has been in hot water before over several data leaks, including an incident from 2018 in which it willingly gave user data to a third party.

Final Thoughts

That’s it for our countdown of the best HIPAA-compliant cloud storage services. We hope you found it useful. Sync.com came out on top, offering zero-knowledge encryption and unlimited storage at a bargain-bin price. 

Do you agree with our list? What’s your favorite HIPAA-compliant cloud storage? Would you put your trust in a service that’s not zero knowledge? Let us know in the comments below. As always, thank you for reading.