A small dermatology practice in New England thought they were covered. They'd signed up for a popular cloud storage service, uploaded thousands of patient records, and moved on. No Business Associate Agreement. No encryption verification. No access controls beyond a shared password on a sticky note. When a former employee accessed those files six months after being terminated, over 9,000 patients had their PHI exposed — and OCR came knocking.

I've seen this exact scenario play out more times than I can count. Organizations assume that using HIPAA compliant online storage is as simple as picking a big-name vendor and dragging files into a folder. It's not. Not even close.

This post breaks down what actually makes online storage HIPAA compliant, where most organizations fail, and the specific steps you need to take before your next file upload.

What Makes Online Storage HIPAA Compliant?

Let's cut to it. No cloud storage product is "HIPAA compliant" out of the box. Compliance is not a product feature — it's an implementation outcome. A vendor can offer tools that enable compliance, but your organization has to configure and use those tools correctly.

Here's what actually has to be in place:

  • A signed Business Associate Agreement (BAA). If your storage vendor can access, store, or transmit ePHI on your behalf, they are a business associate under HIPAA. No BAA, no compliance. Period. HHS makes this explicitly clear in the Business Associate guidance on HHS.gov.
  • Encryption at rest and in transit. The HIPAA Security Rule requires covered entities and business associates to implement encryption mechanisms that protect ePHI. AES-256 encryption at rest and TLS 1.2+ in transit are the current benchmarks.
  • Access controls and audit logs. Every person who touches ePHI in your storage environment needs a unique login. You need role-based access. You need automatic logoff. And you need audit trails that show who accessed what and when.
  • A documented risk assessment. OCR does not care what vendor you chose if you cannot produce a risk assessment that evaluated that vendor's security posture. It's the single most-cited deficiency in enforcement actions.
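As an added example (not code from the original post, and not tied to any vendor's real log format or API), here is a small Python review script that applies the access-control and audit-trail points above to a storage audit log: it flags shared logins, accounts that are missing from the workforce roster, access after a termination date (the scenario that opened this post), and access to a folder outside what the user's role permits. The roster, the folder-to-role map and the log lines are constructed sample data; a real run would feed in the vendor's exported audit log and the roster from HR or your identity provider.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed workforce roster (hypothetical data): login -> (role, termination timestamp or None).
# In practice this comes from HR or the identity provider, not from the storage platform.
ROSTER: Dict[str, Tuple[str, Optional[str]]] = {
    "jsmith": ("clinician", None),
    "mlee": ("billing", None),
    "rdoe": ("clinician", "2024-01-15T00:00:00Z"),  # terminated; the login should have been disabled
    "frontdesk": ("shared", None),                    # a shared login, which unique user identification forbids
}

# Minimum-necessary map (hypothetical): which roles may open each top-level folder.
FOLDER_ROLES: Dict[str, Set[str]] = {
    "patient-records/": {"clinician"},
    "billing/": {"billing"},
    "forms/": {"clinician", "billing"},
}

# Constructed audit log in a generic CSV shape; real vendors export their own formats.
SAMPLE_LOG = """timestamp,user,action,path
2024-07-01T09:02:11Z,jsmith,download,patient-records/2024/visit-1041.pdf
2024-07-01T09:05:40Z,mlee,view,billing/2024-06/claims.xlsx
2024-07-01T09:07:02Z,mlee,download,patient-records/2024/visit-1042.pdf
2024-07-01T23:41:19Z,rdoe,download,patient-records/2023/visit-0877.pdf
2024-07-02T08:15:00Z,frontdesk,view,forms/intake.pdf
2024-07-02T08:20:33Z,unknown42,view,forms/intake.pdf
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    path: str
    reason: str


def _parse_ts(value: str) -> datetime:
    # Audit logs are usually UTC with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _top_folder(path: str) -> str:
    return path.split("/", 1)[0] + "/"


def review_log(log_text: str, roster=ROSTER, folder_roles=FOLDER_ROLES) -> List[Finding]:
    """Return one Finding per log row that violates an access-control expectation."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user, path = row["timestamp"], row["user"], row["path"]
        entry = roster.get(user)
        if entry is None:
            findings.append(Finding(ts, user, path, "account not in workforce roster"))
            continue
        role, terminated_at = entry
        if role == "shared":
            findings.append(Finding(ts, user, path, "shared login; each user needs a unique ID"))
            continue
        if terminated_at and _parse_ts(ts) >= _parse_ts(terminated_at):
            findings.append(Finding(ts, user, path, f"access after termination on {terminated_at[:10]}"))
            continue
        folder = _top_folder(path)
        allowed = folder_roles.get(folder)
        if allowed is None:
            findings.append(Finding(ts, user, path, f"no role mapping defined for {folder}"))
        elif role not in allowed:
            findings.append(Finding(ts, user, path, f"role '{role}' not permitted in {folder}"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<10} {f.path}: {f.reason}")
```

On the sample log the script reports four findings: the billing user opening a patient record, the terminated account downloading a file months after termination, the shared front-desk login, and an account nobody can account for. A folder with no role mapping is reported as well, since silently allowing it would defeat the minimum-necessary check. Running a review like this on a schedule is what "audit logs are reviewed regularly" looks like in practice.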

The BAA Gap That Costs Organizations Millions

In my experience, the number one failure point is the Business Associate Agreement — or rather, the absence of one. Organizations upload PHI to cloud storage platforms without ever executing a BAA. Sometimes they don't even know they need one.

OCR doesn't treat this as a technicality. In 2018, Fresenius Medical Care North America paid $3.5 million to settle multiple HIPAA violations, including failures related to ePHI stored on devices and systems without proper safeguards. The lesson: storing ePHI anywhere — cloud, local, or hybrid — without the right agreements and controls is a liability.

If your vendor refuses to sign a BAA, you cannot use that service for PHI. Full stop. Walk away.

Encryption Isn't Optional — It's Your Best Defense

Here's what happens when encryption is missing: a breach that might have been a non-reportable security incident becomes a full-blown notification event. Under the Breach Notification Rule, if ePHI is encrypted consistent with NIST standards, an unauthorized access may not constitute a reportable breach. That's a massive difference.

Your HIPAA compliant online storage setup must encrypt data both at rest (sitting on the server) and in transit (moving between your device and the cloud). Most reputable vendors offer this. But "offer" and "enabled by default" are two different things.

I've audited organizations where encryption was available on their storage platform but had never been turned on. That's not the vendor's fault — that's a configuration failure on the covered entity's side.

What Encryption Standards Should You Look For?

NIST Special Publication 800-111 covers storage encryption. For data in transit, look for TLS 1.2 or higher. AES-256 is the gold standard for data at rest. If your vendor can't tell you exactly what encryption standards they use, that's a red flag.

Remote Workers Make Cloud Storage Riskier

The shift to remote and hybrid work has made HIPAA compliant online storage more critical — and more complicated. Your workforce is now accessing ePHI from home networks, personal devices, and coffee shop Wi-Fi.

Every one of those access points is a potential breach vector.

If your staff accesses cloud-stored PHI from a personal laptop without endpoint protection, your BAA and server-side encryption won't save you. The Security Rule requires you to safeguard ePHI across its entire lifecycle, including at the endpoint.

This is exactly why I recommend organizations invest in targeted workforce education. Our HIPAA training for remote healthcare workers covers the specific risks that come with accessing ePHI outside a controlled office environment. And for deeper guidance on home-based access, our Working from Home & PHI course walks through practical safeguards your team can implement immediately.

Mobile Devices: The Blind Spot in Your Storage Security

Here's one that catches organizations off guard: staff syncing cloud storage folders to their personal phones. That ePHI is now sitting on an unmanaged, unencrypted mobile device. If that phone is lost or stolen, you have a breach.

Your policies need to address mobile device management explicitly. Disable automatic syncing of PHI folders to unauthorized devices. Require passcodes, remote wipe capabilities, and app-level encryption on any mobile device that touches ePHI.

Our Mobile Devices & PHI training module gives your workforce the specific knowledge they need to handle ePHI on phones and tablets without creating risk.

How to Evaluate a Cloud Storage Vendor for HIPAA

When I help organizations choose a storage vendor, I walk through a specific checklist. Here's the condensed version:

  • Will they sign a BAA? If not, they're disqualified.
  • Do they provide encryption at rest and in transit? Get it in writing.
  • Do they support role-based access controls? You need to restrict access by role, not just by login.
  • Do they offer audit logging? You must be able to track access to ePHI.
  • Where are their data centers? Offshore storage may create additional regulatory complexity.
  • What's their breach notification process? Your BAA should spell out how quickly they notify you of a security incident.
  • Have they completed a SOC 2 Type II audit? This isn't a HIPAA requirement, but it demonstrates mature security practices.

Document every answer. This documentation becomes part of your risk assessment and proves due diligence if OCR investigates.

What Happens If Your Online Storage Isn't Compliant?

OCR's enforcement actions make the consequences clear. Penalties for HIPAA violations range from $137 per violation up to nearly $2.2 million per violation category per year, based on the penalty tiers defined in 42 U.S.C. § 1320d-5. And those are just civil penalties — state attorneys general can pile on, and criminal referrals happen in egregious cases.

Beyond fines, there's the corrective action plan. OCR can mandate years of monitoring, require you to overhaul your entire security infrastructure, and demand regular compliance reports. The operational disruption alone can cripple a small practice.

Can You Use Google Drive or Dropbox for PHI?

This is the question I get asked most. The answer: it depends entirely on your configuration and agreement. Some major vendors — including Google Workspace and Dropbox Business — will sign BAAs for their enterprise tiers. But signing the BAA is just step one. You still need to configure the platform correctly, train your workforce, restrict sharing settings, enable encryption, and conduct a risk assessment that includes the platform.

Consumer-grade versions of these products — the ones you sign up for with a personal email — are never appropriate for PHI. No BAA is available, and the security controls are insufficient.

Your Compliance Checklist for Cloud Storage

Before you store a single byte of ePHI in the cloud, confirm the following:

  • BAA is executed and stored with your compliance documentation.
  • Encryption is verified at rest and in transit.
  • Unique user credentials are assigned to every workforce member.
  • Access is restricted based on role and the minimum necessary standard.
  • Audit logs are enabled and reviewed regularly.
  • Mobile device sync policies are defined and enforced.
  • Your risk assessment includes the cloud storage environment.
  • Workforce training covers cloud storage use and ePHI handling.

Skip any one of these, and your "compliant" storage isn't actually compliant.

Storage Is a Tool — Compliance Is a Process

No vendor can hand you HIPAA compliance in a subscription plan. HIPAA compliant online storage requires your organization to do the work: sign the agreements, configure the settings, train your people, and document everything. The technology enables it. You enforce it.

If your staff doesn't understand how to handle ePHI in a cloud environment, the best encryption in the world won't protect you from a workforce-caused breach. Start with the right training, build the right policies, and choose the right vendors — in that order.

Explore our full HIPAA training catalog to find the courses your workforce needs right now.