Cloud storage for protected health information (PHI) is governed by 45 CFR § 164.312 — the Technical Safeguards standard of the HIPAA Security Rule — which requires covered entities and business associates to implement access controls, audit controls, integrity mechanisms, authentication procedures, and transmission security for all systems containing electronic PHI (ePHI).
A cloud service provider (CSP) becomes a business associate the moment it creates, receives, maintains, or transmits ePHI on behalf of a covered entity or another business associate, even if the data is encrypted and the CSP holds no key and cannot read it (HHS Guidance on HIPAA and Cloud Computing, October 2016). A Business Associate Agreement (BAA) under 45 CFR § 164.504(e) is therefore mandatory before any ePHI is placed in any cloud environment; the CSP's inability to decrypt the data does not remove the requirement. Storing ePHI in a standard consumer account, however strongly encrypted, without an executed BAA is a HIPAA violation.
Side-by-Side Comparison
| Feature / Criterion | AWS | Microsoft Azure | Google Cloud | Box | Dropbox Business |
|---|---|---|---|---|---|
| BAA Available | ✓ Yes | ✓ Yes | ✓ Yes | Business/Enterprise plans only | Business Plus/Advanced plans only |
| Encryption at Rest | AES-256 (S3, EBS) | AES-256 (all services) | AES-256 | AES-256 | AES-256 |
| Encryption in Transit | TLS 1.2+ | TLS 1.2/1.3 | TLS 1.2/1.3 | TLS 1.2+, PFS | TLS 1.2+ |
| Audit Logging | AWS CloudTrail | Azure Monitor + Sentinel | Cloud Audit Logs | Box Admin Console | Team Activity Log |
| Access Control Model | IAM + SCPs | RBAC + Entra ID | IAM + VPC SC | RBAC + Shared Links Control | Team Folders + Permissions |
| HIPAA-Eligible Services | 170+ services | Broad coverage | Broad coverage | Core storage/collab | Core storage/collab |
| HITRUST CSF Certified | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | In progress |
| FedRAMP Authorized | High | High | High | Moderate | No |
| FHIR-Compliant Services | AWS HealthLake | Azure Health Data Services | Cloud Healthcare API | No native FHIR | No native FHIR |
| Customer-Managed Keys | ✓ AWS KMS | ✓ Azure Key Vault | ✓ Cloud KMS | Box KeySafe (addon) | Provider-managed only |
| Data Residency Controls | ✓ Region-level | ✓ Region + Sovereign | ✓ Region-level | US/EU zones | US/EU zones |
| Shared Responsibility Model | Customer config required | Customer config required | Customer config required | Lower config burden | Lower config burden |
| Best Fit for Healthcare | Enterprise / Dev teams | Enterprise / Health systems | Enterprise / Analytics | Mid-market / Collaboration | Small practices |
Provider Deep Dives
AWS offers the broadest HIPAA coverage of any cloud provider, with over 170 HIPAA-eligible services covered under its standard Business Associate Addendum (BAA). For healthcare organizations, the core HIPAA-eligible services include Amazon S3 (storage), Amazon RDS (relational database), AWS Lambda (serverless compute), Amazon ECS/EKS (containers), and AWS HealthLake (FHIR-native data store).
AWS CloudTrail supports the Audit Controls requirement of 45 CFR § 164.312(b) by recording API calls made to AWS services. Three caveats matter for ePHI. First, the 90-day event history is on by default, but durable logging requires a trail (ideally an organization trail) delivering to an S3 bucket; logs are tamper-evident only when log file integrity validation is enabled, and genuinely immutable only when the destination bucket uses S3 Object Lock (or the events are retained in CloudTrail Lake). Second, S3 object-level data events (GetObject, PutObject) are not recorded by a trail unless data events are enabled for the buckets holding PHI, so a default trail will not show who read a patient record. Third, AWS Config and AWS Security Hub are continuous configuration-monitoring services, not infrastructure-as-code; healthcare organizations should use their rules and standards to detect accounts or regions where trails, encryption, or public-access blocks are missing, and should still review the resulting logs on a schedule.
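The information system activity review that § 164.308(a)(1)(ii)(D) requires is only satisfied if someone (or something) actually examines the trail. The script below is an added example, written for this page rather than taken from AWS or from the page's author, of the kind of review a small team can run over delivered CloudTrail log files: it flags S3 exposure changes, tampering with the trail or its KMS key, root-account use, and console logins that succeeded without MFA. The field names (eventSource, eventName, userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are CloudTrail's own; the records are constructed samples in that format, and the rule sets and finding names are this example's choices, not an AWS product.

```python
import gzip
import json
from collections import Counter
from typing import Iterator

# S3 actions that change whether bucket or object data is exposed (access control, § 164.312(a)(1))
S3_EXPOSURE_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "PutObjectAcl",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
}
# Actions that weaken the audit trail itself or the KMS key protecting it (§ 164.312(b))
AUDIT_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "kms.amazonaws.com": {"ScheduleKeyDeletion", "DisableKey"},
}


def actor(record: dict) -> str:
    """Human-readable principal for a CloudTrail record."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or "unknown"


def review(records) -> list[dict]:
    """Apply the review rules to an iterable of CloudTrail records and return the findings."""
    findings = []
    for r in records:
        src = r.get("eventSource", "")
        name = r.get("eventName", "")
        base = {"time": r.get("eventTime"), "actor": actor(r), "event": name,
                "ip": r.get("sourceIPAddress")}
        if (r.get("userIdentity") or {}).get("type") == "Root":
            findings.append({**base, "rule": "root-account-used"})
        if src == "s3.amazonaws.com" and name in S3_EXPOSURE_EVENTS:
            bucket = (r.get("requestParameters") or {}).get("bucketName")
            findings.append({**base, "rule": "s3-exposure-change", "bucket": bucket})
        if name in AUDIT_TAMPER_EVENTS.get(src, ()):
            findings.append({**base, "rule": "audit-trail-tampering"})
        if src == "signin.amazonaws.com" and name == "ConsoleLogin":
            # CloudTrail records MFAUsed as "Yes"/"No" and the outcome as "Success"/"Failure"
            success = (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (r.get("additionalEventData") or {}).get("MFAUsed")
            if success and mfa != "Yes":
                findings.append({**base, "rule": "console-login-without-mfa"})
    return findings


def summarize(findings) -> Counter:
    """Count findings per rule, for the written record of the review."""
    return Counter(f["rule"] for f in findings)


def iter_log_file(path: str) -> Iterator[dict]:
    """Yield records from a CloudTrail log file as delivered to S3 (gzipped JSON with a top-level "Records" list)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        yield from json.load(fh).get("Records", [])


# Constructed sample records in CloudTrail's format; not real log data.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "phi-archive"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T12:10:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T12:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/phi-reader/app"},
     "requestParameters": {"bucketName": "phi-archive", "key": "2024/report.pdf"}},
    {"eventTime": "2024-05-01T12:20:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(finding)
    print(summarize(review(SAMPLE_RECORDS)))
```

On the sample, the benign GetObject by the application role and carol's MFA-backed login produce nothing; alice's ACL change, bob's password-only login, and the root StopLogging (which trips both the root and the tampering rule) produce four findings. To run it against real data, feed `iter_log_file()` the objects a trail delivers to its bucket; note that the GetObject-style records will only be present if S3 data events were enabled on the trail.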
The AWS Shared Responsibility Model places security "of the cloud" (physical infrastructure, hypervisor) on AWS and security "in the cloud" (data classification, access control configuration, encryption key management) on the customer. Misconfigured S3 bucket permissions have been the cause of numerous healthcare data breaches; S3 Block Public Access enabled at the account level is the control that prevents such exposure regardless of individual bucket settings. A covered entity cannot claim AWS's HIPAA program as its own without correctly configuring every service it uses.
Microsoft Azure is widely used by enterprise health systems, driven by EHR integrations with Epic and Oracle Health (Cerner) and by Microsoft's own healthcare data platform. Microsoft's HIPAA BAA is incorporated into its standard Product Terms and Data Protection Addendum, so in-scope Azure services are covered under one agreement without a separate signature. AWS likewise uses a single agreement, but only services on its HIPAA-eligible list may hold ePHI under it; with either provider, the services actually deployed must be checked against the provider's in-scope list before PHI is placed in them.
Azure Health Data Services provides a fully managed FHIR R4-compliant data store, DICOM imaging support, and the MedTech service for IoT and medical device data ingestion. All data is encrypted with AES-256 at rest and TLS 1.2/1.3 in transit. Microsoft Entra ID (formerly Azure Active Directory) provides enterprise identity management with multi-factor authentication, Conditional Access policies, and Privileged Identity Management. Note that § 164.312(d) as currently in force requires person or entity authentication and does not name MFA; the HIPAA Security Rule NPRM that HHS released in late December 2024 (published in the Federal Register in January 2025) would make MFA an explicit requirement, but it is a proposed rule, not a final one. Conditional Access that enforces MFA on every account able to reach ePHI is nonetheless the control OCR expects to find.
For audit controls (§ 164.312(b)), Azure Monitor combined with Microsoft Sentinel provides SIEM-level log aggregation, anomaly detection, and pre-built HIPAA compliance workbooks for OCR audit documentation. Azure Policy can enforce HIPAA compliance guardrails across all subscriptions in a management group hierarchy.
Google Cloud provides a HIPAA BAA covering its core infrastructure services and offers the Google Cloud Healthcare API — a managed service for storing and accessing healthcare data in FHIR R4, HL7v2, and DICOM formats. Google's HIPAA implementation guide requires configuring organization-level policies, VPC Service Controls for network perimeter security, and Cloud Key Management Service (Cloud KMS) for customer-managed encryption keys.
Google Cloud's BigQuery is widely used for healthcare analytics workloads on de-identified data. With proper PHI classification and VPC Service Controls, HIPAA-covered analytics pipelines can run at scale. Google Cloud Audit Logs provide Admin Activity, Data Access, and System Event logs. Admin Activity and System Event logs are always on, but Data Access logs (the ones that record reads and writes of the data itself) are disabled by default for every service except BigQuery and must be enabled explicitly, and retained for the period the organization's risk analysis sets, before they can be relied on for the § 164.312(b) Audit Controls requirement.
Google Workspace (formerly G Suite) requires its own BAA, which an administrator accepts in the Admin Console, plus healthcare-specific configuration of the covered Workspace services. Standard consumer Gmail and Google Drive accounts cannot be used for ePHI; healthcare organizations must use a Workspace edition that supports the BAA, accept it, and apply the appropriate data handling settings through the Admin Console.
Box provides HIPAA-compliant cloud content management with BAA available on Business and Enterprise plans. Unlike infrastructure cloud providers, Box offers a purpose-built content collaboration experience with lower configuration overhead — making it well-suited for mid-market healthcare organizations that need secure document sharing, clinical collaboration portals, and patient-facing file exchange without maintaining cloud infrastructure expertise.
Box Shield (enterprise add-on) adds threat detection, anomalous download alerting, and automated classification and labeling that can be applied to PHI. Box's Admin Console provides detailed access logs for all file operations, supporting § 164.312(b). Box KeySafe lets organizations hold their own encryption keys outside Box's infrastructure; this supports the addressable encryption specification of § 164.312(a)(2)(iv) for organizations whose own policy requires customer-controlled keys, although the regulation itself does not mandate customer-managed keys.
Box is HITRUST CSF certified and maintains SOC 2 Type II, ISO 27001, and FedRAMP Moderate authorizations. It is not suitable for FHIR-native healthcare data workloads or large-scale analytics, but excels in clinical document management, consent form workflows, and secure provider-patient file exchange.
Dropbox Business offers a HIPAA BAA on Business Plus and Advanced plans, making it an option for smaller healthcare practices and health-tech companies that rely heavily on Dropbox for file storage and sharing. All files are encrypted with AES-256 at rest and TLS in transit. Dropbox's administrative console provides team activity logs tracking file views, edits, shares, and deletions.
Dropbox lacks the enterprise security maturity of AWS, Azure, or Google Cloud. It does not offer customer-managed encryption keys, native FHIR support, or FedRAMP High authorization. For healthcare organizations with moderate PHI volume and straightforward file-sharing use cases, Dropbox Business with a BAA can satisfy the technical safeguard requirements of 45 CFR § 164.312 — provided that encryption, access controls, and audit review procedures are properly configured and documented.
Healthcare organizations using Dropbox should configure: (1) two-factor authentication for all accounts (§ 164.312(d)); (2) selective sync to prevent PHI from being cached on unmanaged devices; (3) remote wipe capability for lost or stolen devices; and (4) regular review of the team activity log to satisfy the information system activity review requirement of § 164.308(a)(1)(ii)(D).
The HIPAA Shared Responsibility Gap
The most important concept for healthcare organizations evaluating cloud storage is the Shared Responsibility Model. Every major cloud provider's HIPAA compliance only covers its own infrastructure — physical security, hypervisor isolation, and underlying network security. The covered entity remains responsible for:
- Correctly configuring access controls (identity management, permissions, public access blocks)
- Enabling and retaining audit logs for a period set by the organization's risk analysis (the 6-year retention in § 164.316(b)(2) applies to required documentation such as policies and audit review records; HIPAA sets no specific retention period for raw logs, though many organizations apply the same 6 years)
- Managing encryption keys and ensuring encryption is actually enabled (not just available)
- Enforcing multi-factor authentication on all accounts with PHI access (§ 164.312(d) requires person or entity authentication; MFA is the expected implementation today and would become an explicit requirement under the Security Rule changes HHS proposed in December 2024)
- Conducting regular configuration audits to detect drift from compliant baselines
- Executing and maintaining a signed BAA before any PHI enters the cloud environment
A misconfigured Amazon S3 bucket, publicly readable without authentication, has been behind numerous healthcare breach reports and OCR enforcement actions with multi-million dollar settlements. The fact that AWS offers a HIPAA BAA and compliant infrastructure provides zero protection if the covered entity enables public access to a bucket containing PHI. There is no such thing as HIPAA certification: HHS does not certify products or providers, and OCR does not accept "the cloud provider is HIPAA-certified" as a defense. The covered entity's own configuration is the liability.
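The public-bucket failure discussed in the AWS deep dive above and in this section is detectable before it is exploited, because a bucket policy is just a JSON document. The code below is an added example, written for this page and not drawn from AWS or from the page's author, that does two things: it flags Allow statements granting to every principal with no narrowing condition (a simplified rendering of the rule behind S3's BlockPublicPolicy setting; AWS's exact list of narrowing condition keys is longer than the one assumed here), and it emits the baseline deny statements a PHI bucket should carry, refusing non-TLS requests and uploads that do not ask for SSE-KMS. The sample policies and the bucket name phi-archive are constructed for illustration.

```python
import json

# Condition keys that turn a "*" grant into a non-public one. Simplified approximation of the
# keys AWS recognizes for BlockPublicPolicy; treat anything outside this set as still public.
NON_PUBLIC_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn", "aws:userid",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy: dict) -> list[dict]:
    """Allow statements that grant to everyone without a narrowing condition."""
    out = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not principal_is_anonymous(st.get("Principal")):
            continue
        keys = {k.lower() for op in (st.get("Condition") or {}).values() for k in op}
        if keys & NON_PUBLIC_CONDITION_KEYS:
            continue
        out.append(st)
    return out


def is_public(policy: dict) -> bool:
    return bool(public_statements(policy))


def public_access_block_ok(cfg: dict) -> bool:
    """All four Public Access Block settings must be on for a bucket (or account) holding PHI."""
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def hardened_policy(bucket: str) -> dict:
    """Baseline deny statements for a PHI bucket: refuse non-TLS requests (§ 164.312(e)) and
    refuse uploads that do not request SSE-KMS (§ 164.312(a)(2)(iv)). Access grants are expected
    to come from IAM policies on specific roles, never from a "*" principal in the bucket policy."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUploadsWithoutKms", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ],
    }


# Constructed policies for illustration; not taken from any real account.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::phi-archive/*"}],
}
ORG_RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::phi-archive/*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
}
PUBLIC_ACCESS_BLOCK_PARTIAL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print("public read policy is public:", is_public(PUBLIC_READ_POLICY))
    print("org-restricted policy is public:", is_public(ORG_RESTRICTED_POLICY))
    print("partial public access block acceptable:", public_access_block_ok(PUBLIC_ACCESS_BLOCK_PARTIAL))
    print(json.dumps(hardened_policy("phi-archive"), indent=2))
```

Two design points. The Deny statements use Principal "*" deliberately and are not public; only Allow statements are considered when deciding exposure. The SSE-KMS deny uses StringNotEquals, which also matches requests that omit the header entirely, so clients must send it explicitly; the bucket's default encryption with a customer-managed KMS key remains the primary control, and this statement is a belt-and-braces check that an upload path has not silently fallen back to something else.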
Regulatory Summary: 45 CFR § 164.312 Technical Safeguard Mapping
Access Control (§ 164.312(a)(1)): Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to authorized users or software programs. All five providers reviewed support role-based access controls. AWS IAM and Azure RBAC offer the most granular control surfaces for enterprise healthcare environments.
Audit Controls (§ 164.312(b)): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. All reviewed providers offer audit logging capabilities. AWS CloudTrail and Azure Monitor provide the most comprehensive audit records for enterprise deployments, and tamper-evident ones once integrity validation and immutable log storage are configured. Logs must be reviewed regularly under § 164.308(a)(1)(ii)(D); enabling logging without reviewing it does not satisfy the standard.
Recommendation Matrix
- Enterprise Health System / IDN: Microsoft Azure (EHR integration, enterprise identity management, Sentinel SIEM) or AWS (broadest service coverage, HealthLake FHIR)
- Healthcare Analytics / AI Platform: Google Cloud (BigQuery, Healthcare API, Vertex AI) or AWS (SageMaker + HealthLake)
- Mid-Market Practice / Group Practice: Box for Healthcare (managed content platform, lower config overhead, HITRUST certified)
- Small Practice / Solo Provider: Dropbox Business Plus (simple, low-cost, BAA available) or Doxy.me for telehealth plus Google Workspace with its BAA accepted in the Admin Console
- Clinical Document Management: Box (native collaboration workflows, patient portal capabilities, Shield AI classification)
For a full list of verified HIPAA-compliant cloud storage and infrastructure tools, see the Cloud Storage category in the HipaaDirectory.com Listings.