
How to Choose a HIPAA-Compliant Cloud Storage for Your Therapy Practice

11 min read

If you store any patient-related files outside your EHR — scanned intake forms, insurance documents, referral letters, or backup copies of clinical notes — you're using cloud storage for PHI. And if that cloud storage doesn't have a signed Business Associate Agreement with you, you have a HIPAA violation.

Most solo therapists don't think of Google Drive or Dropbox as "healthcare vendors." But if patient data touches those services, HIPAA applies to them. This guide covers which cloud storage options are HIPAA compliant, what to look for, and how to set them up properly.

The BAA Requirement

The fundamental question isn't whether a cloud service is "secure." It's whether the provider will sign a Business Associate Agreement with you. Without a BAA, the vendor has no legal obligation to protect your patients' data under HIPAA — and you're in violation for storing PHI there.

Cloud Storage Options Compared

Google Drive (via Google Workspace)

BAA available: Yes — but ONLY on paid Google Workspace plans (Business Starter, Business Standard, Business Plus, Enterprise). Personal Google accounts (free Gmail/Drive) do not offer BAAs.

How to enable: Sign in to Google Workspace Admin Console → Account → Legal and compliance → Review and accept the BAA. This covers Drive, Gmail, Calendar, Meet, and other core services.

Encryption: AES-256 at rest, TLS in transit. Google manages the encryption keys by default, though Workspace Enterprise offers customer-managed encryption keys (CMEK).

Key considerations: Google's BAA covers Drive storage but excludes certain add-on services. Read the BAA carefully to know what's covered. The BAA also requires you to configure your Workspace account according to Google's HIPAA Implementation Guide.

Dropbox (Business plans)

BAA available: Yes — on Dropbox Business, Business Plus, and Enterprise plans. Dropbox Basic (free) and Plus (personal paid) do not offer BAAs.

How to enable: Contact Dropbox Business sales or enable via the admin console. The BAA is part of the Business Agreement.

Encryption: AES-256 at rest, TLS/SSL in transit. Dropbox splits files into blocks, each encrypted individually.

Key considerations: Dropbox Business includes admin controls, audit logs, remote wipe, and granular sharing permissions. The consumer version lacks these. If you're currently using personal Dropbox for anything involving patient data, you need to upgrade or migrate.

Microsoft OneDrive (via Microsoft 365)

BAA available: Yes — on Microsoft 365 Business Basic and above. A BAA is available through the Microsoft Trust Center and covers OneDrive, Outlook, Teams, SharePoint, and other 365 services.

Encryption: BitLocker (at rest), TLS 1.2+ (in transit). Microsoft offers Customer Key for organisations wanting to control their own encryption keys.

Key considerations: If you're already using Microsoft 365 for email (Outlook), adding OneDrive is seamless — same BAA covers both. The admin centre provides audit logs, access controls, and data loss prevention policies.

Apple iCloud

BAA available: No. Apple does not sign Business Associate Agreements for iCloud services. This means iCloud Drive, iCloud backup, and iCloud sync cannot be used to store PHI.

What this means: If your iPhone backs up to iCloud and your calendar, contacts, or notes contain patient information, that's a potential HIPAA issue. Disable iCloud backup for any app that contains PHI, or turn off iCloud backup entirely and use encrypted local backups instead.

Amazon S3 / AWS

BAA available: Yes — AWS offers a comprehensive BAA through the AWS Artifact portal. Covers S3, EC2, RDS, and many other services.

Key considerations: AWS is what most EHRs run on (including SimplePractice and TherapyNotes). For solo therapists, using AWS directly is unusual — it's a developer platform. But if you or your IT person have set up any custom infrastructure on AWS, a BAA is essential.

Quick Comparison

| Service | BAA Available | Plan Required | Encryption at Rest | Audit Logs |
|---------|--------------|---------------|-------------------|------------|
| Google Drive | Yes | Workspace (paid) | AES-256 | Yes |
| Dropbox | Yes | Business (paid) | AES-256 | Yes |
| OneDrive | Yes | Microsoft 365 | BitLocker | Yes |
| iCloud | No | N/A | AES-128/256 | Limited |
| AWS S3 | Yes | Any | AES-256 | Yes |

What to Do If You're Using Personal Cloud Storage

If you're currently using a personal (non-BAA) cloud account for anything involving patient data, here's your action plan:

Step 1: Audit. What patient-related files are in your personal cloud storage? Check Google Drive, Dropbox, iCloud, and any other sync service.

Step 2: Decide. Either upgrade to a business plan that offers a BAA, or migrate patient files to a compliant alternative.

Step 3: Migrate. Move patient files to the compliant service. Delete them from the non-compliant service (and empty the trash).

Step 4: Sign the BAA. Don't just upgrade — you must actually execute the BAA. Most services require you to explicitly opt in through an admin console.

Step 5: Document. Add the cloud storage provider to your BAA tracker with the date signed and review schedule.

Best Practices for Cloud Storage Security

Even with a BAA in place, you should:

  • Enable two-factor authentication on your cloud storage account
  • Use strong, unique passwords (password manager recommended)
  • Review sharing settings — ensure no patient files are shared publicly or with unintended recipients
  • Disable public link sharing as the default for your account
  • Review connected apps — revoke access for any third-party apps you no longer use
  • Enable audit logging and review it periodically
  • Set up remote wipe capability for mobile devices
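The "review sharing settings" item above is the one most easily automated. The script below is an added example (not code from this article or from Google): it takes a Drive file listing, here a constructed sample modelled on the fields the Google Drive API v3 `files.list` call returns when `permissions(type,role,emailAddress,domain)` is requested, and flags every file shared by public link, with an outside domain, or with an address outside the practice's own domain (assumed here to be `example-practice.com`).

```python
import json

# Constructed sample listing, modelled on Drive API v3 files.list output with
# fields="files(id,name,permissions(type,role,emailAddress,domain))".
# The file names, ids and addresses are made up for this example.
SAMPLE_LISTING = json.loads("""
{"files": [
  {"id": "f1", "name": "intake-form-jdoe.pdf",
   "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr@example-practice.com"}]},
  {"id": "f2", "name": "referral-letter.pdf",
   "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr@example-practice.com"},
                   {"type": "anyone", "role": "reader"}]},
  {"id": "f3", "name": "insurance-card-scan.jpg",
   "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr@example-practice.com"},
                   {"type": "user", "role": "writer", "emailAddress": "friend@gmail.com"}]},
  {"id": "f4", "name": "practice-brochure.pdf",
   "permissions": [{"type": "domain", "role": "reader", "domain": "example-practice.com"}]}
]}
""")

PRACTICE_DOMAIN = "example-practice.com"  # assumed Workspace domain of the practice


def permission_finding(perm, practice_domain):
    """Describe how this permission exposes the file outside the practice, or None if it doesn't."""
    ptype = perm.get("type")
    if ptype == "anyone":  # "anyone with the link" or fully public
        return "public link (anyone with the link)"
    if ptype == "domain" and perm.get("domain") != practice_domain:
        return f"shared with entire external domain {perm.get('domain')}"
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        if not email.lower().endswith("@" + practice_domain):
            return f"shared with external {ptype} {email} ({perm.get('role')})"
    return None  # owner or internal sharing: nothing to report


def audit_sharing(listing, practice_domain=PRACTICE_DOMAIN):
    """Map each over-shared file name to the list of exposures found on it."""
    findings = {}
    for f in listing["files"]:
        issues = [msg for p in f.get("permissions", [])
                  if (msg := permission_finding(p, practice_domain))]
        if issues:
            findings[f["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_sharing(SAMPLE_LISTING).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run against a real export, the two files it reports are exactly the ones whose sharing should be removed before they are considered properly stored under the BAA.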

The Bottom Line

The rule is simple: if patient data touches a cloud service, that service needs a signed BAA. Personal/free plans almost never offer BAAs. Business plans almost always do.

The safest path for most solo therapists: use Google Workspace or Microsoft 365 for email AND cloud storage, sign one BAA that covers both services, and keep everything in one ecosystem.

Not sure which of your vendors need BAAs? Take the free HIPAA assessment — it checks your entire vendor setup in 25 minutes and identifies every gap.
