Storing PHI in the Cloud Without a BAA: Compliance Risks and Remediation

By GuardWell Compliance Team·May 14, 2026·10 min read

Someone on your staff uploaded a spreadsheet of patient names and insurance IDs to a shared Google Drive folder. Or your billing coordinator keeps a Dropbox folder of scanned explanation of benefits documents. Or you migrated your backup system to AWS three years ago and nobody ever checked whether Amazon signed a BAA. If any of these scenarios sound familiar, you have a HIPAA compliance problem that needs to be addressed immediately — because storing PHI in a cloud service without a Business Associate Agreement is a violation of 45 CFR 164.502(e), and the cloud provider’s standard terms of service do not satisfy HIPAA requirements.

Why Cloud Providers Are Business Associates

OCR addressed this directly in guidance published in 2016: a cloud service provider (CSP) that maintains ePHI on behalf of a covered entity is a business associate, even if the CSP does not actually view or interact with the data. The act of storing, maintaining, or transmitting ePHI is sufficient. This applies regardless of whether the data is encrypted by the covered entity before it reaches the cloud — the CSP still maintains it.

This means that every cloud service where PHI resides requires a BAA: cloud storage (Google Drive, Dropbox, OneDrive, Box), cloud infrastructure (AWS, Azure, Google Cloud Platform), cloud-based email (Gmail, Microsoft 365), cloud backup services, and cloud-based productivity tools if they are used to process PHI.

The Good News: Major Cloud Providers Will Sign BAAs

The major cloud platforms all offer HIPAA-eligible configurations and BAAs:

  • Amazon Web Services (AWS): Offers a BAA through their AWS Artifact portal. You must configure services according to their HIPAA-eligible service list and shared responsibility model.
  • Microsoft Azure / Microsoft 365: Provides a BAA as part of certain enterprise and business-tier subscriptions. Not all service tiers include BAA eligibility — verify your specific plan.
  • Google Cloud Platform / Google Workspace: Offers a BAA for Google Workspace (Business and Enterprise tiers) and Google Cloud. The BAA must be explicitly accepted in the admin console.
  • Dropbox Business: Offers a BAA for Dropbox Business and Dropbox Enterprise plans. The free consumer version does not support a BAA.
  • Box: Provides a BAA for Box Business and Enterprise plans with HIPAA compliance configurations.

The critical point: having an account with one of these providers does not mean you have a BAA in place. The BAA is a separate agreement that must be explicitly executed or accepted. Many practices assume their existing subscription includes HIPAA compliance by default — it does not.

Consumer-Tier Services Cannot Be Made Compliant

Free or consumer-tier cloud services generally do not offer BAAs and cannot be used to store PHI. This includes personal Gmail accounts, free Dropbox accounts, consumer Google Drive, iCloud (Apple does not offer a BAA for iCloud), and most free file-sharing services. If staff are using personal cloud accounts to store or share patient information, this must be stopped immediately and addressed as a potential breach.

Shadow IT — the use of unauthorized cloud services by staff without the knowledge of practice management — is one of the most common sources of cloud-related HIPAA violations. Your security risk assessment should specifically evaluate whether staff are using unapproved cloud services for PHI.

Configuration Requirements Beyond the BAA

Signing a BAA with a cloud provider is necessary but not sufficient. Under the shared responsibility model, the CSP secures the infrastructure, but the covered entity is responsible for configuring and using the service in a compliant manner. Key configuration requirements include:

Encryption

ePHI must be encrypted both at rest and in transit. Most major cloud providers offer encryption by default, but you must verify that encryption is enabled and that you understand who manages the encryption keys. If the CSP manages the keys, they have the ability to decrypt the data — which reinforces why the BAA is essential.

Access Controls

Implement role-based access controls so that only authorized workforce members can access PHI stored in the cloud. Enable multi-factor authentication for all accounts that can access ePHI. Use the principle of least privilege — do not grant broader access than each role requires.

Audit Logging

Enable and monitor audit logs for all access to ePHI in the cloud environment. Cloud providers typically offer logging capabilities (AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs) that must be configured and reviewed regularly as part of your ongoing risk management.

Data Backup and Recovery

Ensure that cloud-stored ePHI is backed up according to your data backup and recovery plan. Test restoration procedures periodically. If backups are stored in a different cloud region or service, that additional storage location must also be covered by a BAA.
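The controls above (encryption at rest with known key ownership, restrictive access, audit logging) can be checked mechanically. The following is an added example, not GuardWell's code: it evaluates constructed S3 bucket configuration snapshots whose shape mirrors boto3's `get_bucket_encryption`, `get_public_access_block` and `get_bucket_logging` responses (an assumption; no AWS call is made, and the account ID and key ID are placeholders).

```python
from typing import Dict, List

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def evaluate_bucket(name: str, snap: Dict) -> List[str]:
    """Return findings for one bucket; an empty list means all listed controls pass."""
    findings = []

    # Encryption at rest: a default SSE rule must exist. Note who holds the key:
    # "aws:kms" with an explicit KMSMasterKeyID is a customer-managed key;
    # "aws:kms" without one uses the AWS-managed aws/s3 key, and AES256 is SSE-S3.
    rules = snap.get("encryption", {}).get("Rules", [])
    if not rules:
        findings.append(f"{name}: no default encryption at rest")
    else:
        sse = rules[0].get("ApplyServerSideEncryptionByDefault", {})
        algo = sse.get("SSEAlgorithm")
        if algo == "aws:kms" and sse.get("KMSMasterKeyID"):
            pass  # practice controls the key material
        elif algo in ("aws:kms", "AES256"):
            findings.append(f"{name}: note: provider-managed key, CSP can decrypt; "
                            "confirm the BAA covers this")
        else:
            findings.append(f"{name}: unknown SSE algorithm {algo!r}")

    # Access control: all four public access block flags should be on.
    pab = snap.get("public_access_block", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag):
            findings.append(f"{name}: public access block flag {flag} is off")

    # Audit logging: server access logging must deliver to a target bucket.
    if not snap.get("logging", {}).get("TargetBucket"):
        findings.append(f"{name}: server access logging not enabled")
    return findings

def audit(snapshots: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each non-compliant bucket name to its findings."""
    results = {n: evaluate_bucket(n, s) for n, s in snapshots.items()}
    return {n: f for n, f in results.items() if f}

# Constructed sample snapshots (placeholder account and key IDs).
SAMPLE_SNAPSHOTS = {
    "phi-backups": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"}}]},
        "public_access_block": {f: True for f in PAB_FLAGS},
        "logging": {"TargetBucket": "phi-access-logs", "TargetPrefix": "phi-backups/"},
    },
    "scanned-eobs": {
        "encryption": {},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
        "logging": {},
    },
}
```

Run `audit(SAMPLE_SNAPSHOTS)` to see only the misconfigured bucket reported; in practice the snapshots would be populated from the real API responses for every bucket that holds ePHI.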

Remediation: What to Do If PHI Is Already in the Cloud Without a BAA

If you discover that PHI has been stored in a cloud service without a BAA, take these steps:

  1. Stop new uploads immediately. Prevent any additional PHI from being placed in the non-compliant service.
  2. Determine whether a BAA is available. If the cloud provider offers a BAA for your service tier, execute it immediately. If they do not, you need to migrate the data.
  3. Conduct a breach risk assessment. Evaluate whether the PHI was accessed by unauthorized persons during the period without a BAA. Use the four-factor test under 45 CFR 164.402 to determine whether notification is required.
  4. Migrate data if necessary. If the service does not support a BAA, migrate all PHI to a compliant platform. Ensure the data is securely deleted from the non-compliant service after migration.
  5. Document the gap and remediation. Create a written record of the discovery, risk assessment, and all corrective actions. This documentation is essential for demonstrating good faith if OCR investigates.
  6. Update your policies. Revise your HIPAA policies to explicitly list approved cloud services and prohibit the use of non-approved services for PHI. Train staff on the updated requirements.

The Shared Responsibility Model in Practice

Understanding shared responsibility is essential for cloud compliance. The cloud provider is responsible for the security of the cloud (physical infrastructure, network, hypervisor). Your practice is responsible for security in the cloud (data, access controls, configuration, encryption key management, user authentication). A BAA does not transfer all security obligations to the provider — it establishes a framework for both parties’ responsibilities.

This means that even with a BAA in place, a misconfigured S3 bucket, an overly permissive sharing link, or a compromised user account is your practice’s liability. Regular security reviews of your cloud configuration should be part of your annual risk assessment.

Frequently Asked Questions

If I encrypt PHI before uploading it to the cloud, do I still need a BAA?

Yes. OCR has clarified that a cloud service provider that maintains ePHI is a business associate even if the data is encrypted by the covered entity and the CSP does not have the decryption key. The act of maintaining the data makes them a business associate. Encryption is a critical safeguard, but it does not eliminate the BAA requirement.

Can I use iCloud to store patient records if I enable encryption?

No. Apple does not currently offer a BAA for iCloud. Without a BAA, you cannot store PHI in iCloud regardless of encryption settings. If staff are using iCloud for patient-related documents, photos, or communications, this must be discontinued and the data migrated to a HIPAA-eligible service.

Is the cloud provider liable if a breach occurs on their infrastructure?

Under HITECH, business associates (including CSPs) are directly liable for HIPAA violations. If the breach resulted from the CSP’s failure to maintain required safeguards, they face their own penalties. However, your practice retains notification obligations and may face liability if you failed to conduct due diligence, configure the service properly, or maintain an adequate BAA. Liability often falls on both parties. Review your BAA’s indemnification clauses and consider cyber liability insurance.

What about cloud-based EHR systems — does my EHR vendor’s BAA cover the underlying cloud infrastructure?

Your BAA with the EHR vendor covers their handling of PHI, including their use of cloud infrastructure. The EHR vendor should have their own BAA with their cloud provider (a subcontractor BAA). However, you should verify this as part of your vendor due diligence. If your EHR vendor stores data in the cloud, ask them to confirm that they have a BAA with their infrastructure provider and that the data is stored in HIPAA-eligible services.
