Cloud storage is the easiest place for a medical practice to leak PHI. A staff member shares a folder “with anyone who has the link,” a former employee retains access, a personal Dropbox connects to corporate files — the patterns are predictable and the OCR enforcement actions are public.
The good news: all three of the major business cloud storage platforms — Microsoft SharePoint/OneDrive, Google Drive, and Box — can be HIPAA-compliant with the right configuration. The bad news: none of them are HIPAA-compliant by default, and the configuration choices that matter aren’t obvious from the marketing pages.
This guide compares the three for medical practices, covers what HIPAA actually requires of cloud storage, and gives a concrete recommendation framework based on what the practice already runs.
What HIPAA actually requires of cloud storage
The HIPAA Security Rule doesn’t name specific products. It defines what controls have to exist around PHI:
- Access controls (Technical Safeguard, 164.312(a)(1)): only authorized users can reach PHI, and each user has a unique ID so activity is attributable to a person
- Audit controls (164.312(b)): you can produce a record of who accessed, shared, or changed what
- Integrity controls (164.312(c)(1)): PHI can't be altered or destroyed without authorization, and you can detect it if it is
- Transmission security (164.312(e)(1)): PHI is protected in transit; the encryption specification is addressable, and for a cloud service TLS is the only realistic way to meet it
- Encryption at rest (164.312(a)(2)(iv)): also addressable, meaning you either implement it or document why an equivalent measure is reasonable; for any cloud system, implement it
Plus, before any PHI touches the platform: a Business Associate Agreement (BAA) with the cloud vendor.
Each of the three platforms can satisfy all of these. The differences are in how easy they make it, what the licensing costs, and what defaults you have to override.
Quick comparison
| Feature | SharePoint / OneDrive (M365) | Google Drive (Workspace) | Box |
|---|---|---|---|
| BAA available | ✅ Free with Business Standard+ | ✅ Free with Business Standard+ | ✅ Included with Business+ tier |
| Tier you actually need for the controls below | Business Premium ($22/user/mo) | Business Plus ($18/user/mo) | Business ($20/user/mo) |
| Encryption at rest | ✅ AES-256, customer-managed keys (E5) | ✅ AES-256, customer-managed keys (Enterprise+) | ✅ AES-256, customer-managed keys (KeySafe add-on) |
| DLP for PHI | ✅ Built-in HIPAA template | ✅ Available; needs setup | ✅ Strong, granular |
| External sharing controls | Granular but defaults are permissive | Granular | Strongest of the three |
| Audit logging | ✅ Unified audit log | ✅ Admin audit log | ✅ Detailed audit + governance |
| EHR integration | Most EHRs integrate via Graph API | Limited | Strong (Box Health) |
| Retention / legal hold | ✅ Microsoft Purview | ✅ Vault | ✅ Native + Box Governance |
Microsoft SharePoint / OneDrive
Best for: Practices already on Microsoft 365 (most are). The deepest integration with Outlook, Teams, Office desktop, and most EHR systems.
Strengths
- The BAA covers SharePoint, OneDrive, Teams, and Exchange under one signed agreement
- DLP, sensitivity labels, and information protection are all in one Purview console
- Native PHI templates make initial DLP setup faster than competitors
- Tight integration with Defender, Intune, and Conditional Access
- Customer Lockbox in E5 prevents Microsoft engineers from accessing your data without your explicit approval
Watch-outs for HIPAA
- The org-level external sharing setting defaults to "Anyone", which permits anonymous links. Lower it to "Existing guests only" (or "Only people in your organization") for both SharePoint and OneDrive before PHI is uploaded, and set the default link type to "Only people in your organization" so a careless "copy link" never produces a link that works outside the tenant
- "Anyone" links never expire by default. If you must allow them, require expiration; if you disable them (recommended), the knob that actually enforces "30 days" for outside access is guest access expiration, a separate tenant setting
- Anonymous links must be disabled at the tenant level; site-level sharing settings can only be stricter than the tenant, never looser
- SharePoint search is security-trimmed: it shows each user everything they can already open. Grant "Everyone except external users" on a PHI site and every staff account can find those files through search, an instant audit finding. Hide the broad claims from the people picker and review site permissions on a schedule
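The tenant settings behind those four watch-outs, as PowerShell against the SharePoint Online Management Shell. This is an added example, not configuration from the original article or from Microsoft; the admin URL and the partner domain are placeholders, and the allow-list is an assumption about who the practice actually shares with:

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell, and an
# account holding the SharePoint Administrator role.
# The tenant admin URL and the partner domain below are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# 1. Watch-outs 1 and 3: no anonymous ("Anyone") links anywhere. The tenant
#    value is a ceiling; every site and every OneDrive can only be stricter.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly

# 2. The default link a user gets is internal and view-only, so the quick
#    "copy link" path never creates a link that works outside the tenant.
Set-SPOTenant -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# 3. Watch-out 2: with anonymous links disabled, "30 days" is enforced by guest
#    access expiration, not by RequireAnonymousLinksExpireInDays. Guests also
#    re-verify their e-mail address every 30 days.
Set-SPOTenant -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30 `
              -EmailAttestationRequired $true `
              -EmailAttestationReAuthDays 30

# 4. Guests cannot re-share, owners are notified when their items are
#    re-shared, and external sharing is limited to named partner domains
#    (the domain list is an assumption; use the practice's real partners).
Set-SPOTenant -PreventExternalUsersFromResharing $true `
              -NotifyOwnersWhenItemsReshared $true `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'referrallab.example'   # placeholder domain

# 5. Watch-out 4: remove the broad claims from the people picker so nobody
#    can grant "Everyone" or "Everyone except external users" on a PHI site.
#    Search is security-trimmed, so one such grant exposes the site to all staff.
Set-SPOTenant -ShowEveryoneClaim $false `
              -ShowAllUsersClaim $false `
              -ShowEveryoneExceptExternalUsersClaim $false

# 6. Verify the tenant, then list sites whose own setting had been opened to
#    anonymous sharing. The tenant ceiling now caps them, but pin each one with
#    Set-SPOSite -SharingCapability so a later tenant change cannot reopen it.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, ExternalUserExpirationRequired,
    ExternalUserExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList

Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, SharingCapability
```

Run it against a test tenant first. Tightening SharingCapability immediately breaks every existing anonymous link, which is the point, but staff should know the day it happens. The site query at the end is the cleanup list: each site it returns was deliberately opened wider than the new tenant ceiling and deserves a look at who has been in it.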
When SharePoint wins: If your practice runs Microsoft 365, runs Office desktop apps, and uses Teams for clinical communications, SharePoint is the right answer. The integration cost of going elsewhere outweighs the modest per-user storage advantages of competitors.
Google Drive (Google Workspace)
Best for: Practices already on Google Workspace, especially smaller practices with a younger tech-friendly staff.
Strengths
- Cleanest sharing UX — easier for staff to use correctly
- Strong native search across Drive, Gmail, Calendar
- Excellent collaboration on Docs, Sheets, Slides
- Vault provides defensible retention and legal hold
- Per-user storage is generous on higher tiers
Watch-outs for HIPAA
- The BAA covers Google's core Workspace services (Drive, Gmail, Calendar, Docs, Sheets, Slides, Meet, and Vault). It does not cover consumer products such as Google Photos or legacy Hangouts, and it never covers third-party Marketplace apps. Restrict Marketplace installs to an admin-approved allowlist before users add anything: an add-on granted Drive scopes can read PHI entirely outside the BAA.
- DLP setup is less guided than Microsoft Purview — expect a steeper config investment
- Less third-party EHR integration depth than SharePoint
- Files containing PHI must never carry an "anyone with the link" permission, least of all the variant that lets the file be found in search (in the Drive API this is a permission of type anyone with allowFileDiscovery set). Turn off sharing outside the organization in the Admin console, or restrict it to allowlisted partner domains, so staff cannot create such links in the first place
- Shared Drives are easier to govern than personal Drive sharing: content belongs to the organization rather than to an individual, survives departures, and inherits admin-set sharing policy. Move PHI off personal Drive into Shared Drives early
When Google Drive wins: Practices already running Google Workspace, no major dependency on Office desktop apps, and clinical staff comfortable with Docs/Sheets workflows.
Box
Best for: Practices that need granular external collaboration with referrers, labs, malpractice insurers, or other partners.
Strengths
- Most granular sharing and permissions of the three
- Box Health is a dedicated industry vertical with HITRUST CSF certification baked in
- Native integration with most EHR/EMR systems via partnerships
- Box KeySafe lets you bring your own AWS KMS keys for stricter encryption control
- Watermarking, view-only, and download-blocked permissions make external sharing safer
Watch-outs for HIPAA
- Often runs alongside M365 or Google Workspace rather than replacing them — that’s two clouds to govern instead of one
- Per-user pricing is comparable but storage tiers can add up faster
- Less native productivity tooling — Box Notes is fine but rarely a primary doc tool
- Migration from existing storage to Box has higher friction than SharePoint↔OneDrive moves
When Box wins: Practices with heavy external collaboration where the granular permissions are worth running alongside an existing productivity suite. Also a good answer for practices in regulated specialties where HITRUST certification is expected by partners.
What to configure on day one (any platform)
- ✅ Sign the BAA before any user uploads PHI
- ✅ Disable external anonymous sharing at the tenant / domain level
- ✅ Set a default link expiration of 30 days for any external sharing that does happen
- ✅ Enable MFA for every user account, no exceptions
- ✅ Configure DLP with a HIPAA template, run in test mode for 2 weeks, then enforce
- ✅ Set audit log retention to at least 1 year; keep it longer where licensing allows if your retention policy treats access logs as Security Rule documentation, which must be kept six years (164.316(b)(2))
- ✅ Enable mobile management (Intune, Google MDM, or platform-native)
- ✅ Document data flows: who can access what, where it goes, and who oversees the policy
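For the audit-log and data-flow items on a Microsoft 365 tenant, the following added example (not from the original article or from Microsoft) confirms unified audit logging is on, creates a twelve-month retention policy for SharePoint sharing and file-access records, and pulls ninety days of external and anonymous sharing events into a CSV. It assumes the ExchangeOnlineManagement module, an admin account (placeholder UPN), and Audit (Premium) licensing for the retention policy; the policy name and priority are arbitrary:

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Requires: Install-Module ExchangeOnlineManagement, an admin with audit read
# rights, and Audit (Premium) licensing for New-UnifiedAuditLogRetentionPolicy.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Audit ingestion must be on, or there is nothing to retain or search.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Keep sharing and file-access records for twelve months. The policy name and
# priority are placeholders; priority must be unique across your policies.
New-UnifiedAuditLogRetentionPolicy -Name 'PHI sharing and access - 12 months' `
    -RecordTypes SharePointSharingOperation, SharePointFileOperation `
    -RetentionDuration TwelveMonths -Priority 10

# Ninety days of sharing events, paged through one session. Each call
# returns at most 5,000 records, so loop until a call comes back empty.
$start = (Get-Date).AddDays(-90)
$end   = Get-Date
$ops   = 'AnonymousLinkCreated', 'AnonymousLinkUsed', 'SharingSet',
         'SharingInvitationCreated', 'AddedToSecureLink'
$sessionId = "phi-sharing-$(Get-Date -Format yyyyMMddHHmmss)"
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $events += $page }
} while ($page)

# The detail lives in the AuditData JSON. Keep the shares that left the tenant:
# any anonymous-link event, or a share whose target is a guest account.
$report = $events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object {
        $_.Operation -like 'AnonymousLink*' -or $_.TargetUserOrGroupType -eq 'Guest'
    } |
    Select-Object CreationTime, Operation, UserId, SiteUrl, ObjectId,
                  TargetUserOrGroupName, TargetUserOrGroupType |
    Sort-Object CreationTime

$report | Export-Csv -Path .\external-sharing-last-90-days.csv -NoTypeInformation
$report | Group-Object Operation | Select-Object Name, Count   # quick summary
```

The CSV is the evidence base for the "who can access what" document: each row names the staff member who shared, the site and object, and the guest or link that received access. A session returns at most 50,000 records, so on a busy tenant narrow the window or loop by week.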
Real-cost comparison for a 25-clinician practice
| Item | M365 Business Premium | Google Workspace Business Plus | Box Business |
|---|---|---|---|
| Per-user license | $22/mo | $18/mo | $20/mo |
| 25 users, annual | $6,600 | $5,400 | $6,000 |
| Add-ons typically required | Defender for Office P2 ($31/mo) | None for the controls above; Vault is included in Business Plus | KeySafe ($150/user/year) |
| Backup (third-party) | $100/mo | $100/mo | $100/mo |
| Annual all-in | ~$8,000 | ~$6,600 | ~$11,000 |
List prices at the time of writing. Confirm current pricing and the BAA eligibility of your tier with each vendor before budgeting.
Decision framework
Already on Microsoft 365? → SharePoint/OneDrive. Don’t run two clouds unless you have a specific reason.
Already on Google Workspace? → Google Drive. Same rule.
Heavy external collaboration with referrers, labs, lawyers, or compliance auditors? → Box, alongside whichever productivity suite you run.
Starting from scratch (rare in 2026)? → SharePoint/OneDrive for most practices, due to EHR integration depth and the breadth of compliance tooling under one BAA.
The wrong answer is “all three at once with no governance.” We see practices with PHI sprawled across their M365 tenant, a personal Dropbox a former employee set up, and a Box account someone tried for a project — and no map of where any of it lives. Pick one primary, govern the second carefully, and forbid the third.
Where to start
If you’re not sure your current cloud storage is HIPAA-compliant, the quickest answer is a focused 60-minute review: BAA status, sharing controls, DLP coverage, audit logs, and one round of risk findings.
Schedule a free HIPAA cloud storage review →
Or call 1-650-300-7557.
Frequently asked questions
Can we use Dropbox for PHI?
Dropbox Business has a BAA available — but only on Advanced and higher tiers. Standard Dropbox does not.
What about iCloud, Personal Drive, Personal OneDrive?
None of these consumer services offer a BAA, so none of them can hold PHI. If any staff are using personal cloud storage for work files, that is an OCR finding waiting to happen; find it and shut it down before an auditor or a breach does.
Do we need to encrypt files before uploading?
No. All three platforms encrypt at rest server-side under the BAA, and pre-encrypting files is defense in depth rather than a compliance requirement. Keep the threat model straight, though: server-side encryption protects against the vendor's disks, not against your own over-sharing, and the breaches in the opening paragraph were sharing failures, not cryptographic ones.
How long do we have to retain PHI in cloud storage?
HIPAA defers to state retention laws and your own retention policy. Most practices retain medical records 6–10 years; longer for pediatric records.