HIPAA-Compliant Data Storage Practices for SMBs

Explore HIPAA-compliant data storage practices and practical strategies for SMBs to overcome the implementation challenges

The digital transformation of healthcare has simplified business operations, with appointment info, health records, and essential documents now stored electronically. As a result, the industry’s reliance on big data has surged. According to Fortune Business Insights, the global big data analytics market (with healthcare in the top three industries) was valued at $348 billion in 2024 and is projected to triple by 2032. Technologies like artificial intelligence continue to drive demand for big data, presenting both opportunities and challenges—especially when it comes to highly regulated electronic Protected Health Information (ePHI).  

Data storage in healthcare is regulated by HIPAA - Healthcare Portability and Accountability Act of 1996. To ensure compliance with HIPAA’s data storage requirements and protect ePHI from unauthorized access or loss, all HIPAA-regulated entities must implement strict security controls, including encryption, access controls, audit logs, and backup solutions.  

Small and medium-sized healthcare businesses (SMBs) handle large volumes of ePHI, which is often disproportionate to their expertise and financial capacity to handle those data securely. This makes them particularly vulnerable to accidental data loss, breaches, and HIPAA non-compliance.  

Let's explore HIPAA-compliant data storage practices and how SMBs can overcome the challenges of implementing them effectively.

HIPAA Requirements to Secure and Compliant ePHI Storage

Like most covered entities and business associates, healthcare SMBs commonly store data using the following solutions, each with distinct advantages and challenges:  

‍On-premises storage where ePHI is stored on physical servers or data centers within the organization’s premises. This model provides full control over data but requires significant expertise, resources, and maintenance. On-prem storage also lacks scalability and is highly vulnerable to physical disasters

Cloud storage uses remote servers to store and manage data. The data is stored on servers maintained by a cloud storage provider and accessed over the internet. With cloud storage, businesses gain scalability, efficiency, and automation, but they also face limitations in direct data oversight.  

Healthcare SMBs may also store data in hybrid environments ​​where features of on-premises and cloud storage are combined, allowing them to retain sensitive data in-house while leveraging the cloud for flexibility and scalability. Electronic Health Records (EHR) systems, SaaS solutions, and managed backup providers also belong to third-party data storage providers that SMBs often use to store ePHI.  

No matter where ePHI is stored - HIPAA sets strict requirements to ensure its confidentiality, integrity, and availability. Covered entities and business associates must implement physical, administrative, and technical safeguards to protect data from breaches, unauthorized access, and loss. Below is a set of HIPAA requirements for HIPAA-compliant data storage.  

1. Sign a HIPAA BAA with third-party data storage providers

If you use a third-party cloud storage provider, enter into a Business Associate Agreement (BAA with them. The BAA defines the responsibilities and obligations for protecting ePHI. By signing it, subcontractors agree to secure patient data and comply with HIPAA regulations.  

It is necessary to remember that cloud service providers follow a shared responsibility model. Under this model, a data storage provider is responsible for the security of the cloud storage service, which includes protecting the infrastructure, such as hardware, software, networking, and facilities. Customers are responsible for data storage security. In terms of HIPAA, data storage providers assume the majority of responsibilities for physical safeguards such as physical server security, employee access to systems, and data center access. On the other hand, cloud customers are responsible for the majority of HIPAA administrative safeguards and technical safeguards.  

2. Ensure robust data encryption in transit and at rest

HIPAA requires the implementation of strong data encryption mechanisms to encrypt all ePHI stored or transmitted across the data storage environment. HIPAA-covered SMBs are free to decide how they meet encryption requirements for PHI. They may use third-party data encryption solutions and tools when storing ePHI on-prem or use built-in encryption features if using cloud storage. We recommend using the AES-256 encryption algorithm for data at rest and TLS 1.2 or higher for data in transit. No matter what encryption tools they select, covered entities and business associates must ensure all their PHI is encrypted both in transit and at rest and procedures for managing encryption keys are established.

3. Ensure proper access controls are in place

Healthcare SMBs must carefully regulate access to ePHI to ensure that every action users take on systems, from logging in to accessing files, can be traced back to their identity. It is recommended that identity and access management (IAM) and role-based access (RBAC) be implemented to help keep track of access controls and identity management. IAM helps specify who or what can access services and resources in data storage and centrally manage fine-grained permissions. Assigning unique usernames for each workforce member to access the ePHI data storage is also necessary.

4. Implement data backup and retention

HIPAA-compliant data storage must also meet multiple HIPAA backup requirements When doing data backups, technical experts recommend following the 3-2-1 rule. In HIPAA-related context, the rule looks like the following:

• 3 copies of ePHI
• 2 different storage media
• 1 off-site copy in a secure location

Storing backups on at least two different media types ensures greater reliability, as one medium can compensate for the failure of another. Meanwhile, keeping one backup copy offsite protects against localized disasters like floods, fires, or theft, ensuring data recovery is possible even in extreme scenarios.  

5. Ensure security audit logs are collected and activities monitored

Audit logs should capture who accessed ePHI, what actions they performed (e.g., view, modify, delete), and when these activities occurred. In addition to user actions, logs should record system events such as login attempts (both successful and unsuccessful), configuration changes, and other relevant operational activities. Audit logs play a vital role in incident investigations and must be readily available to support the organization’s response to any security incidents. Businesses are free to decide how the audit logs are implemented, yet the built-in audit logs capabilities that most modern third-party data storage providers have are the optimal choice for SMBs.  

Read how audit logs are implemented in Goggle Workspace.  

6. Ensuring physical safeguards for all devices where ePHI is stored

While ePHI is stored digitally, physical safeguards still apply. For on-prem data storage, ensure all your hard drives, computers, and portable devices are physically secured from breach and data loss due to device loss, theft, natural disaster, and negligence.  

Third-party cloud storage providers take this share of responsibility on their own shoulders, ensuring they provide the appropriate physical safeguards at their data centers. These include biometric fingerprint scanners, armed security guards, locked server cabinets, and more.

Common HIPAA-Compliant Storage Challenges for SMBs

Although the HIPAA requirements are more or less clear, SMBs still face many challenges on the way to HIPAA-compliant data storage. Here are some of the most common ones:

Exponential growth of healthcare data

Research indicates that the healthcare sector is responsible for generating nearly 30% of the world's data. By 2025, healthcare data is projected to grow at a compound annual growth rate of 36%, surpassing industries like manufacturing, finance, and media. This surge in data volume presents significant challenges for SMBs making it increasingly difficult to implement the physical, administrative, and technical safeguards required to protect sensitive health information.

High costs of secure storage solutions

Implementing HIPAA-compliant storage, whether on-premises or in the cloud, requires investment in security controls, backup solutions, and encrypted storage. For SMBs with limited budgets, these costs can become a major barrier to compliance. Unlike large healthcare giants with networks of physical locations and IT security staff that often opt for on-prem data storage solutions and full control over their data, SMBs are more likely to rely on cloud storage is generally more cost-effective due to lower upfront costs, reduced IT maintenance, built-in security, and scalable pricing.  

See other ways SMBs can reduce cybersecurity costs.  

Lack of in-house IT & compliance expertise

Many SMBs are struggling to address a cybersecurity skills gap to configure and monitor secure data storage, leading to potential gaps in security. Many businesses don’t have dedicated IT or compliance teams, making it difficult to properly configure and manage secure data storage. Misconfigurations, poor access controls, and lack of monitoring can lead to data breaches and HIPAA violations.

Vendor compliance risks

SMBs often use third-party storage providers, but not all vendors meet HIPAA security requirements. Without a BAA and proper vetting, businesses risk non-compliance and potential breaches. Furthermore, vendors who don’t implement necessary security protocols or fail to regularly update their systems may increase the risk of data breaches. Therefore, SMBs must thoroughly vet vendors to ensure they comply with HIPAA standards and protect sensitive healthcare data.

Managing data across multiple data storage solutions

In today’s healthcare landscape, data is rarely stored in just one place. Electronic Protected Health Information (ePHI) is often spread across on-premises servers, cloud platforms, third-party applications, and even employee devices, making compliance enforcement a complex and ongoing challenge.  

Without the necessary resources to implement HIPAA security requirements, SMBs may be at risk of losing critical data and damaging their reputation. SMBs can minimize these challenges by doing the following:

• know your data: classify & monitor PHI;
• conduct regular risk assessments & security audits;
• implement strong data retention & disposal policies;
• consider migrating to a HIPAA-compliant cloud
• partner with HIPAA compliance experts.

7 Cloud Data Storage Providers for HIPAA-Covered SMBs

The power of cloud storage for SMBs is that it offers a cost-effective and scalable solution for storing data because you pay as you go. It eliminates the need for expensive infrastructure, maintenance, dedicated staffing, and capacity planning. Let’s see the top cloud providers offering secure and compliant data storage.  

1. AWS

Amazon Web Services (AWS) is among the most popular cloud storage providers. It signs BAA allowing you to process, store, and transmit PHI securely. Pay attention to AWS HIPAA-eligible services when using AWS for e-PHI storage. AWS offers more than a hundred HIPAA-eligible services with features that help organizations implement the necessary HIPAA safeguards and controls. However, the responsibility for configuring these services in a compliant manner always lies on the customer.  

Read more on HIPAA compliance in the AWS cloud.  

2. Google Cloud (GCP)

While it may not be common knowledge, Google Cloud is HIPAA-compliant. Google Cloud emphasizes that HIPAA compliance is a shared responsibility but agrees to sign a BAA. However, it recommends customers limit the use of PHI in any context not covered by the BAA.  

3. Microsoft Azure

Microsoft Azure offers HIPAA-compliant data storage solutions for healthcare organizations. By signing BAA with their clients, Azure ensures that sensitive patient information is protected in accordance with HIPAA requirements. Azure also provides tools for managing compliance, such as auditing and monitoring capabilities, making it easier for businesses to maintain regulatory standards.  

‍AWS, Google Cloud, and Azure provide data storage, infrastructure, and development tools that SMBs may use compliantly. However, when it comes to sharing data among individuals, SMBs are recommended to use the following services:

4. Google Workspace

Google Workspace is a HIPAA-compliant communication and collaboration solution that has data storage functions. To use Google Cloud compliantly, customers must:

• use a paid Google Workspace subscription
• use only HIPAA-compliant Workspace offerings;
• configure Google Workspace correctly to support HIPAA compliance.

One of the best examples is Google’s HIPAA Implementation Guide, which provides a step-by-step guide to configuring all the “core services” covered by its Business Associate Addendum to the Service Agreement.

5. Microsoft 365

Microsoft 365 offers HIPAA-compliant data storage solutions through its suite of cloud-based applications, including OneDrive, SharePoint, and Teams. These services feature built-in security measures like data encryption, access controls, and advanced threat protection to ensure that Protected Health Information (PHI) is stored securely and in compliance with HIPAA regulations. Microsoft 365 also provides tools for tracking and managing compliance, including audit logs, secure email, and eDiscovery capabilities.  

6. Dropbox

Dropbox is a well-known file-sharing platform that signs BAA with HIPAA-covered entities. Its framework includes protections like permissions, 2FA, SSO, and business associate agreements. Dropbox also offers a free 30-day trial to see if the platform is the right fit for your practice.

7. Box

Like other data storage solutions, Box offers businesses sensitive data storage that, if properly configured, may be HIPAA compliant. Box signs BAAs with all clients that store PHI in the Box cloud. In addition, this platform features end-to-end encryption, physical controls, audit trails, employee security training, and secure data center facilities.  

Ensure HIPAA-Compliant Data Storage with Planet 9

While most data storage and collaboration solutions offer technical tools that help meet HIPAA compliance, human oversight is still necessary. Ensuring compliance with HIPAA involves a comprehensive approach that extends beyond a reliable storage solution. All these solutions require proper configurations, regular risk assessments, and thorough policies and procedures to manage and respond to security incidents effectively. Unfortunately, SMBs often are unable to cover all these areas. This is why partnering with HIPAA compliance experts is the right choice.  

‍Planet 9 HIPAA-compliance services offer a comprehensive approach to ensuring and maintaining HIPAA compliance and include:

• Conducting a discovery to understand the client’s organization, business processes, and technologies
• Performing a HIPAA evaluation to identify safeguards in place and compliance gaps.
• Performing a risk assessment to identify risks to PHI.
• Developing a roadmap for addressing the identified compliance gaps and risks
• Assisting the client in executing the roadmap.
 

You can also utilize the Planet 9 HIPAA Vitals application to assess your HIPAA compliance. The HIPAA Vitals assessment is based on several reputable sources, including the Office of Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and years of experience implementing HIPAA requirements in different organizations by our professionals.  

Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!