Choosing a HIPAA Compliant File Sharing Platform

Most organizations who use PHI need file-sharing services like Google Drive, Dropbox, or Slack.

In this post, we will review what to keep in mind when selecting a cloud platform to best fit your organization’s needs.

Will the File Sharing Platform Vendor Sign a BAA?

First make sure the vendor will sign a Business Associate Agreement with you. If you cannot establish a BAA, then move on to the next option. For details on determining whether a vendor will sign a BAA agreement, check out our blog post on Choosing HIPAA Compliant Software.

Skip the Basic Plans

Prepare to let go of any hope that HIPAA compliance can be achieved with the basic or free plans offered by file sharing platforms. Select an appropriate professional plan to gain access to critical features for HIPAA compliance, like role-based permissions, user activity monitoring, encryption key management, and integrity controls.

How Well Do You Understand the Security Settings?

We recommend performing a thorough review of the HIPAA security settings available for the file sharing platform your team is using. Each platform should provide documentation about the security controls available for their services. For example, users of Microsoft Azure Files can reference the Azure HIPAA/HITECH Act Implementation Guidance. If you are not able to find adequate documentation and lack the resources in-house to properly configure your software, the HIPAA compliance team at Gazelle Consulting can help, schedule a free initial consultation today.

Have You Documented Security Configuration Settings?

Taking advantage of all the available security settings that support HIPAA compliant file-sharing is only the beginning. The National Institute of Standards and Technology has released a Guide for Security-Focused Configuration Management of Information Systems that suggests, “Configuration management is an important process for establishing and maintaining secure information system configurations, and provides important support for managing security risks in information systems.“ This guidance from NIST confirms that documenting required settings can help you meet HIPAA administrative safeguard requirements for the security management process and risk management.  Documentation of security configurations should be used to periodically review current settings and make sure no unauthorized changes have occurred. Security configuration documentation can also be referenced from disaster recovery plans in order to quickly get critical systems set up again after a disaster.


There is a lot to consider when choosing software for your business or organization. When choosing a HIPAA-compliant file sharing platform, be sure to keep in mind the following:

  • Ensure that the platform will sign a Business Associate Agreement (BAA)
  • Skip basic or free plans
  • Confirm security settings by looking over the platform’s security documentation
  • Regular review platform documentation and security configuration settings

Do you need assistance in choosing a HIPAA-compliant file sharing platform? Gazelle Consulting is here to help!

Call us at 1-503-389-5666 or email us at We make compliance feel like a grassy savanna!

Nav close