Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

HIPAA Compliant Cloud Backup Services – Which One Fits Your Needs?

HIPAA compliant cloud backup is a must for all businesses that store sensitive data, like PHI (Protected Health Information). It is a storage strategy that makes an identical copy of your information and transfers it via the Internet to an off-site server. Data can then be recovered from any location with an Internet connection.

In this post, we explain the importance of HIPAA compliant cloud backups and review five vendors who offer this service: ArcServe, Carbonite, IDrive, Microsoft Azure, and SpiderOak. Please note: companies are listed in alphabetical order, not ranked. We divide our reviews into three sections: security and features, installation and use, and cost.

What is HIPAA Compliant Cloud Backup?

Once you select a HIPAA compliant cloud backup vendor, they install their software package on your computer(s). You then select the files and folders you want to backup. Depending on how many files you’ve chosen, this first backup could take hours to complete. Once you have set up the software, it runs ‘behind the scenes’ continuously, saving and storing your updated data on a regular basis.

Encryption is an extremely important part of HIPAA compliant cloud backup. Files should be encrypted so that if the off-site server is hacked, you won’t lose the data. HIPAA compliant cloud backup vendors provide encryption as a standard feature.

Don’t confuse cloud storage with cloud backup; the differences are significant. While both services store your files at an offsite location, cloud backup is a software-based solution that automates the backup process for you. Your files are backed up to the cloud while the backup software lives on your computer, working silently in the background as it backs up files. Cloud backup plans have large data capacities and are built to most or all data on your computer. Cloud storage is designed for sharing files with others. Should you experience computer data loss, the only files that you can recover are the ones you stored in a cloud storage account. Anything local would be gone forever.

Your business may have a hybrid solution including internal servers and cloud storage with data automatically backed up to the cloud. The server gives you fast access to files locally. Backing up to the cloud gives you the confidence your data is available and accurate.

HIPAA Compliant Cloud Backup Vendors

Cloud backup is a convenient, reliable way to protect and recover your mission-critical data. The responsibility of keeping your data secure is too big and too risky for many small to medium-sized companies. Options like external hard drives or thumb drives are not considered a good solution because they require too much manual work. With cloud data backup, you can stay focused on your business goals, employees, and customers. 

Any organization that works with Protected Health Information (PHI) must ensure that they are HIPAA compliant and that their Business Associates are HIPAA compliant. If you’re working with PHI and use a cloud backup vendor, that company is your Business Associate and, by law, you must have a signed Business Associate Agreement with that company. While there are many cloud backup options, each of the following are willing to sign that HIPAA Business Associate Agreement.

ArcServe: The HIPAA Compliant Backup Solution That Lets You Pay for What You Use

Security and Features of ArcServe

ArcServe offers a variety of solutions for clients who need to comply with government regulations, like HIPAA, GDPR, SOX, etc. However, in our review, we are focusing on their ArcServe UDP solution because we believe it is the best solution for small and medium sized businesses. However, ArcServe is able to provide HIPAA compliant cloud backup services for organizations of all sizes.

ArcServe UDP offers a complete solution for all your data backup needs. UDP unifies data across all platforms and provides centralized data management through one global dashboard. “Backed by heterogeneous, image-based technology that protects to and from any target, it’s the first of its kind to combine enterprise-ready features without the complexity of traditional enterprise solutions.”

Security benefits include: file archiving, workstation protection, bare metal recovery, granular recovery (file and image recovery from a single backup), global deduplication (prevents redundancy in backups), and the capability to securely backup all company data from multiple devices, servers, and locations.

Installation and Use of ArcServe

ArcServe UDP promises a quick and easy setup that requires only “a few clicks.” Admins create data stores on the recovery point server, select the information they wish to protect, and choose a storage destination for the information. Destinations may include local folders, remote shared folders, or an RPS (Recovery Point Server). ArcServe UDP integrates with other services the company uses, like email, to securely store any type of data the company is required to archive.

This program is compatible with a variety of platforms, including: Windows, Linux, Amazon EC2, Microsoft Azure, Office 365 (Exchange Online, SharePoint Online and OneDrive for Business), Microsoft Exchange, MS SQL, file servers, Microsoft IIS, Microsoft Active Directory, Oracle Database, PostgreSQL, VMware vSphere (agentless), Microsoft Hyper-V (agentless) and Nutanix AHV.

Cost of ArcServe

ArcServe works with clients to create custom solutions for their business. You pay only for what you use. Additionally, they offer a free trial for all of their solutions. 

Atlantic.Net HIPAA-Compliant Cloud Backup

Every Atlantic.Net HIPAA-Compliant Server has access to the Atlantic.Net Cloud Platform backup service. The ACP Backup Platform includes intuitive backup and replication options, making the end-to-end process simple to use with rock-solid reliability. Atlantic.Net takes care of the service configurations, schedules, and validations on behalf of your team, so there is no need to worry if your backups are running.

Atlantic.Net administers all of the complexity ensuring your data is backed up, the backup service provides standard and customizable Onsite and Offsite Backup routines, and the Replication options are a game-changer for mission-critical applications. Atlantic.Net engineers keep the service running 24x7x365. It’s that simple!

Security and Features of Atlantic.Net

Audited and verified to HIPAA, HITECH, SOC 2, and SOC 3 standards means that our business processes are proven to be compliant to the highest of security standards. The Atlantic.Net Security Operations Center (SOC) is staffed around the clock to support the carefully controlled secure cloud platform.

The fully managed and compliant HIPAA security services bring focus to your core competencies. Security services include HIPAA Intrusion Prevention System, Anti-Malware Protection, Dedicated Firewalls, Encrypted VPN, Log Inspection, Security Integrity Monitoring, and Network Security.

Installation and Use of Atlantic.Net

Atlantic.Net’s HIPAA-compliant cloud platform is architected to the highest security standards, and the company handles all aspects of installation, deployment, security hardening, and quality control for the software-defined ACP Backup solution, with all safeguards exceeding HIPAA compliance requirements. The customer’s responsibility is to outline the resources and frequency required for systems to back up, and Atlantic.Net will handle the rest for a HIPAA Secure Cloud deployment, along with the required encryption at rest and encryption in transit for data in the different backup scenarios.

Cost of Atlantic.Net

The pricing is determined by onsite or offsite location, backup frequency, and retention points. ACP Onsite Daily Backups with 30 retention points is simply $0.10/GB with no possible overages. This way you and your team do not have to worry about surprise bills. Atlantic.Net also allows mix and matching of different backup services to ensure the backups match exactly what your disaster recovery plan calls for.

For more information, visit www.atlantic.net

Carbonite: Affordable HIPAA Compliant Cloud Backup for Small and Medium-Sized Businesses

Security and Features of Carbonite

Carbonite offers two HIPAA compliant cloud backup solutions: Carbonite Safe Backup Pro and Carbonite Safe Server Backup.

For users with up to 25 computers and one server, they recommend Carbonite Safe Backup Pro. This program includes 250 GB of storage for automatic HIPAA compliant cloud backup for computers, external storage devices, and NAS (Network Attached Storage) devices. This program protects files against deletion by human error, hardware failures, and ransomware. All data is encrypted at a 128-bit standard at rest, in storage, and in transit. NAS and EHD (external hard drive) backup are supported.

The Carbonite Safe Server Backup offers all the same benefits of Carbonite Safe Backup Pro with the added capability to perform bare-metal restore for physical and virtual servers. Additionally, this system supports an unlimited number of servers and offers 500GB of HIPAA compliant cloud backup storage. Data is backed up using 128-bit or 256-bit encryption.

Installation and Use of Carbonite

Both of Carbonite’s HIPAA compliant cloud backup services promise an easy installation with their Remote Deployment feature. All files can be accessed from anywhere through their web-based dashboard. Customer service representatives are available 7 days a week via phone call, chat, or email. 

Carbonite Safe Backup Pro works with Windows 7+ and OS X 10.7+ systems. Carbonite Safe Server Backup works with Windows 7+, OS X 10.7+, Windows Servers 2003+, System State (including Registry & Active Directory), SQL, Exchange, Exchange Online, SharePoint, Hyper-V, and MySQL. Image backup and bare-metal restore require 64-bit hardware.

Cost of Carbonite

Both of Carbonite’s HIPAA compliant cloud backup solutions require a one year commitment. Clients using Carbonite Safe Backup Pro will pay $24/month for a total of $287.99 annually. Carbonite Safe Server Backup offers two tiers for payment; the Power plan is for clients with one server. They pay $50/month for an annual total of $599.99. Companies with multiple servers are on the Ultimate plan, which costs $83.34/month. You may add additional storage to your plan at a rate of $99 per 100 GB/year.

If you sign up for a two-year subscription for either product, you will receive a 5% discount and for a three-year subscription, a 10% discount.

IDrive:  HIPAA Compliant Backup Solution With Options for Every Company’s Storage Needs

Security and Features of IDrive

IDrive has a HIPAA compliant cloud backup solution for just about everyone. One great feature of this program is that the benefits and features it offers are not tiered. All users with IDrive accounts access the services, regardless of how much they pay per month.

IDrive secures all data with 256-bit encryption. They allow multiple devices to be associated with a single account, so the program can easily be run from mobile devices as well as desktops. To protect against human error, IDrive offers a feature they call “true archiving.” No data is deleted from your IDrive account until you manually delete it or perform an “archive cleanup” to get rid of any account data no longer on your computer. Additionally, users can restore files from trash on the desktop application or browser within 30 days.

Installation and Use of IDrive

IDrive takes pride in offering an extremely efficient and easy to use product. They offer incremental backups, meaning that only the modified portion of the file re-uploads in order to save time. This prevents the backup from slowing the users device or network speed, so they can continue to work through backups. Snapshot gives users the ability to restore their data from a specific point; IDrive retains up to 30 previous versions of all files backed up to an account.

They offer a mobile account management option through the use of their app, which is available through the AppStore for iPhones and the Google Play store for Androids. The programs can be used on Windows or Mac systems, and for Linux/Unix servers. They offer their service to users of all operating systems, even those released before 2011. Visit this page to learn more or install IDrive on your device. 24/7 support is available via chat, email, and phone from 6:00 A.M. to 6:00 P.M. PST.

Cost of IDrive

The cost of IDrive’s HIPAA compliant cloud solution depends on the amount of storage users need. Their business solution, which we recommend for clients who need to comply with HIPAA, allows unlimited users and unlimited computers and servers. Data storage capabilities range from 250 GB ($76.42/year) to 12.5 TB ($2,249.62/year). Learn more about IDrive’s pricing tiers here. IDrive offers a free 30-day trial for their enterprise solution.

Microsoft Azure: A Great HIPAA Compliant Cloud Backup Option for Microsoft Users

Security and Features of Microsoft Azure

Microsoft Azure Backup is the Azure-based service you can use to protect and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.

Default 256-bit data encryption allows for secure transmission and storage of your data in the public cloud. Azure’s backup and storage services encrypt data at rest and in motion. It’s also compressed to reduce network bandwidth usage and storage space. You store the encryption passphrase locally, and it is never transmitted or stored in Azure. This capability keeps data backup wait times low. They offer the ability to backup Azure virtual machines SQL workloads, and on-premise devices without additional infrastructure.

Admins can turn on multi-factor authentication through the Azure portal. Unauthorized deleted backups are retained for two weeks, to prevent clients from accidentally losing critical data. Azure is equipped to handle HIPAA compliant clients, as they work with many large healthcare clients currently.

Installation and Use of Microsoft Azure

To start using Azure Backup, you must have an Azure subscription. The easiest way to start using Azure Backup is to set up a subscription with a free trial that Microsoft offers on any Azure product for 30 days and includes a $200 free credit. Once you have a subscription, you log in to Azure and navigate to the Azure Management Portal.

From the Portal, Azure Backup is available through the Recovery Services selection. From there, you create a backup vault and navigate to that vault, where you download files that connect your PCs or servers to the vault. Microsoft offers significant training on installation and use.

Azure uses VSS snapshot (for Windows) and fsfreeze (for Linux) so users may restore their data from a specific point in time, in case it is ever lost. Activate these features from Azure’s centralized management portal.

Azure’s HIPAA compliant backup service integrates with a number of programs, including Microsoft SharePoint, Microsoft Exchange, Windows Server, Linux, Microsoft SQL Server, and more. Azure lets you choose what data center you want to store your data in, and there are 34 regions around the world. You can pick one location known as locally redundant storage (LRS) nearest you to optimize data transfer speeds. Another storage option known as geo-redundant storage (GRS) includes storage at two geographically different locations and is typically meant for businesses with a global user base.

Cost of Microsoft Azure

In order to use Azure’s HIPAA compliant cloud backup services, you must already have a Microsoft Azure subscription. This includes access to subscription management support (e.g. billing, quota adjustment, account transfer) at no additional cost. In addition, Microsoft Azure subscriptions include access to the Azure Status Dashboard and the Azure Forums to help you troubleshoot issues. Beyond these free support options, additional support plans are offered at different cost tiers, as well.

As mentioned previously, Azure offers a free 30-day trial of their subscription which includes  a $200 credit that may be applied to future purchases, if customers decide to commit to this system. Once you purchase an Azure subscription, you are charged on a pay-per-use model. Users pay only for the services they need, based on the number of devices, servers, locations, etc. You can calculate the cost here.

SpiderOak: The HIPAA Compliant Cloud Backup Services Trusted by Government Administrations

Security and Features of SpiderOak

SpiderOak offers a HIPAA compliant cloud backup service called One Backup. Their system encrypts data at rest, in storage, and in transit, as HIPAA requires. SpiderOak takes pride in their No Knowledge Policy: they have no knowledge or record of users’ passwords, any data stored on their servers, or metadata associated with customer files.

One Backup offers a secure file sharing feature which grants users the ability to create temporary self-destructing files in the system. Other features include their point in time recovery. Users may access historical versions of their data and deleted files with no time limit or restrictions. Lastly, SpiderOak boasts its professional relationship with military and governmental entities. Their program keeps the most confidential data in the world secure, and they are confident their service can adequately protect your business.

Installation and Use of SpiderOak

SpiderOak’s One Backup operates on many systems, including Linux, Mac, and Windows. Their mobile app, which is available for both iPhones and Androids, syncs with the desktop platform so data is consistent across devices. Easily install the program by visiting this page on their website or download the app from the Google Play store or the App Store.

Cost of SpiderOak

The cost of your SpiderOak plan depends on the amount of storage needed. Prices are as follows: $6/month ($69 annually) for a 150 GB plan, $11/month ($115 annually) for a 400 GB plan, $14/month ($149 annually) for a 2 TB plan, and $29/month ($320 annually) for a 5 TB plan. All plans work on an unlimited number of devices. SpiderOak also offers a 21 day free trial to new customers.


In conclusion, each of these vendors offer a secure HIPAA compliant cloud backup service. You cannot go wrong choosing ArcServe, Carbonite, IDrive, Microsoft Azure, or SpiderOak. Read through each description, and select the service that best fits your needs. Remember, HIPAA compliant cloud backup is only one piece of the compliance puzzle. Make sure you’ve conducted a Risk Assessment, created Privacy and Security Policies and Procedure, Business Associate Agreements, and all the other necessary documents. You must retain documents for at least six years, unless your state’s requirement is more stringent. Lastly, ensure the protection of data at rest, in storage, and in transit. If you have any questions about HIPAA compliance or HIPAA compliant cloud backup services, please reach out to us!

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2022

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

Microsoft End of Support for 2023

Microsoft End of Support for 2023

Each year, we publish Microsoft’s End of Support list because using up-to-date software is essential for HIPAA compliance. Microsoft will terminate support for earlier versions of a long list of its...

Top 10 Total HIPAA Blog Posts of 2022

Top 10 Total HIPAA Blog Posts of 2022

Throughout 2022, Total HIPAA has focused on providing information that will keep your organization HIPAA compliant and secure by blogging on relevant topics that matter. This is our last blog of...

Why Insurance Agents Need to Be HIPAA Compliant

Why Insurance Agents Need to Be HIPAA Compliant

The world of HIPAA compliance is often confusing and complex. It can be hard to tell what exactly the standards and requirements are and to whom they apply. Whether you’re an insurance agent or do...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)