๐ New 2026 HIPAA Security Rule changes are here. Download the Free 2026 HIPAA Compliance Checklist โ
A HIPAA Business Associate Agreement is required before storing Protected Health Information in any cloud service. AXIS CloudSync provides a BAA on the Franchise plan and above โ at no additional cost, and at $18/user/mo, the lowest BAA-eligible price in the market.
Included on Franchise Plan & Above
No additional cost
1 Business Day
Average BAA turnaround
Covered & Business Associates
Both entity types supported
BAA Contents
Our standard BAA is drafted to meet all HIPAA requirements for Business Associate Agreements under 45 CFR ยง 164.504(e).
Defines the specific ways AXIS CloudSync may use or disclose PHI on your behalf โ limited to providing and supporting the service.
Documents the administrative, physical, and technical safeguards AXIS CloudSync implements to protect PHI, including AES-256 encryption and access controls.
Establishes that Axcient (our infrastructure provider) is bound by equivalent BAA obligations as a sub-processor of PHI.
Specifies our obligation to notify you of any security incident or breach involving PHI within the timeframes required by the HIPAA Breach Notification Rule.
Describes how we support your obligations to provide individuals with access to, amendments to, and an accounting of disclosures of their PHI.
Covers what happens to PHI upon termination of the service agreement, including our obligation to return or destroy PHI.
Process
Email [email protected] with subject line 'BAA Request' or use the Contact form below. Include your organization name and the email address associated with your AXIS CloudSync account.
We will send you our standard BAA via DocuSign within 1 business day. The BAA is a standard HIPAA-compliant agreement. You may request modifications for enterprise accounts.
Once the BAA is countersigned, you are authorized to store PHI in AXIS CloudSync. We recommend completing the HIPAA setup checklist in our tutorials before uploading any PHI.
Storing Protected Health Information in a cloud service without a signed BAA is a HIPAA violation that can result in civil monetary penalties ranging from $100 to $50,000 per violation. Ensure your BAA is signed before uploading any patient data.
Yes. Under HIPAA, a Business Associate Agreement must be executed before any Protected Health Information is stored in a cloud service. Using AXIS CloudSync for PHI without a BAA in place puts your organization at risk of HIPAA violations.
We aim to send the BAA within 1 business day of your request. The signing process via DocuSign typically takes less than 10 minutes. You can begin storing PHI as soon as both parties have signed.
No. A BAA is available at no additional cost on all paid AXIS CloudSync plans.
Enterprise accounts may request modifications to the standard BAA. Please contact us to discuss your requirements. Standard modifications for common enterprise needs (e.g., specific subcontractor lists, custom breach notification timelines) can typically be accommodated.
The BAA covers PHI stored in your AXIS CloudSync account. It does not change the nature of non-PHI data, which is governed by our standard Terms and Conditions and Privacy Policy.
Business Associates who use AXIS CloudSync to process PHI on behalf of a Covered Entity also need a BAA with us. In this case, AXIS CloudSync acts as a sub-Business Associate. The BAA process is the same.
For more on HIPAA compliance with AXIS CloudSync:
View Full HIPAA Compliance Overview