AXIS CloudSync is designed to support HIPAA compliance for healthcare organizations, business associates, and any organization handling Protected Health Information (PHI). This page documents how our platform maps to the HIPAA Security Rule's required and addressable safeguards.
256-bit AES: Encryption at rest & in transit
Immutable Audit Logs: Every file event captured
BAA from $18/user: Franchise plan & above
SOC 2 Certified: Independently audited
Security Rule Mapping
The HIPAA Security Rule requires three categories of safeguards. Here is how AXIS CloudSync addresses each one.
Security Management Process: Audit logs capture all file access, sharing, and admin events. Exportable for risk analysis.
Workforce Training Support: Role-based access controls limit what each user can see and do. Permissions are enforced at the folder level.
Access Management: Administrators can provision, modify, and revoke user access instantly from the admin console.
Contingency Planning: Point-in-time Snapshot restore and ransomware rollback provide data recovery capabilities.
Facility Access Controls: Axcient data centers use biometric access, 24/7 security personnel, and CCTV monitoring.
Workstation Security: Remote wipe capability allows administrators to erase data from lost or stolen devices.
Device Controls: Administrators can restrict sync to approved devices and revoke device access remotely.
Access Control: Unique user IDs, role-based permissions, and automatic session timeouts.
Audit Controls: Immutable audit logs record every file access, modification, share, and download with user, timestamp, and IP.
Integrity Controls: File checksums verify data integrity. Version history detects unauthorized modifications.
Transmission Security: All data transmitted using TLS 1.2 or higher. 256-bit AES encryption at rest.
Two-Factor Authentication: Enforced 2FA for all users accessing ePHI. Configurable at the organization level.
Under HIPAA, a Business Associate Agreement must be in place before any Protected Health Information is stored in a cloud service. Contact us to request your BAA — included on the Franchise plan ($18/user/mo) and above.
Yes. A BAA is available upon request for all paid AXIS CloudSync plans. The BAA establishes our obligations as a Business Associate under HIPAA and covers the handling of Protected Health Information (PHI). Contact us at [email protected] to request a BAA.
AXIS CloudSync provides the technical infrastructure and controls required to support HIPAA compliance, including AES-256 encryption, audit logs, access controls, two-factor authentication, and BAA availability. However, HIPAA compliance is a shared responsibility — your organization must also implement appropriate administrative and physical safeguards.
All PHI stored in AXIS CloudSync is encrypted at rest using 256-bit AES encryption. All data transmitted between your devices and our servers is encrypted in transit using TLS 1.2 or higher. Encryption keys are managed using industry-standard key management practices.
Access to your data is restricted to authorized personnel who need it to operate and support the service. We apply the HIPAA minimum necessary standard. All access to PHI is logged and auditable through the AXIS CloudSync audit log system.
AXIS CloudSync maintains immutable audit logs that record every file access, modification, share, and download, along with the user identity, timestamp, and IP address. These logs can be exported in formats suitable for OCR audits and internal compliance reviews.
In the event of a breach affecting PHI, we will notify you as required by the HIPAA Breach Notification Rule, including within 60 days of discovery for breaches affecting 500 or more individuals. We maintain an incident response plan and conduct regular security reviews.