📋 Free Download: 2026 HIPAA Compliance Checklist — updated for the latest OCR enforcement priorities. Get it free →

HIPAA Compliance 8 min read

Minimum Security Baseline Guidelines

These are the required security settings for all HIPAA-covered entities and business associates using AXIS CloudSync. Configure these settings before going live with any ePHI to ensure your environment meets OCR standards.

Baseline Overview

The HIPAA Security Rule requires covered entities to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI. The following settings represent the minimum configuration required to use AXIS CloudSync in a HIPAA-compliant manner.

Important

Failure to configure these settings before storing or transmitting ePHI through AXIS CloudSync may constitute a HIPAA violation. Review each section carefully and document your configuration in your organization's Risk Analysis.

Authentication Requirements

SettingRecommended ValueWhere to Configure
Two-Step AuthenticationRequired for all usersAdmin → Settings → Policies (Require Two-Step Authentication checkbox)
Password ExpirationForce change every 90 days or fewerAdmin → Settings → Policies (Force Password Change After)
Session Timeout15–30 minutes of inactivityEnforced by your identity provider or SSO solution; not a configurable setting in AXIS CloudSync
Failed Login LockoutLock after 5–10 failed attemptsHandled automatically by the AXIS CloudSync platform; not a configurable admin setting
API Token Expiration30 days or fewerAdmin → Settings → Policies (Deactivate API Tokens After)

Important

The 2026 HIPAA Security Rule updates make multi-factor authentication a required implementation specification (no longer addressable). All users must have 2FA enabled before accessing any ePHI.

Access Control

  • Principle of Least Privilege: Grant users only the minimum access they need to perform their job. Use Read Only permissions where write access is not required.
  • Role-Based Access: Use Team Shares with specific permission levels rather than giving all users access to all files.
  • Regular Access Reviews: Review user permissions quarterly. Remove access for users who no longer need it.
  • Prompt Deprovisioning: Suspend or delete accounts immediately when an employee leaves or changes roles.
  • Guest Access Controls: Require administrator approval for all guest account creation.

Sharing Restrictions

AXIS CloudSync does not have a single toggle to restrict all sharing — sharing controls are managed through a combination of user permissions, Team Share settings, and administrator oversight. Apply the following practices to reduce the risk of unauthorized ePHI disclosure:

  • Use Team Shares with explicit permissions: Grant users access only to the specific Team Shares they need. Avoid giving all users access to all folders.
  • Set share expiration dates: When creating secure share links, always set an expiration date. For ePHI, limit share links to 7 days or fewer.
  • Use password-protected shares: Enable password protection on any share link that may contain ePHI before sending it externally.
  • Review active shares regularly: Audit open share links in the Admin Console under Shares. Revoke any shares that are no longer needed.
  • Limit guest account creation: Require administrator approval before any guest accounts are created. Guest accounts should have the minimum access necessary.
  • Train users on sharing policies: Users should understand that share links for ePHI must always include expiration and password protection. Document this in your organization's HIPAA policies.

Important

There is no single policy toggle to block all unprotected shares. Sharing controls must be enforced through user training, periodic audits of active shares, and administrator oversight of guest accounts.

Audit & Monitoring

  • Enable audit logging for all user and admin actions (enabled by default — verify it is not disabled).
  • Configure log retention for a minimum of 6 years to meet HIPAA documentation requirements.
  • Set up automated compliance reports to be delivered to your compliance officer monthly.
  • Review failed login reports weekly to detect unauthorized access attempts.
  • Investigate any anomalous access patterns: after-hours access, bulk downloads, access from unusual IP addresses.

Encryption

AXIS CloudSync provides the following encryption protections automatically — verify these are active for your account:

  • In Transit: All data is encrypted using TLS 1.2 or higher during transmission.
  • At Rest: All data is encrypted using AES-256 encryption on AXIS CloudSync servers.
  • End-to-End: Files are encrypted before leaving your device and decrypted only by authorized users.
  • Key Management: AXIS CloudSync manages encryption keys. For organizations requiring customer-managed keys (CMK), contact your account manager.

Compliance Checklist

  • ☐ Two-Step Authentication enforced for all users
  • ☐ Password policy configured (minimum length, complexity, expiration)
  • ☐ Session timeout set to 15–30 minutes
  • ☐ Failed login lockout enabled
  • ☐ Share expiration policy communicated to all users (7 days or fewer for ePHI)
  • ☐ Password protection required on all external share links containing ePHI
  • ☐ Active shares audited and unnecessary shares revoked
  • ☐ Audit logging verified as active
  • ☐ Log retention set to 6+ years
  • ☐ Automated compliance reports scheduled
  • ☐ User access reviewed and least-privilege applied
  • ☐ Guest access policy configured
  • ☐ Employee offboarding procedure documented
  • ☐ BAA requested and executed with AXIS CloudSync (available upon request)
  • ☐ Security baseline documented in Risk Analysis

Tip

Download the 2026 HIPAA Compliance Checklist from the AXIS CloudSync resource center for a comprehensive audit-ready checklist that covers all HIPAA Security Rule requirements, not just AXIS CloudSync configuration.
Back to All Tutorials
Schedule a Demo