Baseline Overview
The HIPAA Security Rule requires covered entities to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI. The following settings represent the minimum configuration required to use AXIS CloudSync in a HIPAA-compliant manner.
Authentication Requirements
| Setting | Required Value | Where to Configure |
|---|---|---|
| Two-Step Authentication | Required for all users | Admin → Settings → Policies |
| Minimum Password Length | 8 characters minimum (12+ recommended) | Admin → Settings → Policies |
| Password Complexity | Uppercase, lowercase, number, special character | Admin → Settings → Policies |
| Session Timeout | 15–30 minutes of inactivity | Admin → Settings → Policies |
| Failed Login Lockout | Lock after 5–10 failed attempts | Admin → Settings → Policies |
Access Control
- Principle of Least Privilege: Grant users only the minimum access they need to perform their job. Use Read Only permissions where write access is not required.
- Role-Based Access: Use Team Shares with specific permission levels rather than giving all users access to all files.
- Regular Access Reviews: Review user permissions quarterly. Remove access for users who no longer need it.
- Prompt Deprovisioning: Suspend or delete accounts immediately when an employee leaves or changes roles.
- Guest Access Controls: Require administrator approval for all guest account creation.
Audit & Monitoring
- Enable audit logging for all user and admin actions (enabled by default; verify it has not been disabled).
- Configure log retention for a minimum of 6 years to meet HIPAA documentation requirements.
- Set up automated compliance reports to be delivered to your compliance officer monthly.
- Review failed login reports weekly to detect unauthorized access attempts.
- Investigate any anomalous access patterns: after-hours access, bulk downloads, access from unusual IP addresses.
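As an added illustration (not AXIS CloudSync's own tooling), the following Python checks a constructed audit export for the patterns listed above: after-hours access, bulk downloads, activity from addresses outside a known network, and repeated failed logins at the lower end of the baseline's lockout range. The log line format, office network, business hours and thresholds are assumptions to replace with your own.

```python
import ipaddress
from collections import Counter
from datetime import datetime, time

# Constructed sample export; the line format is an assumption, not the product's real one.
# Fields: timestamp, user, action, source IP. 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice download 203.0.113.10
2024-03-04T09:13:44 alice download 203.0.113.10
2024-03-04T09:15:02 alice download 203.0.113.10
2024-03-04T23:41:09 bob download 203.0.113.11
2024-03-04T10:02:17 carol login_failed 198.51.100.7
2024-03-04T10:02:40 carol login_failed 198.51.100.7
2024-03-04T10:03:05 carol login_failed 198.51.100.7
2024-03-04T10:03:30 carol login_failed 198.51.100.7
2024-03-04T10:04:01 carol login_failed 198.51.100.7
"""

# Assumed local policy values; replace the network and hours with your own.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # Monday to Friday
BULK_DOWNLOAD_THRESHOLD = 3                 # downloads per user per day
FAILED_LOGIN_THRESHOLD = 5                  # lower end of the baseline lockout range

def parse_log(text):
    # Parse the whitespace-separated sample format into event dicts.
    events = []
    for line in text.splitlines():
        ts, user, action, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "ip": ipaddress.ip_address(ip)})
    return events

def find_anomalies(events):
    """Return sorted (rule, user) pairs for each pattern the baseline says to investigate."""
    findings, downloads, failures = set(), Counter(), Counter()
    start, end = BUSINESS_HOURS
    for e in events:
        ts = e["ts"]
        if ts.weekday() >= 5 or not (start <= ts.time() < end):
            findings.add(("after_hours_access", e["user"]))
        if not any(e["ip"] in net for net in KNOWN_NETWORKS):
            findings.add(("unusual_ip", e["user"]))
        if e["action"] == "download":
            downloads[(e["user"], ts.date())] += 1
        elif e["action"] == "login_failed":
            failures[e["user"]] += 1
    findings |= {("bulk_download", u) for (u, _), n in downloads.items() if n >= BULK_DOWNLOAD_THRESHOLD}
    findings |= {("repeated_failed_login", u) for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return sorted(findings)
```

Run `find_anomalies(parse_log(SAMPLE_LOG))` to list the flagged users; each finding is a starting point for the weekly review, not a verdict.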
Encryption
AXIS CloudSync provides the following encryption protections automatically; verify these are active for your account:
- In Transit: All data is encrypted using TLS 1.2 or higher during transmission.
- At Rest: All data is encrypted using AES-256 encryption on AXIS CloudSync servers.
- End-to-End: Files are encrypted before leaving your device and decrypted only by authorized users.
- Key Management: AXIS CloudSync manages encryption keys. For organizations requiring customer-managed keys (CMK), contact your account manager.
Compliance Checklist
- ☐ Two-Step Authentication enforced for all users
- ☐ Password policy configured (minimum length, complexity, expiration)
- ☐ Session timeout set to 15–30 minutes
- ☐ Failed login lockout enabled
- ☐ Sharing restricted to Secure Shares only
- ☐ Maximum share expiration configured
- ☐ Audit logging verified as active
- ☐ Log retention set to 6+ years
- ☐ Automated compliance reports scheduled
- ☐ User access reviewed and least-privilege applied
- ☐ Guest access policy configured
- ☐ Employee offboarding procedure documented
- ☐ BAA requested and executed with AXIS CloudSync (available upon request)
- ☐ Security baseline documented in Risk Analysis