Yes, however, many HIPAA organizations, AS I POINTED OUT BEFORE, choose NOT to allow HIPAA information to be stored in the cloud for a VARIETY of reasons, and YES, you would still need a BAA to store it in the cloud and be compliant. By default, cloud storage allows all kinds of internal and external sharing, which is much harder to control, monitor and audit than an internal file server. I DO THIS FOR A LIVING. I also do collaboration coaching for large organizations on Office365. I fully understand both the regulatory requirements and the regulatory pitfalls of most of these environments. There are LOTS of good reasons not to put things in Office365 and LOTS of good reasons not to use cloud storage.
Let's take an example from today. Through BGP Spoofing, people lost their credentials to their MEW Ethereum wallets, and millions of dollars were funneled out of them. If I don't have data stored in the cloud, EVEN IF SOMEONE GOT MY CLOUD CREDENTIALS, they couldn't access it. And yes. I know. Dual auth. Except in this case they were able to spoof dual auth too, because the users' credentials were IMMEDIATELY used to access their accounts, and they got the EXPECTED DUAL AUTH NOTICE and approved it. Then, in seconds, their accounts were emptied of their money.