Zero-knowledge cloud storage is becoming more and more common in the healthcare IT community. Vendors that encrypt files before they ever leave the customer’s device and have no decryption key of their own are increasingly being touted as a shortcut to compliance. The pitch is that if the provider doesn’t have physical eyes on protected health information (PHI), HIPAA obligations are reduced or eliminated.

The confusion is the result of a narrow provision in HIPAA called the conduit exception. It was intended for entities like the U.S. Postal Service and Internet service providers, businesses that only handle PHI when it's in transit, without any persistent storage. Some vendors, and even some compliance writers, have stretched that exception to cover cloud storage providers that use zero-knowledge encryption, on the reasoning that an inaccessible file is functionally the same as a file that was never stored at all.

 

What is zero-knowledge cloud storage?

Zero-knowledge cloud storage refers to a storage model where files are encrypted before they leave the customer’s device or controlled environment, and the cloud provider does not hold the decryption key needed to view the contents. The provider can store, sync, transmit, and preserve the encrypted files, but it can’t independently read the PHI inside them.

It makes zero-knowledge storage a legitimate security enhancement, especially for reducing insider access risk and limiting the damage of a vendor-side exposure. But it doesn’t change the underlying HIPAA analysis. The issue isn’t only whether the vendor can see the PHI; it is whether the vendor is maintaining ePHI on behalf of a covered entity or business associate.

A PLoS One review on cloud computing in healthcare explains why this distinction matters, noting that when electronic health records are stored on cloud servers, “Data ownership, access control, and security breaches become critical challenges.” Zero-knowledge encryption helps with access control, but it does not answer the ownership, governance, contracting, or accountability questions that HIPAA still requires covered entities and business associates to address.

 

Why zero-knowledge doesn’t mean no obligation

Duration of storage is what triggers business associate status. If an organization holds electronic PHI (ePHI) on behalf of a covered entity or business associate, then that organization is a business associate, even if it cannot access the data itself. If a HIPAA entity uses a cloud vendor to process or store ePHI without first signing a business associate agreement (BAA), they violate HIPAA, regardless of how strong the vendor’s encryption architecture is.

A cloud computing analysis published through JAMIA notes that HIPAA's Security Rule "contains 42 implementation specifications (table 2) that are sufficiently broad and complex to elicit the publication of multiple articles and books that attempt to explain and simplify them.” The implementation specifications span security administration, physical safeguards, and technical safeguards, including user identity management, activity audits, data integrity verification, and transmission security. Encryption satisfies one specification. It does not substitute for the other 41.

A separate Journal of Healthcare Engineering survey of eHealth cloud security challenges reinforces the due diligence point directly, advising organizations to ask, before signing with any provider, whether it is willing to sign a strong HIPAA BAA that imposes severe penalties for term violations. Zero-knowledge architecture is a security control. A signed BAA is a legal requirement. Neither is optional in place of the other, and neither, on its own, satisfies HIPAA.

 

Why encryption doesn’t change accountability

The appeal of zero-knowledge storage comes from the assumption that if a provider cannot read PHI, it should be treated like a transmission service rather than a custodian of the data. Peer-reviewed research on healthcare cloud computing points in the opposite direction. A 2024 review published in Heliyon explains that while cloud technologies improve security and scalability, they also introduce ongoing responsibilities around governance, privacy, and regulatory compliance because healthcare organizations remain accountable for information stored with third parties.

The authors note that cloud adoption requires “robust data governance frameworks, stringent security measures, and compliance with healthcare regulations.” HIPAA’s conduit exception was written for organizations that merely transport information in transit. A cloud storage provider, even one using zero-knowledge encryption, continues to maintain ePHI on behalf of a covered entity. Encryption may reduce the provider’s ability to view the data, but it does not eliminate the legal relationship created by persistent storage.

 

Where storage fits in the breach picture

Most of the breaches that Paubox tracked in December 2024 on the HHS breach portal were storage and server-side incidents. Network server breaches affected the most people with 3,119,320 affected, and email breaches were the second most common category, with 201,184 affected. Network server incidents were also the most common attack vector, with 33 reported that month.

Cloud storage is one of these places and wherever your bulk PHI resides, that is the highest value target. Using non-compliant cloud storage for PHI can lead to HIPAA violations, fines, and lawsuits. So vetting needs to go beyond the encryption spec sheet.

 

The bottom line

Zero-knowledge cloud storage is a real security improvement, and it can dramatically reduce insider risk and exposure from a vendor-side breach. What it can’t do is kick a provider out of the HIPAA business associate framework. The regulation around this is unchanged and unambiguous. If an entity stores PHI, encrypted or not, viewable or not, it is a business associate, and the paperwork requirements that go with that status apply, regardless of what the provider can technically see.

The eHealth cloud security explains why technical controls alone don’t resolve the governance issue. The authors write that cloud centralization “moves data ownership to the cloud service providers,” which means healthcare organizations can lose control over sensitive data if the relationship isn’t properly governed. The concern fits directly with HIPAA’s treatment of cloud storage providers. The risk is whether the vendor is maintaining PHI on behalf of a covered entity or business associate.

The practical discipline for compliance teams is the same that applies everywhere else in a HIPAA security program, i.e., check the BAA, understand what the contract actually covers, and don’t let a strong encryption story stand in for the administrative and physical safeguards HIPAA still requires alongside it.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

Can a healthcare organization use offshore cloud storage for PHI?

HIPAA doesn’t include a specific prohibition on storing ePHI outside the United States, but covered entities and business associates must account for geographic risks, enforceability, hacking threats, malware exposure, and other vulnerabilities in their risk analysis and risk management process.

 

Are cloud backups treated differently from active patient records?

If backup systems contain ePHI, they still need appropriate administrative, physical, and technical safeguards.

 

Does HIPAA set a universal medical record retention period?

The HIPAA Privacy Rule doesn’t set medical record retention periods; state law generally controls how long medical records must be retained.