Cloud and HIPAA: A Practical Overview
Healthcare applications increasingly run on cloud infrastructure. HIPAA does not prohibit cloud hosting—but it requires covered entities and business associates to use vendors that sign a Business Associate Agreement (BAA) and adequately safeguard ePHI. Understanding which cloud services are HIPAA-eligible and how to configure them is essential.
What is a Business Associate Agreement (BAA)?
A BAA is a contract between a covered entity (or business associate) and a vendor that will create, receive, maintain, or transmit PHI. The BAA ensures the vendor agrees to:
- Use appropriate safeguards to protect ePHI
- Report breaches and security incidents
- Ensure subcontractors also agree to the same protections
- Make ePHI available to individuals and HHS as required
No BAA means the vendor cannot lawfully handle PHI.
Major Cloud Providers and HIPAA
AWS
AWS offers a BAA covering its HIPAA-eligible services. You must accept the BAA through the AWS Artifact console before storing ePHI. Not all AWS services are HIPAA-eligible—only those explicitly listed (e.g., EC2, S3, RDS, and Lambda, when configured as the eligibility list requires).
Microsoft Azure
Azure is covered by the Microsoft Business Associate Agreement. You must configure each service according to Azure's compliance documentation. Services such as Azure SQL, Blob Storage, and App Service can be used in HIPAA-compliant architectures.
Google Cloud
Google Cloud offers a BAA for GCP and certain Workspace products. Review Google's HIPAA implementation guide for eligible services and configuration requirements.
Configuration Best Practices
- Enable encryption at rest and in transit for all storage and databases
- Use private networks, VPCs, and restrict public access
- Implement strict IAM policies (least privilege)
- Enable and protect audit logs
- Use managed services that support encryption and access controls
Conclusion
Cloud hosting is compatible with HIPAA when you use BAA-eligible services, configure them securely, and maintain your own compliance obligations. Choose providers that offer BAAs and follow their compliance guidance.
Need help architecting a HIPAA-compliant cloud solution? Contact TWO44 for healthcare technology consulting and development.