Best HIPAA Cloud Hosting for ABA Therapy Apps (2026 Comparison)

We scored each provider on five criteria that matter for ABA therapy applications storing session notes, behavior data, intake forms, and billing records:

1. BAA availability — Can you sign a Business Associate Agreement before storing any PHI?
2. HIPAA-eligible service breadth — How many core services (compute, database, storage, logging) are explicitly covered?
3. Compliance tooling — Encryption defaults, IAM/RBAC, audit logs, key management, and configuration guardrails
4. ABA workload fit — Multi-location scheduling, real-time data collection, file uploads (insurance cards, assessments), and parent portal traffic patterns
5. Total cost of ownership — Monthly infrastructure for a typical 3-location ABA platform at 500–2,000 active clients

Reference architecture: client → API gateway → auth service → encrypted PostgreSQL → audit log store → BAA-covered third-party integrations. TWO44 deploys this pattern on AWS for ABA therapy platforms.

*Estimated monthly cost for a 3-location ABA platform (app servers, PostgreSQL, object storage, CDN, logging, backups). Actual costs vary by traffic, storage, and architecture. Hetzner estimate is for non-PHI tier only.

AWS is the default choice for HIPAA-compliant healthcare applications in 2026, and for good reason. Enable the BAA in AWS Artifact, restrict deployments to HIPAA-eligible services, and you get the broadest toolkit for ABA-specific workloads:

• Compute: ECS Fargate or EC2 for the application layer; Lambda for async jobs (authorization checks, notification dispatch)
• Database: RDS PostgreSQL with encryption at rest (AES-256), automated backups, and Multi-AZ for clinic uptime
• Storage: S3 with server-side encryption for intake documents, insurance cards, and ADOS assessment files
• Security: KMS for key management, CloudTrail for audit logging, WAF for parent portal protection
• Monitoring: CloudWatch with log retention policies aligned to HIPAA's six-year documentation requirement

Honest downsides: AWS billing is complex; misconfigured S3 buckets are the #1 HIPAA cloud violation; not every AWS service is HIPAA-eligible — you must check the list before deploying.

TWO44 deploys ABA platforms on AWS with signed BAAs, encrypted PostgreSQL, and role-based access separating RBT, BCBA, and admin roles. See our Autizum case study for a live reference architecture.

Azure offers a comprehensive BAA and HIPAA-eligible services that cover most ABA platform requirements. If your clinic or development team already runs on Microsoft 365, Azure AD, and Teams, the identity integration alone saves weeks of configuration.

• App Service or AKS for containerized ABA applications
• Azure SQL or PostgreSQL Flexible Server for encrypted patient records
• Blob Storage for document uploads with customer-managed keys
• Azure Key Vault for secrets and encryption key management
• Azure Monitor and Log Analytics for audit trails

Honest downsides: Smaller HIPAA-eligible catalog than AWS; Azure portal complexity; some healthcare SaaS integrations default to AWS-first.

GCP signs a BAA for covered services and provides a clean, developer-friendly platform. ABA organizations building custom analytics — goal progress dashboards, payer audit reports, multi-location KPI tracking — benefit from BigQuery integration without exporting PHI to non-eligible services.

• Cloud Run or GKE for application hosting
• Cloud SQL (PostgreSQL) with encryption and automated backups
• Cloud Storage for encrypted file uploads
• Cloud KMS for key management
• Cloud Logging with retention policies for audit compliance

Honest downsides: Fewer HIPAA-eligible services than AWS; smaller healthcare vendor ecosystem; fewer ABA-specific reference architectures available publicly.

TWO44 uses Hetzner for specific infrastructure workloads — and we want to be direct about where it fits. Hetzner does not offer a Business Associate Agreement and is not suitable for storing or processing PHI. Using Hetzner for patient records, session notes, or intake forms would be a HIPAA violation regardless of how well you configure encryption.

Where Hetzner excels in a HIPAA architecture:

• Marketing websites — Public clinic pages with no PHI (blog, service descriptions, contact forms that do not collect health data)
• CI/CD runners — Build pipelines that never touch production PHI
• Staging environments — Synthetic/de-identified test data only
• Static assets and CDN origin — Non-sensitive media and documentation

A hybrid architecture — HIPAA-eligible cloud (AWS/Azure/GCP) for PHI, Hetzner for non-PHI tiers — is a legitimate cost optimization strategy that TWO44 uses in production. The PHI boundary must be architecturally enforced, not just policy-documented.

Signing a BAA does not make your ABA app compliant. These configuration steps apply regardless of provider:

• Enable encryption at rest (AES-256) on every database and storage bucket containing PHI
• Enforce TLS 1.2+ for all data in transit; no HTTP endpoints
• Implement least-privilege IAM — RBTs, BCBAs, intake staff, and billing each get scoped roles
• Enable audit logging (CloudTrail, Azure Monitor, Cloud Logging) with tamper-resistant retention
• Block public access on all storage; use VPC/private networking for database connections
• Enable MFA for all admin and developer accounts
• Automate backup encryption and test restore procedures quarterly
• Document your architecture in a HIPAA risk assessment — OCR asks for this

For developer-focused technical requirements, see our guides on HIPAA web application requirements and HIPAA software development. For ABA-specific compliance, read the HIPAA guide for ABA therapy centers.