HIPAA in the Cloud
AWS, Azure & GCP Guide
Running PHI workloads in the cloud requires understanding the shared responsibility model, signing BAAs, and implementing cloud-specific security controls.
Each provider requires you to sign its Business Associate Agreement (BAA) and stay within its published HIPAA-eligible services before PHI touches the cloud.
45 CFR Part 164 · HHS OCR · Last reviewed June 2026
Direct Answer
You can run HIPAA-regulated PHI on AWS, Azure, or Google Cloud, but each provider first requires you to sign its Business Associate Agreement (BAA) and stay within its published list of HIPAA-eligible services. Cloud HIPAA works on a shared-responsibility model: the provider secures the infrastructure while you remain responsible for configuration, encryption, access control, and your application.
Major Cloud Providers
| Provider | BAA availability | Coverage |
|---|---|---|
| Amazon Web Services (AWS) | Available via AWS Artifact | 100+ HIPAA-eligible services |
| Microsoft Azure | Included in Online Services Terms | Most Azure services covered |
| Google Cloud Platform | Available via Cloud Console | All GCP services covered under BAA |
Shared Responsibility Model
Cloud providers secure the infrastructure; you're responsible for securing your data and applications.
| Security Area | Cloud Provider | Customer |
|---|---|---|
| Physical Security | ✅ | — |
| Network Infrastructure | ✅ | — |
| Hypervisor Security | ✅ | — |
| OS Patching (managed services) | ✅ | — |
| OS Patching (IaaS) | — | ✅ |
| Application Security | — | ✅ |
| Data Encryption | — | ✅ |
| Access Management | — | ✅ |
| Audit Logging Config | — | ✅ |
| Backup & Recovery | — | ✅ |
Cloud HIPAA Best Practices
BAA & HIPAA-Eligible Services by Provider
All three major clouds support HIPAA workloads, but they differ in how you sign the BAA and how broadly eligibility is scoped. Always confirm a specific service against the provider's current eligibility list before placing PHI on it.
| Provider | How to sign the BAA | Eligible-service coverage | Healthcare-native service |
|---|---|---|---|
| AWS | Self-serve via AWS Artifact | 100+ HIPAA-eligible services | AWS HealthLake (FHIR) |
| Microsoft Azure | Included in the Online Services / Product Terms | Most Azure services covered | Azure Health Data Services |
| Google Cloud | Accept via Cloud Console | BAA covers all in-scope GCP services | Cloud Healthcare API |
HIPAA is enforced by the US Department of Health and Human Services; see the official HHS HIPAA portal.
Frequently Asked Questions
Is AWS, Azure, or Google Cloud "HIPAA certified"?
No cloud provider is "HIPAA certified" — HIPAA is a compliance obligation, not a certification, and there is no official HIPAA certificate. What the major providers do is sign a Business Associate Agreement (BAA) and publish a list of HIPAA-eligible services. Compliance is a shared outcome: the provider covers the infrastructure, and you cover how you configure and use it.
Do I need a BAA with my cloud provider?
Yes. Before you store, process, or transmit PHI on AWS, Azure, or GCP, you must execute the provider's BAA. Without it, the provider has not agreed to its HIPAA obligations and your use of the platform for PHI is not compliant. The BAA also defines which services are in scope.
What is the shared responsibility model for HIPAA in the cloud?
The cloud provider secures the underlying infrastructure — physical data centers, networking, and the hypervisor. You are responsible for everything you control: encryption settings, identity and access management, audit logging, OS patching on IaaS, application security, and backups. Using a HIPAA-eligible service does not transfer those duties to the provider.
Does using a HIPAA-eligible service make my application compliant?
No. A HIPAA-eligible service simply means the provider will cover it under the BAA. You still have to configure it correctly — enable encryption at rest and in transit, restrict access to least privilege, turn on audit logging, isolate networks, and document it all in a Security Risk Assessment. Misconfiguration is the most common cause of cloud PHI exposure.
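As an added illustration (not code from this page or from any provider), the following provider-neutral check encodes the controls listed above for a PHI data store; the configuration dictionary layout is an assumption made for the example, not any cloud API's real output.

```python
# Added example, not part of the page: audit a constructed, provider-neutral
# description of a PHI data store against the controls the FAQ names
# (encryption at rest/in transit, least-privilege access, audit logging,
# network isolation). The dict layout is an assumption for this example,
# not any provider's real API output.

def audit_phi_store(store: dict) -> list:
    """Return a list of findings; an empty list means every named control is on."""
    findings = []
    if not store.get("encryption_at_rest"):
        findings.append("encryption at rest is disabled")
    if not store.get("require_tls"):
        findings.append("plaintext (non-TLS) connections are accepted")
    if store.get("network") != "private":
        findings.append("store is reachable outside the private network")
    if not store.get("audit_logging"):
        findings.append("audit logging is off")
    for grant in store.get("grants", []):
        # Least privilege: no anonymous principals and no wildcard actions.
        if grant.get("principal") == "*":
            findings.append("grant to anonymous principal '*'")
        if "*" in grant.get("actions", []):
            findings.append(f"wildcard actions granted to {grant.get('principal')}")
    return findings

# Constructed sample: a misconfigured store beside its hardened form.
WEAK_STORE = {
    "name": "phi-archive",
    "encryption_at_rest": False,
    "require_tls": False,
    "network": "public",
    "audit_logging": False,
    "grants": [{"principal": "*", "actions": ["read"]},
               {"principal": "app-role", "actions": ["*"]}],
}

HARDENED_STORE = {
    "name": "phi-archive",
    "encryption_at_rest": True,   # e.g. a customer-managed key
    "require_tls": True,
    "network": "private",
    "audit_logging": True,
    "grants": [{"principal": "app-role", "actions": ["read", "write"]}],
}

if __name__ == "__main__":
    for store in (WEAK_STORE, HARDENED_STORE):
        issues = audit_phi_store(store)
        print(store["name"], "PASS" if not issues else "FAIL")
        for issue in issues:
            print("  -", issue)
```

Each finding maps to one of the controls the FAQ names, so the output doubles as a checklist for the Security Risk Assessment.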
Which cloud is best for HIPAA workloads from India?
All three (AWS, Azure, GCP) support fully HIPAA-eligible architectures, so the right choice usually depends on your existing stack, the healthcare-specific services you need (such as AWS HealthLake, Azure Health Data Services, or the GCP Cloud Healthcare API), and your team's expertise. Tranquility Cybersecurity helps Indian teams pick and validate the right configuration for their US clients.