Cloud Compliance
HIPAA in the Cloud
AWS, Azure & GCP Guide
Running PHI workloads in the cloud requires understanding the shared responsibility model, signing BAAs, and implementing cloud-specific security controls.
Major Cloud Providers
Amazon Web Services (AWS)
BAA Availability: Available via AWS Artifact
Coverage: 100+ HIPAA-eligible services
Key services and controls: AWS HealthLake, KMS encryption, CloudTrail logging, VPC isolation
Microsoft Azure
BAA Availability: Included in Online Services Terms
Coverage: Most Azure services covered
Key services and controls: Azure Health Data Services, Customer-managed keys, Azure Monitor, Private endpoints
Google Cloud Platform
BAA Availability: Available via Cloud Console
Coverage: All GCP services covered under BAA
Key services and controls: Healthcare API, Cloud KMS, Cloud Audit Logs, VPC Service Controls
Shared Responsibility Model
Cloud providers secure the infrastructure; you're responsible for securing your data and applications.
| Security Area | Cloud Provider | Customer |
|---|---|---|
| Physical Security | ✅ | — |
| Network Infrastructure | ✅ | — |
| Hypervisor Security | ✅ | — |
| OS Patching (managed services) | ✅ | — |
| OS Patching (IaaS) | — | ✅ |
| Application Security | — | ✅ |
| Data Encryption | — | ✅ |
| Access Management | — | ✅ |
| Audit Logging Config | — | ✅ |
| Backup & Recovery | — | ✅ |
Cloud HIPAA Best Practices
Sign BAA before storing PHI
Use only HIPAA-eligible services
Enable encryption at rest and in transit
Implement least privilege access
Enable comprehensive audit logging
Configure network isolation (VPC/VNet)
Use managed key services (KMS)
Enable multi-factor authentication
Regular security assessments
Document cloud architecture
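The checklist above maps directly onto an automated inventory check. The script below is an added example, not code from this page or from any cloud provider's tooling: it scores an account record and a set of resource records against the customer-side controls from the shared responsibility table and the best-practices list. The record shape, key names and every sample value are assumptions constructed for illustration.

```python
"""Evaluate an inventory against the customer-side HIPAA controls listed above.
Added example, not code from the page or any cloud provider. The record shape,
key names and all sample values are assumptions constructed for illustration."""

# Constructed sample inventory; keys mirror the page's best-practices list.
SAMPLE_ACCOUNT = {"baa_signed": True, "mfa_enforced": False}
SAMPLE_RESOURCES = [
    {"name": "phi-bucket", "hipaa_eligible": True, "encrypted_at_rest": True,
     "kms_managed_key": True, "tls_only": True, "audit_logging": True,
     "public_access": False},
    {"name": "analytics-db", "hipaa_eligible": True, "encrypted_at_rest": False,
     "kms_managed_key": False, "tls_only": True, "audit_logging": False,
     "public_access": True},
    {"name": "beta-ml-svc", "hipaa_eligible": False, "encrypted_at_rest": True,
     "kms_managed_key": True, "tls_only": True, "audit_logging": True,
     "public_access": False},
]

# (control id, predicate that is True when the control is met)
ACCOUNT_RULES = [
    ("BAA_SIGNED", lambda a: a["baa_signed"]),
    ("MFA_ENFORCED", lambda a: a["mfa_enforced"]),
]
RESOURCE_RULES = [
    ("HIPAA_ELIGIBLE_SERVICE", lambda r: r["hipaa_eligible"]),
    ("ENCRYPTED_AT_REST", lambda r: r["encrypted_at_rest"]),
    ("ENCRYPTED_IN_TRANSIT", lambda r: r["tls_only"]),
    ("KMS_MANAGED_KEY", lambda r: r["kms_managed_key"]),
    ("AUDIT_LOGGING", lambda r: r["audit_logging"]),
    ("NETWORK_ISOLATION", lambda r: not r["public_access"]),
]

def evaluate(account, resources):
    """Map each scope ("account" or a resource name) to its failed control ids.
    An empty list means the scope passed. A non-eligible service is reported
    like any other failure: the BAA does not cover it, so no hardening helps."""
    findings = {"account": [cid for cid, ok in ACCOUNT_RULES if not ok(account)]}
    for r in resources:
        findings[r["name"]] = [cid for cid, ok in RESOURCE_RULES if not ok(r)]
    return findings

def is_compliant(account, resources):
    """True only when every scope has an empty finding list."""
    return not any(evaluate(account, resources).values())

if __name__ == "__main__":
    for scope, failed in evaluate(SAMPLE_ACCOUNT, SAMPLE_RESOURCES).items():
        print(f"{scope}: {'OK' if not failed else ', '.join(failed)}")
```

In a real deployment the inventory records would be filled from the provider's configuration APIs (for example the encryption, logging and public-access settings of each storage bucket), with this evaluator run on every change.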
Need Cloud HIPAA Guidance?
Our team can help you architect and secure HIPAA-compliant cloud environments.