HIPAA and Cloud: The Reality
HIPAA was written in 1996, long before cloud computing existed. The Security Rule (2003) and subsequent guidance have been adapted to cover modern infrastructure, but the regulation itself doesn't prescribe specific technologies. This means cloud compliance is about demonstrating that your implementation satisfies the regulatory requirements — not checking boxes on a cloud-specific list.
All three major cloud providers — AWS, Azure, and GCP — offer HIPAA-eligible services and will sign Business Associate Agreements (BAAs). But signing a BAA is the starting point, not the finish line. The shared responsibility model means the cloud provider secures the infrastructure; you secure everything you build on top of it.
Business Associate Agreements
Before processing ePHI in any cloud environment, you need a BAA in place with the provider. This is non-negotiable.
- AWS: Accepted through AWS Artifact. Covers HIPAA-eligible services only — not all AWS services are covered. Maintain an up-to-date list of which services you use that fall under the BAA.
- Azure: Included in the Microsoft Online Services Terms for in-scope services. Check the Azure compliance documentation for the current list of HIPAA-covered services.
- GCP: Accepted through the Google Cloud console. Like AWS, only specific services are covered. Verify each service you use against the BAA scope.
Access Control (§ 164.312(a))
Core access control requirements and how they map to cloud implementations:
- Unique user identification: Every person accessing ePHI needs a unique identifier. In cloud terms: individual IAM users or federated identities. No shared accounts, no shared credentials, no generic service accounts for human access.
- Emergency access procedure: Document and test a break-glass procedure. Sealed credentials in a secure vault with monitoring and alerting when accessed.
- Automatic logoff: Session timeouts on all systems that access ePHI. For web applications, enforce idle timeouts at the application layer. For console access, use session duration limits on IAM roles.
- Encryption and decryption: ePHI must be encrypted at rest. Use KMS-managed keys (AWS KMS, Azure Key Vault, GCP Cloud KMS) with appropriate key rotation policies.
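The four points above are the kind of thing an auditor asks you to evidence, and they are checkable from data the cloud provider already gives you. The script below is an added example written for this page, not code from the article or from any vendor. Its inputs are constructed to mirror two real AWS shapes, the CSV returned by IAM GetCredentialReport and the role entries returned by IAM ListRoles, so the same functions can be pointed at live output. The one-hour session limit and the name-based heuristic for shared accounts are local policy choices assumed here, not HIPAA text.

```python
"""Check an IAM snapshot against the access-control points above.

Inputs are constructed to mirror the IAM GetCredentialReport CSV and
IAM ListRoles entries. The session limit and the shared-account naming
heuristic are assumptions for this example, not regulatory text."""
import csv
import io

# Constructed credential report (a subset of the real columns, same names).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
alice,arn:aws:iam::111111111111:user/alice,true,true,false
bob,arn:aws:iam::111111111111:user/bob,true,false,true
shared-ops,arn:aws:iam::111111111111:user/shared-ops,true,false,false
ci-deployer,arn:aws:iam::111111111111:user/ci-deployer,false,false,true
"""

# Constructed ListRoles-style entries; MaxSessionDuration is in seconds.
ROLES = [
    {"RoleName": "ephi-analyst", "MaxSessionDuration": 3600},
    {"RoleName": "ephi-admin", "MaxSessionDuration": 43200},
]

MAX_SESSION_SECONDS = 3600                        # assumed local limit for ePHI roles
SHARED_NAME_HINTS = ("shared", "team", "common")  # assumed heuristic; tune locally


def parse_credential_report(report_text):
    """Parse the credential-report CSV into one dict per IAM user."""
    return list(csv.DictReader(io.StringIO(report_text)))


def access_control_findings(report_text, roles):
    """Return (principal, problem) pairs for the unique-ID, MFA and logoff checks."""
    findings = []
    for row in parse_credential_report(report_text):
        user = row["user"]
        console_login = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        # Human console access without MFA (checklist: MFA enforced on all human access).
        if console_login and not mfa:
            findings.append((user, "console access without MFA"))
        # A console-enabled user whose name suggests several people share it.
        if console_login and any(hint in user.lower() for hint in SHARED_NAME_HINTS):
            findings.append((user, "name suggests a shared human account"))
    # Automatic logoff: role sessions must not outlive the local limit.
    for role in roles:
        limit = role["MaxSessionDuration"]
        if limit > MAX_SESSION_SECONDS:
            findings.append((role["RoleName"],
                             f"session limit {limit}s exceeds {MAX_SESSION_SECONDS}s"))
    return findings


if __name__ == "__main__":
    for principal, problem in access_control_findings(CREDENTIAL_REPORT, ROLES):
        print(f"{principal}: {problem}")
```

On the constructed data this reports bob and shared-ops for console access without MFA, shared-ops again for its name, and ephi-admin for a twelve-hour session limit; ci-deployer has no console password, so it is a genuine service identity and is left alone. Running the same check on a schedule and archiving its output gives you dated evidence for the unique-identification and automatic-logoff specifications.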
Audit Controls (§ 164.312(b))
You must implement mechanisms to record and examine activity in systems containing ePHI:
- Cloud-level logging: Enable CloudTrail (AWS), Activity Log and Diagnostic Settings (Azure), or Cloud Audit Logs (GCP) across all accounts and projects. Log to a centralized, immutable store.
- Application-level logging: Log all access to ePHI at the application layer — who accessed what record, when, and from where. These logs are critical for breach investigation.
- Log retention: HIPAA requires 6-year retention for documentation. Your audit logs should follow the same retention policy. Use lifecycle policies (S3 Glacier, Azure Cool/Archive tier, GCS Nearline/Coldline) to manage cost.
- Log review: Automated log analysis with alerting for anomalous access patterns. SIEM integration is the practical implementation.
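To make the log-review point concrete, here is an added example of the automated analysis, written for this page rather than taken from the article. It reads application-level ePHI access records of the shape the previous bullet describes (who, which record, when, from where) and raises three kinds of alert: one user touching many distinct patient records in a short window, access from a source address that user has never been seen from, and access outside business hours. The JSON line format, the thresholds, the business-hours window and the baseline of known addresses are all assumptions chosen for illustration; in production the same logic would run in your SIEM with tuned values.

```python
"""Automated review of application-level ePHI access logs.

Log format, thresholds, business hours and the known-IP baseline are
assumptions for this example; the sample lines are constructed, not real."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed detection policy.
BULK_THRESHOLD = 10                 # distinct patient records ...
BULK_WINDOW = timedelta(minutes=5)  # ... within this sliding window
BUSINESS_HOURS = (7, 19)            # UTC hours treated as normal for this tenant
# Constructed baseline of addresses each user has previously been seen from.
KNOWN_IPS = {"dr.lee": {"10.20.0.15"}, "billing.tmp": {"10.20.0.80"}}

FIELDS = ("ts", "user", "patient_id", "action", "src_ip")


def constructed_log_lines():
    """Build a small constructed set of JSON audit lines (not real data)."""
    events = [
        ("2024-03-04T09:00:00Z", "dr.lee", "P-1001", "read", "10.20.0.15"),
        ("2024-03-04T09:01:30Z", "dr.lee", "P-1002", "read", "10.20.0.15"),
        ("2024-03-04T09:03:00Z", "dr.lee", "P-1001", "update", "10.20.0.15"),
    ]
    # billing.tmp reads twelve different records in under four minutes.
    start = datetime(2024, 3, 4, 13, 10, tzinfo=timezone.utc)
    for i in range(12):
        ts = (start + timedelta(seconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, "billing.tmp", f"P-{2001 + i}", "read", "10.20.0.80"))
    # dr.lee appears late at night from an address never seen before.
    events.append(("2024-03-04T22:45:00Z", "dr.lee", "P-1003", "read", "203.0.113.9"))
    return [json.dumps(dict(zip(FIELDS, e))) for e in events]


def parse_event(line):
    """Parse one JSON log line; timestamps are ISO-8601 in UTC."""
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def review_access_logs(lines, known_ips=KNOWN_IPS):
    """Return a list of alert dicts; lines must be in chronological order."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, patient_id) inside the window
    in_burst = set()             # users already alerted for the current burst
    for event in (parse_event(line) for line in lines):
        user, ts = event["user"], event["ts"]
        # Rule 1: many distinct records per user within the sliding window.
        window = recent[user]
        window.append((ts, event["patient_id"]))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = len({pid for _, pid in window})
        if distinct >= BULK_THRESHOLD and user not in in_burst:
            in_burst.add(user)  # alert once per burst, not once per record
            alerts.append({"rule": "bulk_access", "user": user, "ts": ts.isoformat(),
                           "detail": f"{distinct} distinct records within {BULK_WINDOW}"})
        elif distinct < BULK_THRESHOLD:
            in_burst.discard(user)
        # Rule 2: source address not in this user's baseline.
        if event["src_ip"] not in known_ips.get(user, set()):
            alerts.append({"rule": "new_source_ip", "user": user, "ts": ts.isoformat(),
                           "detail": f"first access from {event['src_ip']}"})
        # Rule 3: access outside the assumed business-hours window.
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.append({"rule": "off_hours", "user": user, "ts": ts.isoformat(),
                           "detail": f"access at {ts.hour:02d}:{ts.minute:02d} UTC"})
    return alerts


if __name__ == "__main__":
    for alert in review_access_logs(constructed_log_lines()):
        print(alert["rule"], alert["user"], alert["ts"], alert["detail"])
```

On the constructed lines this produces exactly three alerts: a bulk_access alert for billing.tmp at the tenth distinct record, and new_source_ip plus off_hours alerts for dr.lee's late-night read from an unknown address. None of the rules needs to know what the records contain, which is the point: the review runs on the access metadata the application already logs, and the alert output is itself evidence that the audit-controls specification is being exercised.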
Integrity Controls (§ 164.312(c))
- Data integrity verification: Use checksums and versioning on ePHI stored in object storage. Enable S3 versioning, Azure Blob versioning, or GCS object versioning.
- Database integrity: Enable audit logging on all databases containing ePHI. Use point-in-time recovery capabilities for RDS, Azure SQL, or Cloud SQL.
- Immutable backups: Backup ePHI to write-once storage. S3 Object Lock, Azure Immutable Blob Storage, or GCS retention policies with bucket lock.
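The retention bullet in the audit-controls section and the versioning and immutable-backup bullets here all come down to bucket configuration, so one check covers them. The following is an added example for this page, not code from the article or from AWS. Its three input dicts are constructed to mirror the response shapes of boto3's GetBucketVersioning, GetObjectLockConfiguration and GetBucketLifecycleConfiguration, so the same functions can be fed live responses. Reading the 6-year requirement as 2190 days, requiring COMPLIANCE-mode Object Lock, and treating GLACIER, GLACIER_IR and DEEP_ARCHIVE as the acceptable archive tiers are assumptions made for the example.

```python
"""Evaluate S3 bucket configuration for retention, versioning and immutability.

Input dicts are constructed to mirror boto3 responses from
GetBucketVersioning, GetObjectLockConfiguration and
GetBucketLifecycleConfiguration. The 2190-day reading of "6 years" and the
insistence on COMPLIANCE mode are assumptions for this example."""
RETENTION_DAYS = 6 * 365  # assumed interpretation of the 6-year requirement
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

# Constructed bucket snapshots: one that passes and one that does not.
SAMPLE_BUCKETS = {
    "audit-logs-prod": {
        "versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}}},
        "lifecycle": {"Rules": [{
            "ID": "tier-then-expire", "Status": "Enabled", "Filter": {"Prefix": ""},
            "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": 2555}}]},
    },
    "ephi-exports": {
        "versioning": {"Status": "Suspended"},
        # boto3 raises ObjectLockConfigurationNotFoundError here; the caller passes {}.
        "object_lock": {},
        "lifecycle": {"Rules": [{
            "ID": "expire-1y", "Status": "Enabled", "Filter": {"Prefix": ""},
            "Expiration": {"Days": 365}}]},
    },
}


def check_versioning(versioning):
    """GetBucketVersioning returns {} or {"Status": "Enabled" | "Suspended"}."""
    return versioning.get("Status") == "Enabled"


def check_object_lock(object_lock):
    """Require Object Lock with a COMPLIANCE-mode default retention of RETENTION_DAYS."""
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return False, "object lock not enabled"
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        return False, f"default retention mode is {retention.get('Mode')!r}, not COMPLIANCE"
    # DefaultRetention carries either Days or Years, never both.
    days = retention.get("Days") or retention.get("Years", 0) * 365
    if days < RETENTION_DAYS:
        return False, f"default retention {days} days is below {RETENTION_DAYS}"
    return True, "ok"


def check_lifecycle(lifecycle):
    """Flag rules that expire data early and the absence of an archive transition."""
    findings = []
    tiers_to_archive = False
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        if any(t.get("StorageClass") in ARCHIVE_CLASSES for t in rule.get("Transitions", [])):
            tiers_to_archive = True
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and expiry < RETENTION_DAYS:
            findings.append(f"rule {rule.get('ID')} expires objects after {expiry} days, "
                            f"before {RETENTION_DAYS}")
    if not tiers_to_archive:
        findings.append("no enabled rule transitions data to an archive tier")
    return findings


def assess_bucket(name, versioning, object_lock, lifecycle):
    """Combine the three checks into one finding list per bucket."""
    findings = []
    if not check_versioning(versioning):
        findings.append("versioning not enabled")
    ok, why = check_object_lock(object_lock)
    if not ok:
        findings.append(why)
    findings.extend(check_lifecycle(lifecycle))
    return {"bucket": name, "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for bucket, cfg in SAMPLE_BUCKETS.items():
        print(assess_bucket(bucket, **cfg))
```

The passing bucket keeps versioning on, locks every object in COMPLIANCE mode for six years, tiers to Glacier after 90 days and only expires after seven years; the failing one has versioning suspended, no Object Lock, a one-year expiry that would delete audit data five years early, and no archive tier. The lifecycle check deliberately treats "expires too early" as a finding rather than a cost optimisation, because a lifecycle rule is the most common way a 6-year retention requirement is silently broken.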
Transmission Security (§ 164.312(e))
- Encryption in transit: TLS 1.2+ on all connections. This includes internal API calls, database connections, and inter-service communication — not just external endpoints.
- VPC/network isolation: ePHI workloads should run in private subnets with no direct internet access. Use VPC endpoints (AWS), Private Endpoints (Azure), or Private Service Connect (GCP) for cloud service communication.
- Certificate management: Use ACM (AWS), App Service Certificates (Azure), or managed certificates for TLS. Automate renewal to prevent expiry-related outages or fallback to unencrypted connections.
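Two of the points above are enforceable in client code rather than only in cloud settings: the TLS floor, and noticing a certificate before it expires. The block below is an added example for this page, not code from the article. It builds a client-side SSL context that refuses anything below TLS 1.2 and verifies certificates and hostnames, contrasts it with a commonly seen weakened context, and computes days-to-expiry from the notAfter string that Python's getpeercert() returns so a renewal alert can fire ahead of time. The hostname, dates and 30-day threshold are constructed values for illustration.

```python
"""Enforce a TLS 1.2 floor in client code and alert on approaching certificate expiry.

Uses only the standard library. The sample certificate fields, the
hostname and the 30-day renewal threshold are constructed for this example."""
import ssl

RENEWAL_THRESHOLD_DAYS = 30  # assumed local policy for raising a renewal alert


def hardened_client_context():
    """Client context that verifies peers and refuses TLS older than 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """A frequently seen misconfiguration: certificate checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx):
    """True only if the context enforces TLS 1.2+ with full peer verification."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def days_until_expiry(not_after, now_as_of):
    """Days between two timestamps in getpeercert() format, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = ssl.cert_time_to_seconds(now_as_of)
    return (expires - now) / 86400


def renewal_alert(cert, now_as_of, threshold_days=RENEWAL_THRESHOLD_DAYS):
    """Return an alert string if the certificate expires within the threshold, else None."""
    remaining = days_until_expiry(cert["notAfter"], now_as_of)
    if remaining > threshold_days:
        return None
    cn = dict(item for rdn in cert["subject"] for item in rdn).get("commonName", "?")
    return f"certificate for {cn} expires in {remaining:.0f} days"


# Constructed subset of a getpeercert() result; the hostname is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "ephi-api.example.internal"),),),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    print("hardened ok:", context_meets_policy(hardened_client_context()))
    print("weak ok:", context_meets_policy(weak_context()))
    print(renewal_alert(SAMPLE_CERT, "May  2 12:00:00 2025 GMT"))
```

Pass the hardened context to whatever client library you use (urllib, http.client, database drivers that accept an ssl_context) so that internal API and database connections get the same floor as public endpoints. The expiry check is the piece that prevents the failure mode the bullet describes: an expired certificate is noticed by monitoring weeks in advance instead of by an outage or by someone "temporarily" disabling verification.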
Administrative Safeguards
Technical controls are only half the picture. HIPAA also requires documented administrative safeguards:
- Risk assessment: Annual risk assessment covering all systems that process ePHI. Document identified risks, mitigation plans, and accepted residual risk with business justification.
- Workforce training: Security awareness training for all employees with access to ePHI. Document training completion and content. Conduct phishing simulations.
- Incident response: Documented breach notification procedures. HIPAA requires notification within 60 days of discovery for breaches affecting 500+ individuals. Smaller breaches must be reported annually.
- Contingency planning: Data backup plan, disaster recovery plan, and emergency mode operation plan. Test these annually and document the results.
The Compliance Checklist
A condensed checklist for your cloud HIPAA implementation:
- ☐ BAA signed with cloud provider
- ☐ Only BAA-covered services used for ePHI
- ☐ Individual IAM identities (no shared accounts)
- ☐ MFA enforced on all human access
- ☐ ePHI encrypted at rest with managed keys
- ☐ TLS 1.2+ on all connections (internal and external)
- ☐ ePHI workloads in private subnets
- ☐ CloudTrail / Activity Log / Audit Log enabled and centralized
- ☐ Application-level ePHI access logging
- ☐ 6-year log retention configured
- ☐ Automated anomaly detection on access logs
- ☐ Object versioning enabled on ePHI storage
- ☐ Immutable backups configured and tested
- ☐ Annual risk assessment documented
- ☐ Incident response plan tested
- ☐ Workforce training completed and documented
- ☐ Disaster recovery plan tested
ComplyWise automates HIPAA evidence collection across cloud providers and maps findings to specific regulation sections.