HIPAA cloud security is the same HIPAA Security Rule applied to AWS, Azure, GCP, and SaaS. What changes is the line: provider, customer, Covered Entity, Business Associate. And the cadence: can your program produce continuous evidence for ePHI access, encryption, logging, recovery, and exceptions, or only a tidy annual attestation?
This guide turns HIPAA cloud security and compliance into an investigation built from Cloudaware fieldwork with healthcare clients; DevOps experts Valentin Kel and Igor K.; and fresh practitioner notes from Abhay Bhargav, Matt Lewis, and Sean Harris, checked against HHS, NIST SP 800-66 Rev. 2, AWS, Azure, and GCP guidance.
Inside, we follow the clues:
- Who signed the BAA, then let PHI touch an uncovered service?
- Where does Shared Responsibility stop helping and start incriminating?
- Can you reconstruct last Tuesday’s access path before the 60-day breach clock starts?
- What happens when shadow AI slips ePHI into a tool no one approved?
- Which controls expose the cloud threat landscape for ePHI first?
Key insights
- HIPAA cloud security is not a new rule. It is the HIPAA Security Rule applied to AWS, Azure, GCP, and the SaaS layer above them. The hard part is not interpreting HIPAA again. It is proving who owns each control when ePHI moves through cloud services, identities, logs, backups, and vendors.
- A signed BAA is not a compliance blanket. AWS, Azure, GCP, and SaaS providers can sign BAAs, but only specific services and configurations belong in scope. If ePHI lands in an unsupported service, public bucket, unmanaged log stream, or untracked data pipeline, the BAA will not rescue the architecture.
- Shared Responsibility is where most teams misread the map. Cloud providers handle data centers, hardware, hypervisors, and parts of platform security. Customers still own IAM, MFA, encryption settings, audit logs, retention, integrity controls, incident response, workforce access, and Subcontractor tracking.
- The controls that move the needle are boring on purpose. Access control, audit controls, integrity, transmission security, encryption, and workforce revocation carry most of the real risk. Fancy tooling cannot compensate for stale admin roles, disabled logs, missing key reviews, or backups no one has restored.
- Continuous evidence beats annual attestation. Audit prep should not mean three weeks of screenshots, exports, and Slack archaeology. Every ePHI-bearing asset needs a live trail: owner, BAA reference, control status, exemption history, ticket, review record, and last evidence timestamp.
- AI and cloud integrations expand HIPAA scope fast. Shadow AI, cloud-based faxing, analytics exports, support tools, and SaaS connectors can all become ePHI paths. Treat every data route like infrastructure: confirm the BAA, encrypt transport, log activity, assign ownership, and expire exceptions.
- The practical end state is simple: ask, “Show me every ePHI store without audit logging,” and get an answer in seconds. Not a meeting. Not a spreadsheet hunt. A query.
What HIPAA cloud security and compliance actually means
HIPAA cloud security and compliance is the operating discipline of running HIPAA Security Rule safeguards on cloud infrastructure: AWS, Azure, and GCP, and the SaaS layer above them, without inventing a separate program for the cloud.
HIPAA did not change because your workload moved out of a server room. The infrastructure model changed. The control ownership changed. The audit trail got messier.
That is where teams run into trouble.
A hospital can sign a BAA with AWS. A healthtech vendor can run on Azure. A payer analytics team can process ePHI in GCP. None of that makes the environment compliant on its own. AWS tells customers to process PHI only in HIPAA-eligible services under the AWS BAA.
Microsoft is just as direct: its BAA supports compliance, but using Microsoft services does not, on its own, achieve HIPAA compliance.
Google Cloud makes the same split: Google secures the infrastructure; the customer must configure and secure the environment and applications built on top.
The practical shift looks like this:
| In the data center | In cloud |
|---|---|
| Your team owns the facility, racks, media disposal, and server room access. | Much of §164.310 physical safeguards moves to the cloud provider’s data center operations. |
| Vendor review happens during procurement. | BAA scope has to stay tied to live services, accounts, regions, SaaS apps, APIs, and data flows. |
| Evidence can be collected around audit season. | Evidence has to be continuous because IAM, storage, workloads, logs, and exceptions change constantly. |
The four-party model matters more than most teams budget for.
A Covered Entity is the healthcare provider, payer, or clearinghouse. A Business Associate handles PHI or ePHI on its behalf. HHS treats a cloud service provider as a Business Associate when it creates, receives, maintains, or transmits ePHI for a Covered Entity or another Business Associate, even when the provider only stores encrypted ePHI and cannot decrypt it. A Subcontractor is the next party down the chain, and HHS treats that subcontractor as a Business Associate too when it handles PHI.
That last part is where I usually find the rot.
Teams track the hyperscaler BAA. They forget the SaaS layer. Salesforce Health Cloud, Veeva, ServiceNow Healthcare, support tools, data pipelines, backup vendors, AI tooling, and offshore engineering environments. One missed Subcontractor can turn a clean architecture diagram into fiction.
The way our CMDB tracks these elements, every ePHI-bearing asset carries the BAA reference and the Subcontractor chain alongside the standard inventory metadata.
Mature healthcare cloud security and compliance programs also map HIPAA to HITRUST, SOC 2, and occasionally GDPR when EU patient data enters the system. Not as parallel programs. As one control set, as evidenced once, mapped many ways.
This article does not re-teach HIPAA Security Rule requirements, the wider operating loop of healthcare data security best practices, or the cloud threat landscape for e-PHI. It covers the practical version: what HIPAA cloud security looks like when PHI lives across cloud accounts, SaaS platforms, logs, backups, identities, and vendors that no one wants to admit are in scope.
The part most teams get wrong: shared responsibility under HIPAA in the cloud
The most common HIPAA cloud security mistake is misreading the Shared Responsibility Model: assuming the cloud provider’s BAA covers more than it does or that the customer’s responsibility starts at the operating system. In real cloud security and HIPAA compliance work, both sides have jobs. Only one side usually answers to the auditor first.
I’ve seen the same failure pattern across healthcare cloud environments: the BAA exists, the architecture diagram looks clean, and then someone finds ePHI in a service, bucket, log stream, pipeline, backup, or SaaS connector no one mapped to the agreement.
That is the gap.
AWS publishes an AWS HIPAA Eligible Services list. Those services can create, receive, process, maintain, or transmit ePHI, but AWS is explicit that customers must still configure them consistent with HIPAA requirements. The list includes common services such as
- Compute: Amazon EC2, Lambda, Amazon EKS, ECS
- Storage & Data: Amazon S3, EBS, EFS, Amazon RDS, DynamoDB, Redshift
- Networking: CloudFront
- Security: KMS, CloudTrail, CloudWatch Logs, GuardDuty, Security Hub CSPM
- AI: Amazon Bedrock
AWS also notes that services not listed should not process or store ePHI.
Microsoft takes a similar position. A cloud service provider becomes a Business Associate when it creates, receives, maintains, transmits, or accesses PHI for a Covered Entity or Business Associate. Microsoft will enter into BAAs with eligible covered entity and business associate customers, but no HHS-approved “HIPAA certification” program makes a deployed Azure workload compliant by default.
Google Cloud is just as direct: Google supports HIPAA compliance within the scope of a BAA, but customers remain responsible for evaluating their HIPAA compliance and properly configuring the environments and applications built on Google Cloud. Google also tells customers to avoid using products not explicitly covered by the BAA when working with PHI.
So BAA-eligible means the provider can contractually cover that service.
It does not mean Amazon S3, Azure Blob, Azure SQL, BigQuery, Amazon RDS, or Cloud Healthcare API ships HIPAA-ready. A public Amazon S3 bucket containing ePHI is still a problem. So is disabled CloudTrail. So, it is an IAM role with broad access because “the app needed it during migration.” Cute story. Bad evidence.
Shared Responsibility for security compliance in cloud HIPAA environments:
| Layer | Who owns it under a cloud provider BAA | Evidence practitioners should maintain |
|---|---|---|
| Data centers, hardware, network: §164.310 physical safeguards | Provider: AWS, Azure, GCP. Their SOC reports and BAA cover this. | BAA, SOC report, cloud provider compliance artifacts. |
| Hypervisor, host OS, platform services | Provider | Provider assurance reports, not tenant screenshots. |
| Guest OS for IaaS workloads | Customer | Patch status, CIS baseline, EDR coverage, hardening exceptions. |
| Identity & access management: §164.312(a) | Customer | IAM policies, MFA enforcement, JIT elevation, access reviews. |
| Audit controls: §164.312(b) | Customer | CloudTrail, Azure Activity Logs, Cloud Audit Logs, retention policy, and review records. |
| Encryption at rest: §164.312(a)(2)(iv) | Customer | KMS settings, key ownership decisions, and CSP-managed keys vs. BYOK. |
| Encryption in transit: §164.312(e)(2)(ii) | Customer | TLS policy, certificate inventory, no downgrade exceptions. |
| Integrity: §164.312(c) | Customer | Immutable backups, object lock, checksum, or restore-test evidence. |
| Administrative safeguards: §164.308 | Customer | Risk analysis, workforce training, incident response plan, contingency plan. |
| BAA management & Subcontractor chain | Customer | Provider list, BAA status, eligible-services confirmation, renewal dates. |

Element of Cloudaware cloud security report. Schedule a demo to see it live.
We carry the BAA reference and the eligible-services confirmation for every ePHI-bearing asset in our CMDB. That makes a multi-cloud PHI asset register useful during real work, not just audit prep. The question “is this service configured under our BAA?” becomes a query, not a contract review.
HHS gives the clean boundary: a cloud service provider that creates, receives, maintains, or transmits ePHI for a Covered Entity or Business Associate is a Business Associate, even if it stores only encrypted ePHI and cannot decrypt it. A BAA is required, and the customer still has to conduct risk analysis and manage its controls.
That is the part practitioners should tattoo on the migration plan: Shared Responsibility is not responsibility sharing. It is worIt involves work-sharing with customer-side accountability when ePHI is sent to the wrong place.
Alla L. ITAM expert from Cloudaware
4 HIPAA-aligned cloud security best practices
HIPAA compliance cloud security best practices come down to four operating habits: contain access, keep usable evidence, prove ePHI can survive tampering, and secure every path data travels. In production, cloud security best practices and HIPAA compliance mean your AWS, Azure, GCP, and SaaS controls can answer one incident question fast: who touched what, when, and from where, and can we prove it?
HIPAA gives you the control families, not the cloud configuration. §164.312 covers access control, audit controls, integrity, transmission security, and encryption. §164.308 adds workforce security and activity review. Cloud turns those into IAM rules, log routing, key policies, immutable storage, owner records, retention settings, and exception expiry dates. Source: eCFR §164.312
1. Build access around ePHI, not org charts
Most bad access stories sound boring until legal joins the call: old admin role, forgotten service account, contractor still active, and MFA bypassed “just for migration.” That is why §164.312(a)(1) access control starts at the data store, not the job title.
| Access layer | Practitioner setup |
|---|---|
| Human access | IAM roles mapped to clinical or technical function. |
| Privileged access | JIT through AWS IAM Identity Center, Azure PIM, or GCP IAM Conditions. |
| MFA | No casual exception. Break-glass gets alerts, expiry, and reviews. |
| Workforce offboarding | Revoke cloud IAM, IdP groups, SaaS apps, VPN, support tools, and admin consoles within hours. |
Matt Lewis of Field Effect and Sean Harris of ITS frame the 2026 shift as policy to proof: after an incident, teams need to know what was accessed, how long the actor was inside, what data was touched, who was affected, and whether they can prove it. Source: HIPAA in 2026. Why “Compliant” Isn’t Enough Anymore.
Read our guide for healthcare data breaches examples. Access control failures rarely look cinematic. They appear to be permissions that were not cleaned up.
2. Treat logs as evidence, not exhaust
§164.312(b) audit controls require mechanisms that record and examine activity in systems containing or using ePHI. The word "examine" does real work. §164.308(a)(1)(ii)(D) information system activity review requires regular review of audit logs, access reports, and security incident records. Collecting logs no one reviews is not a security program. It is storage with ambition.
Cloud setup should be explicit:
- AWS: CloudTrail routed to durable storage, with alerting and review workflow.
- Azure: Azure Activity Logs routed to Microsoft Sentinel or Log Analytics.
- GCP: Google Cloud Audit Logs are fed into the Security Command Center or your SIEM.
Two gotchas matter in audits: Azure Activity Log events are retained for 90 days by default, and Google Cloud Data Access audit logs are disabled by default, except for BigQuery Data Access logs. Longer retention and more profound visibility are customer-side work. HIPAA documentation retention under §164.316(b)(2) is six years, so default cloud retention rarely matches evidence needs without configuration.
3. Prove ePHI can survive alteration, deletion, and ransomware
Encryption gets the budget slide. §164.312(c)(1) integrity gets the messy tabletop. HIPAA requires protection against improper alteration or destruction of ePHI, which means immutable backups, restore tests, checksum verification, and evidence that the recovered dataset is clean.
Use S3 Object Lock, Azure Immutable Blob, or GCS Bucket Lock for backup immutability. Add checksum verification for Tier 1 ePHI stores. Document restore tests by dataset, date, owner, and result.
Bad evidence: “Backups are enabled.”
Usable evidence: The claims database was restored from an immutable backup on June 14. Checksum passed. App owner approved.”
For encryption under §164.312(a)(2)(iv), use AWS KMS, Azure Key Vault, or Google Cloud KMS. Provider-managed keys can work for lower-risk tiers. Tier 1 ePHI needs a documented BYOK decision, key rotation policy, and KMS access review.
Read also: Google Cloud security best practices 2026
4. Secure every ePHI route, including the boring ones
§164.312(e)(1) transmission security covers ePHI moving across electronic communication networks. Use TLS 1.3 where supported, TLS 1.2 as the practical floor, and mTLS for service-to-service ePHI traffic. Legacy partner downgrade? Give it an owner, compensating control, and an expiry date. No immortal exceptions.
Cloud-based faxing HIPAA compliance security belongs in the same control family. Phaxio, SRFax, Concord, eFax Corporate, and similar services still transport ePHI when they interact with your cloud workflow. Confirm the BAA. Encrypt the route. Log sends and receives. Keep the audit trail. Fax stops being “old-school” the second it becomes an API call.
Abhay Bhargav of AppSecEngineer makes the training point practitioners recognize fast: compliance training prepares teams for audits but not always for attacks. The useful version is role-based, threat-based, and tied to the real healthcare SDLC: AppSec, cloud, DevSecOps, threat modeling, and secure-by-design work.
Each control maps to a continuous CSPM check that carries the asset, the owner from our CMDB, the §164.312 citation, and the exemption history. The answer to “show me access-control coverage for ePHI stores” is a query, not an assembly job.
For the broader operating model, see healthcare data security best practices. For the same discipline in a non-healthcare context, see cloud data security best practices.
Keep the lesson short: four well-executed controls are better than twelve controls that exist only in policy. Adam Zenedine and Gil Vidalis of HIPAA Vault land the cloud version cleanly: AWS, Azure, and GCP can all support HIPAA workloads, but compliance is a responsibility, not a feature.
Turn HIPAA cloud security into continuous evidence
Security and HIPAA compliance in the cloud only stay defensible when evidence runs continuously: every §164.312 control checks the live environment, writes the result to an audit trail, and feeds periodic evaluation under §164.308(a)(8). Annual attestation is where teams go to remember what they should have been proving all year.
I’ve lived through the ugly version.
Engineers pulling IAM screenshots. Compliance chasing log exports. DevOps reconstructing change tickets. Someone is asking whether the S3 encryption screenshot was taken before or after the exception expired. Nobody is doing risk management at that point. They are building a museum exhibit.
The better pattern is simpler: every control produces evidence as it runs. Access control under §164.312(a)(1), audit controls under §164.312(b), integrity under §164.312(c)(1), transmission security under §164.312(e)(1), and encryption under §164.312(a)(2)(iv) are all explicit Security Rule technical safeguard areas. In the cloud, each becomes a scheduled CSPM check, not an audit-season task. (eCFR)
| Continuous evidence object | What practitioners need captured |
|---|---|
| Asset | Account, region, service, environment, ePHI tier |
| Owner | CMDB owner, application owner, security owner |
| Control | HIPAA citation, test logic, framework mapping |
| Finding | Pass/fail, first seen, last seen, severity, SLA |
| Exemption | Approver, reason, compensating control, expiry |
| Review trail | Reviewer, timestamp, decision, linked ticket |

Element of Cloudaware cloud security report. Schedule a demo to see it live.
Matt Lewis and Sean Harris frame the operational test well in HIPAA in 2026: Why “Compliant” Isn’t Enough Anymore: after an incident, leaders need to answer what was accessed, how long the actor was inside, what data was touched, who was affected, and whether they can prove it. Their bluntest field note belongs in this section: “You can’t analyze logs that don’t exist.”
Cloud evidence should be routed like production work. A failed check opens a Jira or ServiceNow ticket. The ticket carries the asset, owner, control citation, SLA, and exemption history. Fix the configuration, and the finding closes. If you approve an exception, it gets an expiry date. Miss the expiry; it reopens. Cute PDF binders do not do that.
Cross-framework mapping is where the work stops feeling like HIPAA-only labor. The same evidence pipeline that proves HIPAA technical safeguards also supports HITRUST CSF, SOC 2 Type II Security, and GDPR Article 32 for the security of processing. GDPR cloud security and compliance are not parallel programs when the same controls already prove encryption, access, logging, and incident response.
Healthcare cloud security and compliance is the same work, evidenced differently for each framework. Our IT Compliance already maps to over 900 UCF authority documents, providing a pre-existing mapping for the auditor’s framework of choice.

Findings carry the CMDB context: asset, owner, environment, citation, exemption history. With continuous HIPAA evidence and CMDB-aware CSPM, the audit packet is a query, not an assembly. The same discipline supports an ISO 27001 risk assessment when the team needs a framework-aligned risk path.

Continuous evidence is not a dashboard decision. It shifts the weekly meeting from “what do we need for audit?” to “what changed, what failed, who owns it, and when does the exception expire?”
That is the shift. Less theater. More proof.
Igor, Cloudaware DevOps Engineer
Make HIPAA evidence ready before the auditor asks
Cloudaware helps cloud, security, compliance, and DevSecOps teams keep ePHI evidence tied to the asset that creates the risk.
Not in a spreadsheet.
Not in a screenshot folder.
Not in the engineer’s memory from last quarter’s AWS review.
Cloudaware’s CMDB gives teams visibility across AWS, Azure, GCP, VMware, Kubernetes, and SaaS, then connects that asset inventory with security, compliance, log, ownership, and workflow context. That matters for HIPAA because the auditor does not ask, “Do you have cloud tools?” They ask whether HIPAA Security Rule §164.312 controls are working for the systems that store, process, transmit, or log ePHI. Cloudaware positions its CMDB as a multi-cloud asset system for AWS, Azure, GCP, VMware, and SaaS, with auto-discovery and normalized inventory.

For healthcare teams, the value is direct: Find every ePHI-bearing asset. Prove the BAA scope. Show access, encryption, logs, findings, exceptions, and owners without rebuilding the evidence packet by hand.
That is the job.
| Cloudaware capability | What it helps prove in a HIPAA cloud environment |
|---|---|
| CMDB | A live ePHI asset register across AWS, Azure, GCP, Kubernetes, VMware, and SaaS. Use it to carry owner, environment, data tier, BAA reference, Subcontractor context, and linked findings on the asset record. Cloudaware states its platform supports 3,000+ cloud services and CI types. |
| CSPM | Continuous checks for misconfigurations that break evidence: public storage, missing logging, weak IAM, unencrypted assets, expired exceptions, risky network exposure. Cloudaware describes CSPM as enforcing cloud security controls with detailed CMDB configuration data. |
| IT Compliance | Evidence collection and assessment for HIPAA, HITRUST, SOC 2, GDPR, NIST 800-66, and internal policies. The practical win: one control result can support more than one framework instead of creating separate audit work. Cloudaware describes IT Compliance as automating evidence collection and assessment. |
| SIEM | Cloud log source discovery with CMDB context, so §164.312(b) audit controls can show which asset, owner, service, and environment produced the event. Cloudaware describes SIEM as centralized cloud logs with log source discovery and CMDB-enriched service logs. |
| Integrations | Route failed checks into Jira, ServiceNow, PagerDuty, Slack, or the workflow the team already uses. Findings need owners and closure, not another export. Cloudaware lists integrations with Jira and PagerDuty in its CMDB workflow context. |
The clean operating model looks like this:
Asset → owner → BAA → control → evidence → exception → ticket → export.
When someone asks, “show me every ePHI store without audit logging,” the answer should not require three engineers and a calendar invite.
It should be a query.