In 2022, OCR settled with a health plan for $1.25 million after an investigation revealed that the organization had migrated protected health information to a cloud platform without executing a business associate agreement or verifying the vendor's security controls. The organization assumed the cloud provider's general security certifications were sufficient. They weren't. If your organization is evaluating a HIPAA compliant cloud provider, the lesson is clear: no certification badge or marketing claim substitutes for the due diligence HIPAA actually requires.

What Makes a Cloud Provider a HIPAA Compliant Cloud Provider

Here's the uncomfortable truth: no federal agency certifies a cloud vendor as "HIPAA compliant." OCR has stated explicitly that there is no such certification. When a cloud provider markets itself as HIPAA compliant, what it should mean is that the vendor is willing and able to meet the requirements of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule as they apply to business associates under 45 CFR Part 164.

In practical terms, a cloud provider handling PHI on your behalf becomes your business associate. That status triggers specific obligations — regardless of whether the provider ever views, processes, or interacts with the data directly. Even a provider offering storage-only services where PHI is encrypted must sign a business associate agreement (BAA) and maintain compliant security practices.

The Business Associate Agreement Is Non-Negotiable

Every covered entity I work with understands, at least conceptually, that a BAA is required. What many underestimate is the specificity that BAA must contain. Under 45 CFR § 164.314(a)(2), your BAA with a cloud provider must establish permitted uses and disclosures of PHI, require the provider to implement appropriate safeguards, mandate breach reporting, and address return or destruction of PHI at contract termination.

A generic terms-of-service document — even one that references HIPAA — does not satisfy this requirement. I've reviewed BAAs from major cloud platforms that leave critical gaps around incident notification timelines and subcontractor obligations. Your organization is responsible for ensuring the agreement meets regulatory standards before a single byte of PHI hits the cloud.

Five Security Controls to Verify Before Signing

Marketing pages from cloud vendors will list dozens of security features. Focus your evaluation on the controls that map directly to HIPAA Security Rule requirements under 45 CFR § 164.312:

  • Encryption at rest and in transit: Verify AES-256 encryption for stored data and TLS 1.2 or higher for data in motion. Encryption is an addressable implementation specification, but OCR expects covered entities to implement it unless a documented, equivalent alternative exists.
  • Access controls and audit logging: The provider must support unique user identification, automatic logoff configurations, and comprehensive audit logs that track who accessed PHI, when, and what actions were taken.
  • Backup and disaster recovery: Confirm the vendor's data backup frequency, recovery time objectives, and geographic redundancy. These map directly to the contingency plan standard at § 164.308(a)(7).
  • Incident detection and breach notification: The provider must have documented processes for detecting security incidents and notifying your organization within the timeframe specified in your BAA — ideally well within the 60-day Breach Notification Rule window.
  • Subcontractor management: Under the Omnibus Rule, your cloud provider must execute BAAs with its own subcontractors who handle PHI. Ask for documentation proving this chain of compliance exists.

Conduct Your Own Risk Analysis — Don't Rely on the Vendor's

One of the most common mistakes healthcare organizations make is treating a vendor's SOC 2 report or security whitepaper as a substitute for the risk analysis required under 45 CFR § 164.308(a)(1). Those documents are useful inputs, but they don't assess risk from your organization's perspective.

Your risk analysis must evaluate how PHI flows to and from the cloud environment, who within your workforce has access, how access is provisioned and revoked, and what residual risks remain even with the provider's controls in place. OCR has cited failure to conduct a thorough, organization-specific risk analysis in the majority of its enforcement actions — it remains the single most frequently violated HIPAA provision.

The Workforce Training Gap That Creates Cloud Liability

Migrating to a HIPAA compliant cloud provider introduces new workflows, new access points, and new risks that your workforce must understand. The Security Rule's workforce training requirement at § 164.308(a)(5) applies here directly. Staff who interact with cloud-hosted PHI need to understand how to authenticate properly, recognize phishing attempts targeting cloud credentials, and apply the minimum necessary standard when accessing records.

Generic annual training won't address these specifics. Organizations that invest in targeted HIPAA training and certification tailored to their actual technology environment see measurably lower incident rates. If your team is accessing PHI through a cloud portal, your training program must reflect that reality.

When OCR investigates a breach involving cloud-hosted PHI, investigators follow a consistent pattern. They request your executed BAA, your most recent risk analysis, evidence of workforce training, and documentation showing how you evaluated the provider's security posture before deployment.

If any of those elements are missing or outdated, your organization faces potential HIPAA violation penalties regardless of whether the cloud provider was actually at fault. OCR's enforcement framework holds covered entities accountable for their vendor oversight obligations. The provider's failure becomes your failure when due diligence wasn't performed.

Build a Vendor Evaluation Checklist Before You Compare Providers

Before reviewing a single cloud vendor's sales deck, document your requirements. Map your PHI data flows. Identify every system and user that will interact with the cloud environment. Define your acceptable risk thresholds. Then evaluate each potential HIPAA compliant cloud provider against those documented criteria — not against their competitors.

This approach transforms vendor selection from a marketing-driven decision into a compliance-driven one. It also creates the documentation trail OCR expects to see.

Cloud adoption in healthcare is accelerating, and the compliance risks are accelerating with it. The organizations that protect themselves are the ones that treat cloud migration as a regulatory event — not just an IT project. Comprehensive workforce HIPAA compliance programs and rigorous vendor management aren't optional extras. Under current OCR enforcement priorities, they're the baseline expectation.