In 2022, OCR settled with a health plan for $875,000 after an investigation revealed that protected health information stored in a cloud environment lacked basic access controls and encryption. The organization assumed its cloud vendor was handling security. It wasn't. If your organization stores, processes, or transmits PHI in the cloud, understanding what actually constitutes a HIPAA compliant cloud environment is not optional — it's a regulatory requirement under the HIPAA Security Rule.
And yes, the correct spelling is HIPAA — the Health Insurance Portability and Accountability Act — though "HIPPA" remains one of the most common misspellings in healthcare compliance searches. Regardless of how you found this page, the requirements are the same.
What Makes a Cloud Environment HIPAA Compliant
No cloud platform is inherently HIPAA compliant. AWS, Google Cloud, and Microsoft Azure all offer infrastructure that can support compliance, but the configuration, policies, and agreements are what determine whether your use of that infrastructure meets HIPAA standards.
A HIPAA compliant cloud deployment requires three foundational elements:
- A signed Business Associate Agreement (BAA) between your covered entity (or business associate) and the cloud service provider, as required under 45 CFR §164.502(e) and §164.504(e).
- Technical safeguards mandated by the HIPAA Security Rule, including encryption at rest and in transit, unique user identification, access controls, and audit logging.
- Administrative and physical safeguards that address workforce access, incident response, and data center security — shared responsibilities between your organization and the cloud provider.
Without all three, your cloud environment is a liability, not an asset.
The Business Associate Agreement Requirement You Cannot Skip
OCR has been unambiguous on this point: any cloud service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate under the Omnibus Rule. That includes IaaS, PaaS, and SaaS providers — even if the vendor claims it never "looks at" the data.
In its 2016 cloud computing guidance, HHS stated that a CSP is a business associate even if it stores only encrypted PHI and does not hold the decryption key. The logic is straightforward: the entity has possession of PHI.
If your cloud provider refuses to sign a BAA, you cannot use that service for any workload involving protected health information. Full stop.
Encryption Standards OCR Expects in Cloud Deployments
The Security Rule at 45 CFR §164.312(a)(2)(iv) and §164.312(e)(2)(ii) treats encryption as an addressable specification. Addressable does not mean optional: under §164.306(d)(3) you must either implement the specification or document why it is not reasonable and appropriate for your environment and put an equivalent alternative in place. In practice, OCR treats the absence of encryption in cloud environments as a red flag during investigations.
For a HIPAA compliant cloud configuration, implement at minimum:
- AES-256 encryption at rest for all databases, storage buckets, snapshots, and backups containing PHI, applied as the default for the resource rather than object by object.
- TLS 1.2 or higher for all data in transit between your systems, the cloud provider, and end users, with plaintext connections rejected at the resource rather than merely left unused.
- Customer-managed encryption keys where possible, so that your organization, not the vendor, controls who can decrypt, rotates the key on its own schedule, and can cut off access by disabling the key.
Encryption alone doesn't equal compliance, but unencrypted PHI with no documented equivalent alternative is almost certain to draw a violation finding during an OCR investigation. Encryption also matters after an incident: PHI that is encrypted consistent with HHS guidance is treated as secured, so its loss is not a reportable breach under the Breach Notification Rule, whereas loss of unencrypted PHI is.
Risk Analysis: The Step Most Organizations Rush Through
Under 45 CFR §164.308(a)(1)(ii)(A), every covered entity and business associate must conduct a thorough risk analysis. When you move PHI to the cloud, the scope of that analysis expands significantly.
Healthcare organizations consistently struggle with cloud risk analysis because they treat it as a one-time checklist rather than an ongoing process. Your risk analysis must account for:
- Shared responsibility models — which security controls the cloud provider manages and which your organization owns.
- Multi-tenancy risks and logical data separation.
- API security, identity federation, and privileged access management.
- Data residency and jurisdiction — where PHI physically resides and which regulations apply.
Document everything. OCR investigators don't just want to see that you use a reputable cloud vendor. They want to see evidence that you evaluated the risks specific to your deployment and implemented reasonable safeguards.
The Workforce Training Gap That Creates Cloud Breaches
In my work with covered entities migrating to the cloud, the biggest vulnerability is rarely technical — it's human. Misconfigured storage buckets, overly permissive IAM roles, and employees accessing cloud-hosted PHI from unsecured devices account for a disproportionate share of breaches reported to HHS.
The HIPAA Security Rule at 45 CFR §164.308(a)(5) requires security awareness and training for your entire workforce. When your infrastructure moves to the cloud, your training program must evolve with it. Staff need to understand the minimum necessary standard when accessing cloud-hosted records, how to recognize phishing attempts targeting cloud credentials, and your organization's policies on approved devices and networks.
Investing in HIPAA training and certification that covers cloud-specific scenarios is one of the most cost-effective steps your organization can take. Generic annual training that ignores your cloud environment leaves your workforce — and your patients — exposed.
Building a Compliance-First Cloud Strategy
Moving to the cloud can strengthen your HIPAA compliance posture, but only if you treat compliance as a design requirement rather than an afterthought. Here's what I recommend to every organization I work with:
- Select cloud providers willing to sign a BAA and clearly document the shared responsibility model.
- Enable logging and monitoring on all cloud resources that touch PHI (CloudTrail, Azure Monitor, Cloud Audit Logs, or equivalent), and store the logs where the accounts that generate them cannot alter or delete them.
- Automate compliance checks using cloud-native tools that flag misconfigurations before they become breach reports.
- Review access controls quarterly and revoke permissions for terminated workforce members immediately.
- Update your risk analysis annually or whenever you make significant changes to your cloud architecture.
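The encryption baseline above and the "automate compliance checks" step both reduce to a handful of testable conditions on each storage resource. What follows is an added example, not code from the article or from HIPAA Certify: a Python policy-as-code check that evaluates constructed bucket descriptions shaped like the AWS S3 GetBucketEncryption, GetBucketPolicy and GetBucketLogging responses. The bucket names, key ARN and account number are hypothetical; in production the same functions would be fed live API output, for example from an AWS Config custom rule or a CI gate that runs before infrastructure changes are applied.

```python
"""Policy-as-code checks for PHI storage buckets (added example, not from the article).

Runs offline over constructed resource descriptions shaped like the responses of
the S3 GetBucketEncryption, GetBucketPolicy and GetBucketLogging API calls.
Bucket names, the key ARN and the account number are hypothetical.
"""


def check_encryption_at_rest(encryption_config):
    """Require SSE-KMS with a customer-managed key, not SSE-S3 or the AWS-managed aws/s3 key."""
    rules = (encryption_config or {}).get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    findings = []
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = sse.get("SSEAlgorithm")
        key_id = sse.get("KMSMasterKeyID", "")
        if algorithm != "aws:kms":
            findings.append(f"default encryption is {algorithm or 'none'}; expected aws:kms")
        elif not key_id or "alias/aws/" in key_id:
            # An empty KMSMasterKeyID means S3 falls back to the AWS-managed aws/s3 key,
            # which the customer cannot scope, rotate on demand or disable.
            findings.append("SSE-KMS uses the AWS-managed key; specify a customer-managed key")
    return findings


def check_transport(policy):
    """Require Deny statements for plaintext HTTP and for TLS versions below 1.2."""
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    denies_plaintext = denies_old_tls = False
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        # The condition value may be the string "false" or a JSON boolean.
        if str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false":
            denies_plaintext = True
        min_tls = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if min_tls is not None and float(min_tls) >= 1.2:
            denies_old_tls = True
    findings = []
    if not denies_plaintext:
        findings.append("no Deny on aws:SecureTransport=false; plaintext HTTP is accepted")
    if not denies_old_tls:
        findings.append("no Deny on s3:TlsVersion < 1.2; legacy TLS is accepted")
    return findings


def check_logging(logging_config):
    """Require server access logging so object reads leave an audit trail."""
    if not (logging_config or {}).get("LoggingEnabled"):
        return ["server access logging is disabled"]
    return []


def evaluate_bucket(bucket):
    """Return all findings for one bucket description; an empty list means compliant."""
    return (
        check_encryption_at_rest(bucket.get("encryption"))
        + check_transport(bucket.get("policy"))
        + check_logging(bucket.get("logging"))
    )


# Constructed sample input: the same bucket at common defaults and after hardening.
WEAK_BUCKET = {
    "name": "phi-claims-archive",
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "policy": None,
    "logging": {},
}

HARDENED_BUCKET = {
    "name": "phi-claims-archive",
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    }}]},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::phi-claims-archive", "arn:aws:s3:::phi-claims-archive/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::phi-claims-archive", "arn:aws:s3:::phi-claims-archive/*"],
         "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
    ]},
    "logging": {"LoggingEnabled": {"TargetBucket": "phi-access-logs", "TargetPrefix": "claims/"}},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        findings = evaluate_bucket(bucket)
        print(bucket["name"], "->", findings or "compliant")
```

Two design points: the weak bucket is encrypted (SSE-S3, AES-256) and still fails, because the key is not one the organization controls; and the transport check looks for two separate Deny statements, since `aws:SecureTransport` only rejects plaintext HTTP while `s3:TlsVersion` is what enforces the TLS 1.2 floor.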
A HIPAA compliant cloud environment is not a product you purchase. It's a state you achieve and maintain through documented policies, technical controls, vendor management, and continuous workforce education.
If your organization is evaluating its cloud compliance readiness, start with the fundamentals. HIPAA Certify's workforce compliance platform helps covered entities and business associates build the training foundation that regulators expect — including the cloud-specific competencies that matter in 2024 and beyond.