HIPAA compliance in cloud-based healthcare: a guide to ePHI, BAAs, and shared responsibility

by SecureSlate Team in HIPAA

Why cloud changes HIPAA compliance (but not obligations)

Cloud adoption is standard in modern healthcare—from EHR hosting to telehealth platforms to analytics pipelines. HIPAA compliance in cloud-based healthcare still requires the same Privacy Rule and Security Rule outcomes: protect PHI, limit uses and disclosures, and respond appropriately to incidents.

What changes is how you implement controls. Responsibility is shared between your organization and cloud providers. Misconfigured storage, missing BAAs, and unclear subprocessors remain leading sources of healthcare breaches.

This guide covers shared responsibility, technical safeguards, migration practices, and vendor diligence for cloud environments handling ePHI.



Key takeaways

  • HIPAA obligations stay with covered entities and business associates—cloud providers do not "become compliant" on your behalf without your configuration and governance.
  • Execute a BAA before PHI enters HIPAA-eligible services.
  • Encryption, access control, and logging are your responsibility even when the cloud provides the tools.
  • Subprocessors and regions matter for data residency, breach response, and vendor reviews.
  • Continuous configuration monitoring prevents public bucket and IAM misconfiguration incidents.

Shared responsibility model for HIPAA in the cloud

Major cloud providers publish shared responsibility models. For HIPAA:

| Layer | Cloud provider typically responsible | Customer typically responsible |
|---|---|---|
| Physical data centers | Facility security, hardware | |
| Hypervisor / core infrastructure | Platform security | |
| Network controls (available tools) | Providing VPC, firewalls, private links | Configuring rules correctly |
| Identity and access | Providing IAM, MFA capabilities | Role design, least privilege, reviews |
| Encryption | Providing encryption services | Enabling encryption, key management choices |
| Applications & PHI | | Secure SDLC, PHI logic, minimum necessary |
| Logging & monitoring | Providing log services | Enabling logs, retention, alert review |
| Incident response | Platform incident comms | Your breach assessment and patient notification |

Document which controls your team owns in a HIPAA cloud responsibility matrix attached to your risk analysis.


BAAs and HIPAA-eligible cloud services

Not every cloud product is appropriate for PHI. Providers often designate HIPAA-eligible services that can be used with a BAA.

Best practices:

  • Sign BAAs with cloud providers before storing or processing ePHI
  • Maintain a list of in-scope services (compute, storage, databases, messaging)
  • Block use of non-eligible services (consumer file sync, non-BAA analytics) via policy and technical guardrails
  • Review subprocessor lists and data processing locations
  • Include cloud providers in your vendor inventory with renewal and assessment dates

Using HIPAA-eligible services without proper configuration still yields breaches—eligibility is necessary, not sufficient.


Technical safeguards for ePHI in cloud environments

Map Security Rule expectations to cloud controls:

Access control

  • Central identity provider with MFA
  • Role-based access to PHI environments
  • Just-in-time admin access where possible
  • Separate production and non-production; avoid real PHI in dev/test

Encryption

  • Encrypt ePHI at rest with managed or customer-managed keys
  • TLS 1.2+ for data in transit
  • Document key rotation and access to keys

Audit controls

  • Enable cloud audit logs (API activity, admin changes)
  • Forward logs to SIEM with retention meeting policy
  • Alert on public exposure changes and IAM policy edits

Integrity and transmission security

  • Validate backup integrity and restore testing
  • Use private networking for service-to-service PHI flows
  • Sign and scan containers/images in healthtech pipelines

| Control area | Example cloud services (generic) | Evidence to retain |
|---|---|---|
| Encryption | Object storage encryption, database TDE | Config screenshots, policy docs |
| Network | Private subnets, security groups | Architecture diagrams |
| Logging | Audit trails, VPC flow logs | Sample review tickets |
| Backup | Snapshots, cross-region replication | Restore test records |

Cloud migration checklist for healthcare organizations

Before migrating workloads with ePHI:

  1. Inventory PHI in source systems and integrations
  2. Execute/update BAAs with cloud and migration vendors
  3. Design target architecture with least privilege and encryption defaults
  4. Plan cutover minimizing PHI duplication and stray copies
  5. Validate logging and monitoring before go-live
  6. Update risk analysis and policies for new environment
  7. Train workforce on new access patterns and support procedures
  8. Run post-migration access review within 30 days

Decommission legacy systems with certified media sanitization or destruction procedures.


Multi-tenant SaaS and healthtech considerations

Many healthcare teams use multi-tenant SaaS instead of self-managed cloud. Additional diligence includes:

  • Tenant isolation architecture reviews
  • Data segregation guarantees in contracts
  • Support access controls (who at vendor can see PHI, under what approvals)
  • Penetration test summaries and remediation status
  • Uptime and disaster recovery commitments aligned with clinical needs

Healthtech vendors must treat customer environments as regulated workloads—configuration drift in one tenant can affect trust across the customer base.


Monitoring, logging, and incident response in the cloud

Cloud breaches often stem from misconfiguration, not sophisticated attacks.

Ongoing practices:

  • Continuous CSPM (cloud security posture management) or equivalent checks
  • Alerts on public S3/Blob containers, open security groups, disabled logging
  • Immutable audit trails for admin actions
  • Runbooks linking cloud incidents to HIPAA breach assessment workflows
  • Forensic snapshots and log preservation procedures for investigations

Test incident response with scenarios like ransomware on backup systems or compromised admin credentials.
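To make the alerting bullets above (and the audit-control bullet on alerting for public exposure changes) concrete, here is an added example, not code from the article or from SecureSlate, of CSPM-style checks for the three misconfigurations named: public buckets, internet-open security groups, and disabled audit logging. It runs over a constructed inventory whose field names follow the AWS API response shapes for GetPublicAccessBlock/GetBucketAcl, DescribeSecurityGroups and GetTrailStatus; the bucket, security group and trail values are invented.

```python
# Added example (not from the article): CSPM-style checks over a constructed
# inventory shaped like AWS API responses; resource names and values are made up.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}  # admin and database ports

def bucket_is_public(bucket: dict) -> bool:
    """An anonymous ACL grant only matters if Block Public Access is not fully on."""
    pab = bucket.get("PublicAccessBlock", {})
    fully_blocked = all(pab.get(k, False) for k in PAB_KEYS)
    public_grant = any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
                       for g in bucket.get("Grants", []))
    return public_grant and not fully_blocked

def open_ingress(sg: dict) -> list:
    """Ingress rules exposing sensitive ports (or all traffic) to the whole internet."""
    hits = []
    for rule in sg.get("IpPermissions", []):
        if not (any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
                or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))):
            continue
        if rule.get("IpProtocol") == "-1":  # "-1" means every protocol and port
            hits.append("all-traffic")
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        hits.extend(f"tcp/{p}" for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi)
    return hits

def logging_disabled(trail: dict) -> bool:
    """A stopped or single-region trail leaves admin activity unrecorded."""
    return not (trail.get("IsLogging") and trail.get("IsMultiRegionTrail"))

def evaluate(inventory: dict) -> list:
    """One finding string per misconfiguration, in a stable order for alerting."""
    findings = [f"PUBLIC_BUCKET {b['Name']}" for b in inventory["buckets"] if bucket_is_public(b)]
    for sg in inventory["security_groups"]:
        findings += [f"OPEN_INGRESS {sg['GroupId']} {h}" for h in open_ingress(sg)]
    findings += [f"LOGGING_DISABLED {t['Name']}" for t in inventory["trails"] if logging_disabled(t)]
    return findings

SAMPLE = {  # constructed: one blocked bucket, one public bucket, one open SG, one stopped trail
    "buckets": [{"Name": "ehr-exports", "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True),
                 "Grants": [{"Grantee": {"URI": ALL_USERS}}]},
                {"Name": "claims-archive", "PublicAccessBlock": {},
                 "Grants": [{"Grantee": {"URI": ALL_USERS}}]}],
    "security_groups": [{"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
                         "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "trails": [{"Name": "org-trail", "IsLogging": False, "IsMultiRegionTrail": True}],
}
```

Calling `evaluate(SAMPLE)` yields one finding per misconfigured resource, which is the shape a runbook can map onto the HIPAA breach assessment workflow described above.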


Common cloud HIPAA pitfalls

| Pitfall | Consequence | Prevention |
|---|---|---|
| PHI in non-BAA services | Privacy Rule violation | Service allowlists, procurement gates |
| Over-permissive IAM roles | Large blast radius | Least privilege, periodic reviews |
| Missing encryption on backups | Unsecured PHI | Encrypt backups; test restores |
| Shadow IT file sharing | Uncontrolled disclosures | DLP, workforce training |
| Stale vendor assessments | Unknown subprocessors | Annual reviews, change notifications |
| Real PHI in lower environments | Avoidable exposure | Synthetic data, tokenization |

Manage cloud HIPAA compliance with SecureSlate

Cloud environments change daily. SecureSlate helps teams keep HIPAA evidence aligned with reality.

SecureSlate helps teams:

  • Link cloud systems to PHI inventories and control owners
  • Track BAAs, subprocessors, and vendor assessments
  • Run recurring access reviews and policy workflows
  • Maintain audit-ready documentation for migrations and customer reviews

Get started for free to operationalize HIPAA across cloud and SaaS stacks.


FAQ

Is public cloud HIPAA compliant by default?

No. Cloud providers offer HIPAA-eligible services and BAAs, but customers must configure safeguards and govern usage.

Do we need a BAA with our cloud provider?

Yes, when the provider is a business associate creating, receiving, maintaining, or transmitting ePHI on your behalf.

Can we use consumer cloud apps for PHI?

Generally no—not without appropriate BAA-covered enterprise offerings and controls. Consumer tiers typically lack HIPAA commitments.

Who is responsible for encryption in the cloud?

Customers must enable and manage encryption appropriately, even when the provider supplies encryption features.

How often should we review cloud configurations for HIPAA?

Continuous automated monitoring plus formal quarterly reviews is a common pattern for high-risk environments.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to HIPAA and related regulations, you should consult a licensed attorney.
