Quick Answer: Major cloud providers (AWS, Microsoft Azure, Google Cloud) all offer HIPAA-eligible services and will sign Business Associate Agreements. However, signing a BAA with your cloud provider does not automatically make your cloud deployment HIPAA compliant — compliance is a shared responsibility. Your organization is responsible for properly configuring services, managing access controls, encrypting data, and maintaining audit logs within the cloud environment.

The Shared Responsibility Model for HIPAA in the Cloud

Cloud HIPAA compliance operates on a shared responsibility model. The cloud provider is responsible for securing the underlying infrastructure: physical data centers, networking hardware, and the hypervisor layer. Your organization is responsible for everything you put on top of that infrastructure: your applications, data, user access, encryption configuration, and compliance documentation. Where the line sits depends on the service model. For a virtual machine you patch the operating system yourself; for a managed database the provider patches the engine, but you still own the access policies, encryption settings, and logging configuration.

This means that even with a signed Business Associate Agreement, your organization can still violate HIPAA through misconfigured cloud services, overly permissive access controls, unencrypted storage buckets, or inadequate logging.

HIPAA Requirements for Cloud Deployments

The core HIPAA requirements apply equally to cloud environments. You must encrypt all ePHI at rest and in transit (now mandatory under the 2026 Security Rule update). Implement role-based access controls with multi-factor authentication. Enable comprehensive audit logging for all PHI access. Conduct regular vulnerability assessments of your cloud infrastructure. And maintain backup and disaster recovery procedures that meet HIPAA’s availability requirements.

AWS and HIPAA Compliance

Amazon Web Services offers a broad set of HIPAA-eligible services and will sign a BAA, which you accept through the AWS Artifact portal. Key considerations include using only HIPAA-eligible services for PHI (not every AWS service qualifies), enabling AWS CloudTrail across all regions for audit logging, configuring S3 default encryption, bucket policies, and S3 Block Public Access, granting AWS Identity and Access Management (IAM) permissions at the minimum necessary level, and using AWS Config rules for continuous compliance monitoring.

Microsoft Azure and HIPAA Compliance

Microsoft Azure is widely used in healthcare and includes HIPAA BAA terms in its standard online services agreement, so a separate negotiation is usually not required. Azure provides built-in HIPAA/HITRUST policy initiatives in Azure Policy for compliance assessment, Azure Monitor and Log Analytics for audit trails, and Microsoft Entra ID (formerly Azure Active Directory) for access management, where Conditional Access policies can require multi-factor authentication and compliant devices for access to PHI.

Google Cloud and HIPAA Compliance

Google Cloud Platform offers a BAA covering its listed HIPAA-eligible services and provides a healthcare-specific solution set. The Cloud Healthcare API provides healthcare data management, VPC Service Controls provide network-level isolation around projects that hold PHI, and Identity-Aware Proxy enables zero-trust access models. Cloud Audit Logs record administrative activity by default, but Data Access audit logs, which are what capture reads and writes of PHI, must be enabled explicitly for most services.

Common Cloud HIPAA Compliance Mistakes

The most common mistakes we see in cloud HIPAA compliance include assuming the cloud provider handles everything (the shared responsibility gap), using non-HIPAA-eligible services for PHI processing, failing to encrypt data at rest in cloud storage, overly broad IAM permissions that violate minimum necessary, not enabling or monitoring audit logs, and skipping the cloud components in the annual Security Risk Analysis.
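Two of the mistakes just listed, overly broad IAM permissions and unencrypted data at rest, show up directly in the policy documents attached to S3 buckets, and the AWS section above lists bucket policies and IAM as key configuration points. The following is an added example written for this article, not Medcurity's code or an AWS tool: a small Python linter that takes a bucket policy document and flags Allow statements with wildcard actions, wildcard resources, or an unconditional public principal, and reports whether the policy carries the Deny statements AWS documents for enforcing server-side encryption on uploads and TLS on every request. The two sample policies, the bucket name, the account ID and the role ARN are constructed placeholders.

```python
"""Lint S3 bucket policy documents for HIPAA-relevant weaknesses.

Added example for this article, not Medcurity's or AWS's code. It checks a
policy for grants broader than minimum necessary and for missing enforcement
of encryption at rest (SSE on PutObject) and in transit (TLS only). The
bucket name, role ARN and account ID in the samples are placeholders.
"""

SSE_HEADER = "s3:x-amz-server-side-encryption"


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy):
    """Return a list of findings for Allow statements that are too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action {actions} exceeds minimum necessary")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies the grant to every bucket and object")
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(f"{sid}: unconditional public Principal exposes PHI to anyone")
    return findings


def enforces_sse(policy):
    """True if a Deny blocks s3:PutObject unless the SSE header is set (or set to KMS)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get(SSE_HEADER, "")).lower() == "true":
            return True
        if SSE_HEADER in cond.get("StringNotEquals", {}):
            return True
    return False


def enforces_tls(policy):
    """True if a Deny rejects requests made without TLS (aws:SecureTransport false)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


# Constructed sample: the kind of policy that makes a PHI bucket world-readable.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenToAll", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "*"}
    ],
}

# Constructed sample: one application role, specific actions, one bucket, plus
# the two Deny statements that enforce KMS encryption on upload and TLS on access.
BUCKET = "arn:aws:s3:::example-phi-bucket"
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET}/*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)):
        print(f"{name}: findings={audit_policy(policy)} "
              f"sse={enforces_sse(policy)} tls={enforces_tls(policy)}")
```

A policy linter only sees what is in the document: S3 Block Public Access and default bucket encryption are separate bucket settings that must be checked on their own, and a Deny in a bucket policy does not substitute for tight IAM policies on the principals themselves. In a real account you would feed this the JSON returned by the S3 `get_bucket_policy` API for every bucket, or rely on the AWS Config managed rules that cover the same conditions, so that a drift toward a wildcard grant is flagged continuously rather than once a year at SRA time.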

Your Cloud SRA: A Critical Step

Your Security Risk Analysis must include your cloud infrastructure. This means evaluating risks specific to cloud deployments including data residency, multi-tenancy risks, API security, third-party integrations, and disaster recovery capabilities. Many organizations conduct their SRA only for on-premises systems and miss their cloud footprint entirely — a significant compliance gap.

Understand what cloud HIPAA compliance typically costs and how it fits into your overall compliance budget. Review our 2026 HIPAA Compliance Checklist to ensure your cloud deployment doesn’t have gaps.

How Medcurity Helps with Cloud Compliance

Medcurity’s SRA platform includes cloud-specific risk assessment categories that help you evaluate your AWS, Azure, or Google Cloud deployment against HIPAA requirements. Our guided assessment ensures you don’t miss cloud-specific risks, and our remediation tracking helps you close gaps systematically.

Request a Demo to see how Medcurity simplifies HIPAA compliance for cloud-based healthcare organizations.

Frequently Asked Questions

Is AWS HIPAA compliant?

AWS offers HIPAA-eligible services and will sign a Business Associate Agreement, but using AWS does not automatically make your deployment HIPAA compliant. You are responsible for configuring services properly, managing access, encrypting data, and maintaining compliance documentation.

Do I need a BAA with my cloud provider?

Yes. Any cloud provider storing or processing PHI on your behalf is a business associate under HIPAA and must sign a BAA before you store any PHI in their infrastructure.

Can I store PHI in the cloud?

Yes, provided you use HIPAA-eligible cloud services, have a BAA in place with the provider, properly configure encryption and access controls, and include the cloud environment in your Security Risk Analysis.
