Guidance on HIPAA Compliant Cloud Hosting

Posted on March 12, 2020

More and more healthcare organizations are turning to HIPAA-compliant cloud hosting companies to help them complete their digital transformations and securely move their IT infrastructure, data, and applications to the cloud. Learn how to deploy a reference architecture for HIPAA in the AWS Cloud and stay HIPAA compliant.

Being on the cloud is critical today and critical for the future of healthcare organizations that are subject to HIPAA. It promises a future where your network never becomes obsolete and you never have to buy hardware again: there are no boundaries, and you can access your system from any device, anywhere in the world, at any time.

Cloud-based environments significantly decrease your costs. Infrastructure hardware and maintenance costs are eliminated, while energy usage can be decreased. Simply put, cloud computing is a better way to run your business.

Healthcare IT environments require a level of care that goes above and beyond the norm. Cloud computing is not specifically mentioned in the HIPAA/HITECH texts. Still, it is covered by the HIPAA Privacy and Security Rules, and there are restrictions placed on the use of cloud services in connection with protected health information (PHI) and patient data.

So, what is HIPAA cloud hosting?


Healthcare organizations looking for secure HIPAA-compliant cloud hosting and networking are increasingly turning to the cloud, which has quickly become a low-cost way to develop the complex infrastructure required to support a variety of critical organizational activities.

Cloud hosting offers the healthcare industry many benefits, including cost savings, remote file sharing, custom applications, and expanded storage. It gives healthcare IT departments and digital health technology vendors the ability to create a robust and secure HIPAA-compliant infrastructure to store, back up, and maintain Protected Health Information (PHI).

When selecting a healthcare cloud provider, an organization needs to perform due diligence to ensure the information they are entrusting to this provider will be secured in accordance with the healthcare data regulations.



The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy of sensitive patient information. Covered entities under the law include healthcare plans, healthcare clearinghouses, and certain types of healthcare providers.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA requirements to business associates. A business associate is any service provider who has access to the Protected Health Information (PHI) of a covered entity.

According to these security rules, anyone who develops platforms or applications for the healthcare industry and handles Protected Health Information (PHI) is required to meet the national standards for the physical, administrative, and technical safeguarding of health information.

Does your business collect, store, or transmit PHI to a covered entity? Then you definitely should be HIPAA compliant, and your business will most likely require a HIPAA-compliant cloud hosting server.

Cloud vendors should provide a reliable and scalable computing platform that can support healthcare customers’ applications in a manner consistent with the following:

  1. Health Insurance Portability and Accountability Act (HIPAA)
  2. Health Information Technology for Economic and Clinical Health (HITECH)
  3. The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)


The fact that a cloud storage provider offers a Business Associate Agreement (BAA), specific administrative and security controls, and encryption does not, in and of itself, make a healthcare organization HIPAA compliant by default.

This is how Amazon Web Services (AWS) explains it: “Any AWS service can be used with a healthcare application, but only services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information under HIPAA.

In the AWS Cloud, security is shared between AWS and the customer, meaning that certain elements of security – such as physical security of the underlying infrastructure – are now the responsibility of AWS. Customers are still responsible for other aspects of security, such as the security measures used to protect your applications – which is no different than if your application was running in a traditional data center.”

Ultimately, the covered entity or business associate is the one responsible for making sure all its regulatory mandates are being followed.

HIPAA-covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. As you look for a compliant healthcare cloud, ask these key questions:

  1. Have they had an external assessment done by a third party?
  2. Have they been assessed against the HIPAA Security Rule?
  3. What assurance can they make in safeguarding your data?


Below is an eleven-part checklist of the most important features a HIPAA-compliant cloud hosting environment should include:

  •  A robust firewall and intrusion prevention system.
  •  Encrypted VPNs for securely connecting to the cloud to access, upload, or download PHI.
  •  Robust encryption for data at rest.
  •  Strong authentication controls including multifactor authentication.
  •  Event log management to maintain an audit trail.
  •  Reliable data backups, offsite backup storage, and data recovery assistance.
  •  100% server availability and reliability, ideally with a 100% server uptime SLA.
  •  Data stored in HIPAA-compliant data centers.
  •  SSL certificates.
  •  SSAE 18 certification.
  •  Business associate agreement (BAA).


Cloud hosting providers like Amazon Web Services (AWS) enable covered entities and their business associates that are subject to HIPAA to build applications that store, process, and transmit sensitive health-related information, consistent with their privacy and security obligations under frameworks such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Federal Risk and Authorization Management Program (FedRAMP).

AWS offers a comprehensive set of features and services to make key management and encryption of PHI easier to manage and simpler to audit, including the AWS Key Management Service. Customers with HIPAA compliance requirements have a great deal of flexibility in how they meet encryption requirements for PHI.


Under HIPAA, AWS is considered a business associate, so before a healthcare entity can use AWS for PHI, it must first secure a business associate agreement (BAA). The BAA is a key component of HIPAA compliance between a covered entity and a business associate, and the contract clarifies how your HIPAA obligations will be shared with AWS.

To be considered HIPAA compliant, AWS must be used properly by all users within an organization. Configuration mistakes that leave PHI unprotected and accessible to unauthorized individuals are very common, and they violate HIPAA rules.

Administrators must pay close attention to security and ensure that they don’t give access to data to users who should not have access.

Customers can use any AWS service in HIPAA-compliant applications. However, only the HIPAA-eligible services defined in AWS’s BAA can be used to process, store, and transmit personally identifiable patient data.

So, is AWS 100% HIPAA-compliant cloud hosting? Yes, provided it is used correctly. The underlying platform is secure, and since AWS satisfies all HIPAA requirements for the services covered by its BAA, it is widely regarded as a HIPAA-compliant cloud vendor. With a signed business associate agreement (BAA) and proper configuration, AWS is HIPAA compliant. Just don’t forget to sign a BAA with them.
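As an added illustration of what “proper configuration” means for one HIPAA-eligible AWS service, here is an S3 bucket policy, written for this article rather than taken from AWS or DevCom, that refuses plaintext (non-TLS) access and refuses any upload that is not encrypted with a specific customer-managed KMS key. The bucket name, account ID, region and key ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonTlsAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-PHI-BUCKET",
        "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*"
      ],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    },
    {
      "Sid": "DenyUploadsNotUsingKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
    },
    {
      "Sid": "DenyUploadsNotUsingThePhiKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    }
  ]
}
```

Pair this policy with default bucket encryption set to the same KMS key and with S3 Block Public Access, since the policy governs uploads but not who may list or read the bucket. Note that the PutObject deny statements reject any upload that omits the encryption headers, even one that default bucket encryption would otherwise have protected, so clients must send them explicitly.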


Meeting HIPAA compliance is challenging – and that’s putting it lightly. Whatever your technical requirements, a cloud vendor can advise you on hosting solutions that have all been audited by a qualified independent third party and come with round-the-clock monitoring and support.

DevCom turns HIPAA compliance on public infrastructure providers into a solved problem. We enable secure clinical data exchange between mission-critical digital health applications.

With 15+ years of relationships with key clients in the healthcare industry, we have deep expertise in this field. Our professional DevOps engineers can share their experience on how to securely host your healthcare project so you can focus on the business.

We help digital companies like yours deploy HIPAA-compliant web applications on AWS.

➤ Migrate your application to the Cloud.

➤ Improve the scalability and security of your infrastructure.

➤ Guide your team to adopt AWS DevOps practices.


What necessary infrastructure components do you use for building a HIPAA-compliant network?

To create a HIPAA-compliant network, it is necessary to include secure HIPAA-compliant cloud servers, encrypted data storage, and reliable backups to your infrastructure. Altogether it guarantees data privacy and protection.

How do you explain the differences between HIPAA-compliant hosting services and standard managed services?

Our HIPAA-compliant healthcare cloud hosting services provide extra security measures. These measures include data encryption, frequent backups, and strict access controls. As a result, your sensitive data is protected at all times. In contrast, standard managed services may not provide the same level of security.

How do I verify that your company has implemented HIPAA compliance measures?

At DevCom, we’re happy to provide you with documentation and evidence of our HIPAA compliance measures. This includes our policies, procedures, and audit reports, so you can feel calm and confident that your data is in good hands with us.

Do you provide a BAA (Business Associate Agreement) to your clients?

Of course! We always provide our clients with a BAA that outlines our responsibilities for securing their sensitive data and ensuring compliance with HIPAA regulations.

What methods do you use to ensure regulatory compliance with HIPAA?

Regulatory compliance with HIPAA is of high concern for the DevCom team. We use a range of methods, including regular staff training, third-party audits, and continuous monitoring. This way, our team keeps up with the latest regulations and guidelines.

How do you respond to a security breach in your cloud hosting services?

If any security breach were to occur in our HIPAA cloud hosting services, we have a well-defined incident response process in place. First of all, we identify and locate the breach. The next step is notifying all affected parties. And finally, we conduct a thorough investigation and implement remediation measures to prevent any kind of future incidents.

Does your company have a dedicated HIPAA compliance officer, and what are their responsibilities?

Yes, there is a dedicated HIPAA compliance officer on our team. They are responsible for ensuring that our organization complies with all HIPAA regulations. They also conduct regular audits and risk assessments. Moreover, they follow any changes to the regulations to stay up-to-date. These steps help maintain our high standards of data privacy and security.

Which hosting providers do not offer HIPAA-compliant services?

It’s not an easy question to answer. From our perspective, each provider may have their own reasons for not doing so. So, it’s important to thoroughly research potential providers and ask questions about their security measures. This way, you are able to check out if they meet your organization’s specific HIPAA compliance needs.

Are there any potential penalties for violating HIPAA regulations?

Yes, there are penalties for violating HIPAA regulations. They may vary from hefty fines and loss of reputation to even criminal charges in some cases. If you don’t want to get any of them, do your best to implement robust security measures and always be in compliance with the latest HIPAA regulations and guidelines.

What security features does cloud storage need to be HIPAA-compliant?

HIPAA-compliant cloud storage needs to have a range of security features. As mentioned earlier, it includes data encryption, access controls, audit trails, and regular backups. Altogether, these features create a comprehensive approach to security that leads to minimized risks of data breaches and helps maintain compliance with HIPAA regulations.

What is the purpose of a BAA in relation to HIPAA compliance?

A BAA (Business Associate Agreement) is a legal contract between an entity and a business associate that outlines the responsibilities and requirements for safeguarding PHI (protected health information) to comply with HIPAA regulations. Having a BAA not only helps ensure that both parties are meeting their obligations under HIPAA but also provides an additional level of protection for sensitive patient data. What is more, it can help minimize the risk of any legal or financial penalties.

How do HIPAA regulations impact app hosting?

HIPAA regulations have a significant impact on app hosting, as they require all protected health information (PHI) to be kept secure and confidential. This means that HIPAA app hosting providers need to have appropriate measures in place to protect PHI, such as encryption and access controls, which ensure that nothing is compromised or disclosed inappropriately.



