Guidance on HIPAA Compliant Cloud Hosting

Posted on March 12, 2020

More and more healthcare organizations are turning to HIPAA compliant cloud hosting companies to help them complete their digital transformations and securely move their IT infrastructure, data, and applications to the cloud. Learn how to deploy a reference architecture for HIPAA in the AWS Cloud and to stay HIPAA compliant.


Being on the cloud is critical today, and critical for the future of healthcare organizations that are subject to HIPAA: a network that never becomes obsolete, hardware you never have to buy again, and systems you can reach from any device, anywhere in the world, at any time. That freedom from boundaries is also exactly why access control and encryption have to be designed in from the start.

Cloud-based environments can significantly decrease your costs: infrastructure hardware and maintenance costs are eliminated, and energy usage goes down. Simply put, cloud computing is a better way to run your business.

Healthcare IT environments require a level of care that goes above and beyond the norm. Cloud computing is not mentioned by name in the HIPAA/HITECH texts, but it is covered by the HIPAA Privacy and Security Rules, which place restrictions on the use of cloud services in connection with protected health information (PHI) and other patient data.

Secure Cloud Hosting for Healthcare Organization: Does the Perfect One Exist?

Healthcare organizations looking for secure, HIPAA compliant cloud hosting and networking are increasingly turning to the cloud, which has quickly become a low-cost way to build the complex infrastructure required to support a variety of critical organizational activities.

Cloud hosting offers the healthcare industry many benefits, including cost savings, remote file sharing, custom applications, and expanded storage. It gives healthcare IT departments and digital health technology vendors the ability to create a robust and secure infrastructure to store, back up and maintain Protected Health Information (PHI).  

When selecting a healthcare cloud provider, an organization needs to perform due diligence to ensure the information they are entrusting to this provider will be secured in accordance with the healthcare data regulations.



Why HIPAA Applies to Cloud Storage

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy of sensitive patient information. Covered entities under the law include healthcare plans, health care clearinghouses, and certain types of healthcare providers.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA requirements to business associates. A business associate is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. A cloud provider that merely stores PHI is a business associate even when the data is encrypted and the provider holds no key.

Under the HIPAA Security Rule, anyone who develops platforms or applications for the healthcare industry and handles Protected Health Information (PHI) is required to meet national standards for the physical, administrative, and technical safeguarding of health information.

Does your business collect, store, or transmit PHI for a covered entity? Then you must be HIPAA compliant, and your business will probably require HIPAA compliant cloud hosting.

Cloud vendors should provide a reliable and scalable computing platform that can support healthcare customers’ applications in a manner consistent with:

  1. Health Insurance Portability and Accountability Act (HIPAA)
  2. Health Information Technology for Economic and Clinical Health (HITECH)
  3. The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)

Your Cloud Vendor’s HIPAA Certification is Not Enough

The fact that a cloud storage provider offers a Business Associate Agreement (BAA), specific administrative and security controls, and encryption does not, in and of itself, make a healthcare organization HIPAA compliant. There is also no official HIPAA certification: HHS does not certify vendors, so any "HIPAA certified" badge is at best a third-party attestation that you still have to read.

This is how Amazon Web Services (AWS) explains it:  “Any AWS service can be used with a healthcare application, but only services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information under HIPAA.

In the AWS Cloud, security is shared between AWS and the customer, meaning that certain elements of security – such as physical security of the underlying infrastructure – are now the responsibility of AWS. Customers are still responsible for other aspects of security, such as the security measures used to protect your applications – which is no different than if your application was running in a traditional data center.”

Ultimately, the covered entity or business associate is the one responsible for making sure all its regulatory mandates are being followed.

HIPAA covered entities and business associates must carefully examine the cloud vendor's specific provisions and policies before using a service for PHI. As you look for a compliant healthcare cloud, ask these key questions:

  1. Have they had an external assessment done by a third party? 
  2. Have they been assessed against the HIPAA Security Rule? 
  3. What assurance can they make in safeguarding your data? 

Key Features of HIPAA Compliant Cloud Hosting

Below is an eleven-part checklist of the most important features a HIPAA-compliant cloud hosting environment should include:

  •  A robust firewall and intrusion prevention system.
  •  Encrypted VPNs for securely connecting to the cloud to access, upload, or download PHI.
  •  Robust encryption for data at rest.
  •  Strong authentication controls including multifactor authentication.
  •  Event log management to maintain an audit trail.
  •  Reliable data backups, offsite backup storage, and data recovery assistance.
  •  High availability and reliability backed by an uptime SLA. No provider can honestly promise 100%; what HIPAA actually requires is a contingency plan, so ask how failover and restores are tested.
  •  Data stored in HIPAA-compliant data centers.
  •  TLS certificates, so that PHI is encrypted in transit and not only at rest.
  •  An SSAE 18 (SOC 1 / SOC 2) attestation report from an independent auditor.
  •  Business associate agreement (BAA).
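Several items on this checklist (encryption at rest, no public exposure, audit logging, backups, multifactor authentication) can be verified automatically rather than taken on trust. The following Python script is an added example, not code from the original post, from DevCom, or from AWS: it audits an account inventory against those items. The inventory it reads is constructed sample data whose field names follow what boto3's get_bucket_encryption, get_public_access_block, describe_db_instances, get_trail_status and list_mfa_devices calls return; the bucket and database names, the account ID and the KMS key ARN are hypothetical, and nothing here contacts AWS.

```python
"""Offline audit of an AWS inventory against the hosting checklist above.
Added example. INVENTORY is constructed sample data shaped like boto3 responses;
names, the account ID and the key ARN are hypothetical. Nothing here calls AWS.
"""
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

INVENTORY = {
    "s3_buckets": [
        {"Name": "phi-lab-results",                      # configured correctly
         "ServerSideEncryptionConfiguration": {"Rules": [{
             "ApplyServerSideEncryptionByDefault": {
                 "SSEAlgorithm": "aws:kms",
                 "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/phi-key"}}]},
         "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True),
         "Versioning": "Enabled", "LoggingEnabled": True},
        {"Name": "phi-exports",                          # created by hand, never hardened
         "ServerSideEncryptionConfiguration": None,
         "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
         "Versioning": "Suspended", "LoggingEnabled": False},
    ],
    "rds_instances": [
        {"DBInstanceIdentifier": "ehr-db", "StorageEncrypted": True,
         "BackupRetentionPeriod": 35, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "analytics-db", "StorageEncrypted": False,
         "BackupRetentionPeriod": 0, "PubliclyAccessible": True},
    ],
    "cloudtrail": {"IsLogging": True, "IsMultiRegionTrail": False,
                   "LogFileValidationEnabled": True},
    "iam_users": [
        {"UserName": "dr-smith", "PasswordEnabled": True, "MFADevices": 1},
        {"UserName": "billing-bot", "PasswordEnabled": True, "MFADevices": 0},
        {"UserName": "ci-deploy", "PasswordEnabled": False, "MFADevices": 0},
    ],
}


def check_buckets(buckets):
    """Encryption at rest with a KMS key, no public exposure, versioning, access logs."""
    out = []
    for b in buckets:
        name, sse = b["Name"], b.get("ServerSideEncryptionConfiguration")
        algo = (sse["Rules"][0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
                if sse else None)
        if algo != "aws:kms":
            out.append(f"s3:{name}: default encryption is {algo or 'off'}, want aws:kms")
        pab = b.get("PublicAccessBlockConfiguration") or {}
        if not all(pab.get(k) for k in PAB_KEYS):
            out.append(f"s3:{name}: public access block not fully enabled")
        if b.get("Versioning") != "Enabled":
            out.append(f"s3:{name}: versioning off, deleted PHI is unrecoverable")
        if not b.get("LoggingEnabled"):
            out.append(f"s3:{name}: server access logging off, no audit trail")
    return out


def check_rds(instances):
    """Encrypted storage, automated backups retained, not reachable from the internet."""
    out = []
    for db in instances:
        name, days = db["DBInstanceIdentifier"], db.get("BackupRetentionPeriod", 0)
        if not db.get("StorageEncrypted"):
            out.append(f"rds:{name}: storage not encrypted")
        if days < 7:
            out.append(f"rds:{name}: backup retention {days} days, want at least 7")
        if db.get("PubliclyAccessible"):
            out.append(f"rds:{name}: publicly accessible")
    return out


def check_trail(trail):
    """CloudTrail recording every region, with tamper-evident log files."""
    out = []
    if not trail.get("IsLogging"):
        out.append("cloudtrail: not logging")
    if not trail.get("IsMultiRegionTrail"):
        out.append("cloudtrail: single-region trail, API calls elsewhere go unrecorded")
    if not trail.get("LogFileValidationEnabled"):
        out.append("cloudtrail: log file validation off")
    return out


def check_iam_users(users):
    """Every user with a console password must have an MFA device enrolled."""
    return [f"iam:{u['UserName']}: console password without MFA"
            for u in users if u.get("PasswordEnabled") and not u.get("MFADevices")]


def audit(inventory):
    """Run every check; an empty list means the inventory passes this checklist."""
    return (check_buckets(inventory["s3_buckets"]) + check_rds(inventory["rds_instances"])
            + check_trail(inventory["cloudtrail"]) + check_iam_users(inventory["iam_users"]))


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("FAIL", finding)
```

Run against the constructed inventory it reports nine findings, all on the hand-made export bucket, the analytics database, the single-region trail and the one console user without MFA; the deliberately well-configured bucket and database produce none. The thresholds (SSE-KMS rather than SSE-S3, seven days of backup retention) are this example's choices, not figures from the HIPAA rules, which set the outcome but not the numbers; adjust them to your own risk analysis. Users with access keys but no password (the ci-deploy entry) are skipped here on purpose, since MFA applies to console sign-in, and their keys need a rotation check instead.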

Is AWS HIPAA Compliant Cloud Hosting ?

Cloud hosting providers like Amazon Web Services (AWS) enable entities subject to HIPAA, and their business associates, to build applications that store, process, and transmit sensitive health-related information consistent with their privacy and security obligations under frameworks such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Federal Risk and Authorization Management Program (FedRAMP).

AWS offers a comprehensive set of features and services to make key management and encryption of PHI easier to manage and simpler to audit, including the AWS Key Management Service. Customers with HIPAA compliance requirements have a great deal of flexibility in how they meet encryption requirements for PHI. 

What’s Covered Under a BAA with AWS HIPAA Compliance?

Under HIPAA, AWS is a business associate of any customer whose PHI it stores. Before a healthcare entity can use AWS for PHI, it must first have a business associate agreement (BAA) in place; AWS offers its BAA as a self-service agreement through AWS Artifact. The BAA is a key component of HIPAA compliance between a covered entity and a business associate, and it clarifies how your HIPAA obligations are shared with AWS.

For an AWS deployment to be HIPAA compliant, AWS must be used properly by everyone in the organization. Configuration mistakes that leave PHI unprotected and reachable by unauthorized individuals are common, and each one is a potential breach under the HIPAA rules.

Administrators must pay close attention to access control and ensure that they do not grant data access to users who should not have it.

Customers can use any AWS service in a HIPAA compliant application. However, only the HIPAA-eligible services listed in AWS's BAA may be used to process, store, and transmit PHI.

So, is AWS 100% HIPAA compliant cloud hosting? Not by itself, and no cloud vendor is: HIPAA compliance is a property of how a service is used, not of the service alone. AWS provides HIPAA-eligible services, the security of the underlying infrastructure, and a BAA you can sign; with that BAA in place, PHI kept to eligible services, and proper configuration, an AWS deployment can be HIPAA compliant. Just don't forget to sign the BAA.
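The configuration mistakes and over-broad access described above are what a policy lint catches before a policy is attached. The following Python is an added example, not DevCom's or AWS's code: it flags wildcard actions, unscoped resources, NotAction/NotResource grants and anonymous principals in an IAM identity policy or an S3 bucket policy. The three policy documents are constructed for the example, and the bucket name, account ID and KMS key ARN are hypothetical; the scoped policy shows what the same application actually needs once access is reduced to one prefix and one key.

```python
"""Least-privilege lint for AWS IAM identity policies and S3 bucket policies.

Added example, not AWS's or DevCom's code. The three policy documents are
constructed; the bucket, account ID and KMS key ARN are hypothetical. Real
policies can be passed in as the JSON that the AWS CLI or boto3 returns.
"""
import json

PHI_BUCKET_ARN = "arn:aws:s3:::phi-lab-results"                   # hypothetical
PHI_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/phi-key"    # hypothetical

# Constructed: the policy an admin attaches "to make the app work".
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "*"},
    ],
}

# Constructed: the same application's real need, scoped to one prefix and one key.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{PHI_BUCKET_ARN}/results/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": PHI_BUCKET_ARN,
         "Condition": {"StringLike": {"s3:prefix": ["results/*"]}}},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": PHI_KEY_ARN},
    ],
}

# Constructed: a bucket policy that hands the PHI bucket to the whole internet.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"{PHI_BUCKET_ARN}/*"}],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy):
    """Return one finding per over-broad Allow statement; [] means it passes."""
    if isinstance(policy, str):          # e.g. the "Policy" string from get-bucket-policy
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt {i}: NotAction/NotResource allows everything not listed")
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"stmt {i}: wildcard action {wild}")
        if "*" in resources:
            findings.append(f"stmt {i}: Resource '*' for {actions}; scope to the PHI bucket or key ARN")
        if _is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"stmt {i}: anonymous principal without a Condition")
    return findings


if __name__ == "__main__":
    for name, pol in [("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, lint_policy(pol) or "OK")
```

Feed it the document from `aws iam get-policy-version` or the "Policy" string from `aws s3api get-bucket-policy` and it reports three findings for the over-broad policy, one for the public bucket policy and none for the scoped one. It is a per-statement heuristic: it does not evaluate Deny statements, service control policies or the content of Conditions, and a resource pattern such as arn:aws:s3:::* passes unflagged, so treat it as a pre-commit gate and keep IAM Access Analyzer as the authoritative check.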

Build Secure and Scalable AWS Cloud Hosting Infrastructure

Meeting HIPAA compliance is challenging – and that’s putting it lightly. Whatever your technical requirements, a cloud vendor can advise you on hosting solutions that have all been audited by a qualified independent third party and come with round-the-clock monitoring and support.

DevCom turns HIPAA compliance on public infrastructure providers into a solved problem. We enable secure clinical data exchange between mission-critical digital health applications.

With 15+ years of relationships with key clients in the healthcare industry, our professional DevOps engineers can share their experience on how to securely host your healthcare project so that you can focus on the business.


We help digital companies like yours to deploy HIPAA compliant web applications on AWS.

➤Migrate your application to the Cloud.

➤Improve the scalability and security of your infrastructure.

➤Guide your team to adopt AWS DevOps practices.




Written by: Halyna Vilchynska, Head of Marketing at DevCom.

