
HIPAA-Compliant Cloud: AWS vs Azure vs GCP Guide

Moving healthcare workloads to the cloud is no longer a question of “if” but “how.” EHR systems, FHIR servers, telehealth platforms, analytics pipelines, and patient-facing applications all run on cloud infrastructure. But “the cloud” and “HIPAA-compliant” don’t automatically go together. Each major cloud provider offers HIPAA-eligible services — but not all services are covered, and the shared responsibility model means your architecture decisions determine whether your cloud deployment actually meets HIPAA requirements.


The Shared Responsibility Model

All three major cloud providers follow the same fundamental principle: the provider is responsible for security of the cloud (physical infrastructure, hypervisors, networking hardware). You are responsible for security in the cloud (data encryption configuration, access controls, network architecture, application security, audit logging).

What the cloud provider handles: Physical security, hardware maintenance, hypervisor patching, network infrastructure, and availability of HIPAA-eligible services.

What you must handle: Encryption configuration (enabling encryption for databases, storage, backups), access management (IAM policies, MFA, least privilege), network architecture (VPC configuration, security groups, network segmentation), application security, audit logging configuration, incident response, and PHI data lifecycle management.

A signed BAA with the cloud provider is required before any workload containing ePHI is deployed. All three providers offer BAAs — but the BAA only covers services designated as HIPAA-eligible.

AWS for Healthcare

  1. BAA and HIPAA-Eligible Services

    AWS offers a BAA (called a “Business Associate Addendum”) through AWS Artifact. The BAA covers a specific set of HIPAA-eligible services — currently 100+ services including EC2, RDS, S3, Lambda, DynamoDB, ECS/EKS, CloudWatch, KMS, and more. Services not listed as HIPAA-eligible must not be used for ePHI workloads.

  2. Key HIPAA Architecture Patterns

    Compute: EC2 instances or ECS/EKS containers in private subnets. No public IP addresses for ePHI-processing workloads. Load balancers in public subnets terminate TLS before forwarding to private compute.

    Database: RDS (PostgreSQL, MySQL, Aurora) with encryption at rest enabled using KMS customer-managed keys. DynamoDB with encryption enabled. No ePHI in unencrypted databases.

    Storage: S3 with server-side encryption (SSE-KMS), bucket policies restricting access, access logging enabled, and versioning for data integrity. Block public access at the account level.

    Networking: VPC with private subnets for ePHI workloads. Security groups enforcing least-privilege access. VPC flow logs enabled for network monitoring. AWS PrivateLink for service-to-service communication without traversing public internet.

    Monitoring: CloudTrail for API activity logging. CloudWatch for system monitoring and alerting. AWS Config for configuration compliance tracking. GuardDuty for threat detection.

  3. AWS Healthcare-Specific Services

    AWS HealthLake (FHIR-native data store), Amazon Comprehend Medical (NLP for clinical text), and AWS HealthImaging (medical imaging storage) are purpose-built for healthcare workloads and included in the BAA.

Azure for Healthcare

  1. BAA and HIPAA-Eligible Services

    Microsoft offers a BAA through the Microsoft Trust Center as part of the Online Services Terms. Azure’s HIPAA-eligible services include Azure Virtual Machines, Azure SQL Database, Azure Blob Storage, Azure Kubernetes Service, Azure Functions, Azure API Management, and many more. Microsoft also maintains HITRUST CSF certification for Azure — providing additional healthcare-specific assurance.

  2. Key HIPAA Architecture Patterns

    Compute: Virtual Machines or AKS containers in virtual network subnets. Azure Application Gateway or Front Door for TLS termination and WAF protection.

    Database: Azure SQL Database with Transparent Data Encryption (TDE) and customer-managed keys in Azure Key Vault. Azure Cosmos DB with encryption at rest. Azure Database for PostgreSQL with encryption enabled.

    Storage: Azure Blob Storage with server-side encryption and customer-managed keys. Private endpoints for storage access. Soft delete and versioning for data protection.

    Networking: Virtual Networks with NSGs (Network Security Groups) enforcing segmentation. Azure Private Link for private connectivity. Azure Firewall or third-party NVAs for perimeter security. Azure DDoS Protection.

    Monitoring: Azure Monitor for system metrics. Azure Sentinel for SIEM and threat detection. Azure Activity Log for audit trail. Microsoft Defender for Cloud for security posture management.

  3. Azure Healthcare-Specific Services

    Azure Health Data Services (FHIR server, DICOM service, MedTech service for IoMT device data) provides purpose-built healthcare data infrastructure. Azure AI Health Insights offers clinical AI services.

GCP for Healthcare

  1. BAA and HIPAA-Eligible Services

    Google offers a BAA through the Google Cloud Terms of Service. GCP’s HIPAA-eligible services include Compute Engine, Cloud SQL, Cloud Storage, GKE, Cloud Functions, BigQuery, and Apigee (API management). The BAA covers a growing list of services — verify current coverage before deploying new services for ePHI workloads.

  2. Key HIPAA Architecture Patterns

    Compute: Compute Engine instances or GKE containers in private VPC subnets. Cloud Load Balancing for TLS termination and traffic management.

    Database: Cloud SQL (PostgreSQL, MySQL) with customer-managed encryption keys (CMEK). Cloud Spanner for globally distributed healthcare applications. BigQuery for analytics with CMEK encryption.

    Storage: Cloud Storage with CMEK encryption, uniform bucket-level access, and object versioning. No public access for ePHI buckets.

    Networking: VPC with private subnets. Cloud NAT for outbound internet access without public IPs. VPC Service Controls for fine-grained perimeter security around ePHI services. Cloud Armor for DDoS protection.

    Monitoring: Cloud Audit Logs for administrative and data access logging. Cloud Monitoring for system metrics. Security Command Center for security posture management. Chronicle for SIEM capabilities.
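The controls listed in the three Key HIPAA Architecture Patterns sections (AWS, Azure, and GCP) are the "security in the cloud" half of the shared responsibility model, and they drift after deployment. The following is an added example, not code from this article or from any cloud provider: an offline audit that runs those controls over a normalized resource inventory spanning all three clouds. The Resource schema, the control names, and SAMPLE_INVENTORY are constructed assumptions; in practice the inventory would be populated from the providers' describe/list APIs or from Terraform state.

```python
"""Offline audit of a normalized cloud resource inventory against the ePHI
architecture patterns in the AWS, Azure and GCP sections.
Added example: the Resource schema and SAMPLE_INVENTORY are constructed for
illustration and are not real provider API output."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Resource:
    provider: str        # "aws", "azure" or "gcp"
    kind: str            # compute | database | storage | network | audit
    name: str
    handles_ephi: bool   # only ePHI-scoped resources are held to these controls
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    detail: str


def _encryption_findings(r: Resource) -> list:
    # Encryption at rest must be on AND use a customer-managed key
    # (KMS CMK, Key Vault CMK, GCP CMEK); a provider-managed key alone is a gap.
    enc = r.attrs.get("encryption") or {}
    if not enc.get("at_rest"):
        return [Finding(r.name, "encryption-at-rest", "encryption at rest is disabled")]
    if not enc.get("customer_managed_key"):
        return [Finding(r.name, "customer-managed-key", "encrypted with a provider-managed key only")]
    return []


def _check_compute(r: Resource) -> list:
    out = []
    if r.attrs.get("public_ip"):
        out.append(Finding(r.name, "no-public-ip", "has a public IP; terminate TLS on a load balancer instead"))
    if not r.attrs.get("private_subnet"):
        out.append(Finding(r.name, "private-subnet", "not placed in a private subnet"))
    return out


def _check_database(r: Resource) -> list:
    out = _encryption_findings(r)
    if not r.attrs.get("private_endpoint"):
        out.append(Finding(r.name, "private-endpoint", "reachable without a private endpoint / PrivateLink"))
    return out


def _check_storage(r: Resource) -> list:
    out = _encryption_findings(r)
    if not r.attrs.get("public_access_blocked"):
        out.append(Finding(r.name, "block-public-access", "public access is not blocked"))
    if not r.attrs.get("versioning"):
        out.append(Finding(r.name, "versioning", "object versioning is off (no integrity history)"))
    if not r.attrs.get("access_logging"):
        out.append(Finding(r.name, "access-logging", "bucket access logging is off"))
    return out


def _check_network(r: Resource) -> list:
    if not r.attrs.get("flow_logs"):
        return [Finding(r.name, "flow-logs", "VPC/VNet flow logs are not enabled")]
    return []


def _check_audit(r: Resource) -> list:
    # CloudTrail / Activity Log / Cloud Audit Logs must capture data access, not only admin events.
    if not r.attrs.get("data_access_logging"):
        return [Finding(r.name, "audit-logging", "data-access audit logging is not enabled")]
    return []


CHECKS = {"compute": _check_compute, "database": _check_database, "storage": _check_storage,
          "network": _check_network, "audit": _check_audit}


def audit(inventory: list) -> list:
    """Run every applicable control; unknown kinds are reported, never silently passed."""
    findings = []
    for r in inventory:
        if not r.handles_ephi:
            continue
        checker = CHECKS.get(r.kind)
        if checker is None:
            findings.append(Finding(r.name, "unclassified", f"no controls defined for kind {r.kind!r}"))
            continue
        findings.extend(checker(r))
    return findings


def summarize(findings: list) -> Counter:
    return Counter(f.control for f in findings)


# Constructed sample: compliant and non-compliant resources across the three clouds.
SAMPLE_INVENTORY = [
    Resource("aws", "compute", "ehr-app-01", True, {"public_ip": True, "private_subnet": False}),
    Resource("aws", "storage", "phi-exports", True,
             {"encryption": {"at_rest": True, "customer_managed_key": False},
              "public_access_blocked": True, "versioning": True, "access_logging": False}),
    Resource("aws", "network", "vpc-clinical", True, {"flow_logs": True}),
    Resource("azure", "database", "fhir-sql", True,
             {"encryption": {"at_rest": True, "customer_managed_key": True}, "private_endpoint": True}),
    Resource("gcp", "storage", "imaging-archive", True,
             {"encryption": {"at_rest": True, "customer_managed_key": True},
              "public_access_blocked": False, "versioning": False, "access_logging": True}),
    Resource("gcp", "audit", "org-audit-logs", True, {"data_access_logging": False}),
    Resource("azure", "compute", "marketing-site", False, {"public_ip": True, "private_subnet": False}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.resource:18} {f.control:22} {f.detail}")
```

Resources not marked as handling ePHI are skipped rather than failed, and an unrecognised resource kind produces a finding instead of passing silently; both choices keep the audit from reporting a clean state it has not actually verified. On the constructed sample it reports seven findings and none against the compliant Azure SQL database.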

  3. GCP Healthcare-Specific Services

    Google Cloud Healthcare API (FHIR, HL7v2, and DICOM data stores) provides healthcare-native data management. Vertex AI supports healthcare AI/ML workloads.

Cross-Cloud Compliance Checklist

BAA and service selection:

  • BAA executed with cloud provider before deploying ePHI workloads
  • All services used for ePHI verified as HIPAA-eligible
  • Service usage documented against BAA coverage list
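One way to operationalise the three checklist items above as a single fail-closed gate over an infrastructure-as-code plan, added here as an example (it is not from the article and not a provider tool). The Terraform resource-type-to-service mapping, the `data_classification = ephi` tagging convention, and the ELIGIBLE sets are constructed assumptions; the ELIGIBLE sets only echo service names that appear in this article and must be replaced with each provider's current published HIPAA-eligible list before use.

```python
"""Fail-closed BAA coverage check over Terraform-style plan resources.
Added example: RESOURCE_SERVICE, ELIGIBLE and SAMPLE_PLAN are illustrative;
the eligible sets echo names from the article, not a provider's official list."""
from collections import Counter

# Illustrative eligible sets (service names as mentioned in the article).
ELIGIBLE = {
    "aws": {"EC2", "RDS", "S3", "Lambda", "DynamoDB", "ECS", "EKS", "CloudWatch", "KMS"},
    "azure": {"Virtual Machines", "Azure SQL Database", "Blob Storage", "AKS",
              "Functions", "API Management"},
    "gcp": {"Compute Engine", "Cloud SQL", "Cloud Storage", "GKE", "Cloud Functions",
            "BigQuery", "Apigee"},
}

# Terraform resource type -> (provider, service). Constructed subset for the example.
RESOURCE_SERVICE = {
    "aws_instance": ("aws", "EC2"),
    "aws_s3_bucket": ("aws", "S3"),
    "aws_db_instance": ("aws", "RDS"),
    "aws_sns_topic": ("aws", "SNS"),
    "azurerm_linux_virtual_machine": ("azure", "Virtual Machines"),
    "azurerm_mssql_database": ("azure", "Azure SQL Database"),
    "google_compute_instance": ("gcp", "Compute Engine"),
    "google_bigquery_dataset": ("gcp", "BigQuery"),
}

PROVIDER_PREFIX = {"aws_": "aws", "azurerm_": "azure", "google_": "gcp"}


def provider_of(resource_type: str) -> str:
    for prefix, provider in PROVIDER_PREFIX.items():
        if resource_type.startswith(prefix):
            return provider
    return "unknown"


def classify(res: dict) -> dict:
    """One coverage record per resource; anything not positively listed fails closed."""
    rtype = res["type"]
    record = {"address": res["address"], "type": rtype,
              "provider": provider_of(rtype), "service": None}
    # Assumed tagging convention: only ePHI-classified resources are in scope for the BAA check.
    if res.get("tags", {}).get("data_classification") != "ephi":
        record["status"] = "out-of-scope"
        return record
    mapped = RESOURCE_SERVICE.get(rtype)
    if mapped is None:
        record["status"] = "unmapped"      # nobody has said which service this is
        return record
    provider, service = mapped
    record["provider"], record["service"] = provider, service
    record["status"] = "eligible" if service in ELIGIBLE.get(provider, set()) else "not-listed"
    return record


def coverage_report(plan_resources: list) -> list:
    """The 'service usage documented against BAA coverage list' artefact."""
    return [classify(r) for r in plan_resources]


def deploy_allowed(report: list) -> bool:
    # Gate: every in-scope resource must map to a listed service; unmapped counts as a block.
    return all(rec["status"] in ("eligible", "out-of-scope") for rec in report)


def summary(report: list) -> Counter:
    return Counter(rec["status"] for rec in report)


# Constructed plan resources in the shape of `terraform show -json` resource entries.
SAMPLE_PLAN = [
    {"address": "aws_instance.ehr_app", "type": "aws_instance", "tags": {"data_classification": "ephi"}},
    {"address": "aws_s3_bucket.phi_exports", "type": "aws_s3_bucket", "tags": {"data_classification": "ephi"}},
    {"address": "aws_sns_topic.alerts", "type": "aws_sns_topic", "tags": {"data_classification": "ephi"}},
    {"address": "aws_cloudfront_distribution.site", "type": "aws_cloudfront_distribution",
     "tags": {"data_classification": "public"}},
    {"address": "google_bigquery_dataset.analytics", "type": "google_bigquery_dataset",
     "tags": {"data_classification": "ephi"}},
    {"address": "google_dataflow_job.etl", "type": "google_dataflow_job", "tags": {"data_classification": "ephi"}},
    {"address": "azurerm_mssql_database.fhir", "type": "azurerm_mssql_database",
     "tags": {"data_classification": "ephi"}},
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_PLAN)
    for rec in report:
        print(f"{rec['status']:13} {rec['address']:36} {rec['provider']}/{rec['service']}")
    print("deploy allowed:", deploy_allowed(report), dict(summary(report)))
```

The two non-passing states are deliberately different: "not-listed" means the service is known but absent from the supplied eligible list (verify against the provider's current list, then extend ELIGIBLE), while "unmapped" means no one has yet stated which service the resource type belongs to. Both block the deployment; only an explicit mapping plus an explicit listing lets an ePHI resource through.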

How Taction Ensures Compliance

At Taction, our team designs and deploys HIPAA-compliant cloud infrastructure for healthcare organizations across AWS, Azure, and GCP.

What we do:

  • Cloud architecture design — We design HIPAA-compliant cloud architectures tailored to your workload — EHR hosting, FHIR servers, telehealth platforms, analytics pipelines — with encryption, network segmentation, and access controls built in.
  • Multi-cloud strategy — For organizations using multiple cloud providers, we design consistent security controls across platforms — unified IAM, consistent encryption standards, and centralized monitoring.
  • Cloud migration — We migrate healthcare workloads from on-premises to cloud with HIPAA compliance maintained throughout the transition — data encryption during migration, network security during cutover, and validation post-migration.
  • Security hardening — We harden existing cloud deployments against HIPAA requirements — auditing current configurations, remediating gaps, and implementing monitoring and alerting.
  • Ongoing cloud compliance — We implement infrastructure-as-code and automated compliance checking that maintains HIPAA compliance continuously — not just at deployment time.
