HIPAA Compliance Checklist for Cloud Apps [2026]

exodata.io
Security | Compliance | Cloud | Azure

Published on: 1 March 2026

Moving healthcare applications to the cloud introduces significant advantages in scalability, availability, and cost efficiency. It also introduces a compliance surface area that is fundamentally different from on-premises environments. The Health Insurance Portability and Accountability Act (HIPAA) does not prohibit cloud computing — but it demands that every organization handling protected health information (PHI) in the cloud implements specific administrative, physical, and technical safeguards.

This checklist provides a comprehensive, actionable guide for ensuring HIPAA compliance in cloud-based healthcare applications. Whether you are building a new cloud-native application, migrating an existing system, or evaluating your current compliance posture, use this as your reference.

For foundational HIPAA concepts and requirements, review our complete HIPAA compliance guide before working through this cloud-specific checklist.

The Shared Responsibility Model and HIPAA

Before diving into the checklist, it is essential to understand the shared responsibility model. When you use a cloud service provider (CSP) like Microsoft Azure or AWS, HIPAA compliance is shared between you and the provider:

The CSP is responsible for:

  • Physical security of data centers
  • Infrastructure-level encryption capabilities
  • Platform availability and resilience
  • Compliance of the underlying infrastructure (and signing a BAA)

You are responsible for:

  • Configuring cloud services securely
  • Managing access controls and authentication
  • Encrypting data using the tools the CSP provides
  • Monitoring, logging, and incident response
  • Employee training and organizational policies
  • Ensuring that every service you use is HIPAA-eligible

The CSP provides HIPAA-eligible services and signs a Business Associate Agreement. But misconfiguring those services, failing to enable encryption, or leaving storage publicly accessible is your responsibility — and your liability.

HIPAA Compliance Checklist for Cloud Applications

1. Business Associate Agreements (BAAs)

  • Execute a BAA with your cloud service provider. This is non-negotiable. A BAA establishes the CSP’s obligations for protecting PHI and defines permitted uses and disclosures. Both Azure and AWS offer standard BAAs.
  • Execute BAAs with every subprocessor. Any third-party SaaS tool, API, analytics platform, or service that accesses, processes, or stores PHI requires a BAA. This includes email providers, monitoring tools, payment processors, and communication platforms.
  • Maintain a BAA inventory. Create and maintain a registry of all BAAs, including execution dates, renewal terms, and the scope of PHI each business associate handles.
  • Review BAAs annually. Verify that BAA terms remain current and that each business associate’s security practices still meet your requirements.
  • Verify HIPAA eligibility of every cloud service used. Not all services within a cloud platform are HIPAA-eligible. Azure publishes a list of HIPAA-eligible services; AWS does the same. Only deploy PHI workloads on eligible services.

2. Data Encryption

  • Encrypt all PHI at rest. Use AES-256 encryption for all data stores containing PHI: databases, object storage, file shares, backups, and disk volumes. Azure Storage, Azure SQL Database, and Azure Cosmos DB support encryption at rest by default. Verify it is enabled and not inadvertently disabled.
  • Encrypt all PHI in transit. Enforce TLS 1.2 or higher for all data in transit. This applies to API calls, web application traffic, database connections, inter-service communication, and data transfers between cloud regions.
  • Implement encryption key management. Use a managed key vault service (Azure Key Vault, AWS KMS) for encryption key storage and rotation. Define key rotation schedules and document key management procedures. Restrict key access to authorized personnel only.
  • Encrypt backups. Backups containing PHI must be encrypted with the same rigor as primary data. Verify that backup encryption is enabled and that keys are managed through your key management system.
  • Encrypt data at the application level where appropriate. For highly sensitive fields (SSNs, diagnosis codes), consider application-level encryption in addition to platform-level encryption. This provides defense in depth if platform encryption is misconfigured.
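An added example (not code from the page or from Exodata) of how the in-transit and at-rest checks above can be verified mechanically rather than by eye. The first half builds a client-side TLS context with a TLS 1.2 floor and certificate verification, next to the weak setting it replaces; the second half audits a list of storage-account records for the encryption, TLS and public-access settings a PHI store must have. The record shape borrows the Azure Storage account property names `minimumTlsVersion`, `supportsHttpsTrafficOnly`, `allowBlobPublicAccess`, `encryption.services` and `networkAcls.defaultAction`; the account names and values are constructed for the example, and a real audit would feed in the output of the platform's resource API.

```python
import ssl

# Constructed records shaped like a subset of Azure Storage account properties.
# Names and values are made up for this example.
SAMPLE_ACCOUNTS = [
    {
        "name": "phiarchive01",
        "properties": {
            "minimumTlsVersion": "TLS1_2",
            "supportsHttpsTrafficOnly": True,
            "allowBlobPublicAccess": False,
            "encryption": {"services": {"blob": {"enabled": True}, "file": {"enabled": True}}},
            "networkAcls": {"defaultAction": "Deny"},
        },
    },
    {
        "name": "legacyuploads",
        "properties": {
            "minimumTlsVersion": "TLS1_0",
            "supportsHttpsTrafficOnly": False,
            "allowBlobPublicAccess": True,
            "encryption": {"services": {"blob": {"enabled": True}, "file": {"enabled": False}}},
            "networkAcls": {"defaultAction": "Allow"},
        },
    },
]

REQUIRED_TLS = "TLS1_2"
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def audit_account(account):
    """Return a list of findings; an empty list means every check passed."""
    p = account["properties"]
    findings = []
    tls = p.get("minimumTlsVersion", "TLS1_0")   # platform default is the weakest, so treat absence as TLS1_0
    if TLS_ORDER.get(tls, 0) < TLS_ORDER[REQUIRED_TLS]:
        findings.append(f"minimumTlsVersion is {tls}; require {REQUIRED_TLS} or higher")
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append("plaintext HTTP is permitted; enable HTTPS-only traffic")
    if p.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access is allowed; disable it")
    for svc, cfg in p.get("encryption", {}).get("services", {}).items():
        if not cfg.get("enabled", False):
            findings.append(f"encryption at rest is disabled for the {svc} service")
    if p.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append("network default action is not Deny; restrict to private endpoints or an allow-list")
    return findings


def audit_all(accounts):
    """Map account name -> findings, listing only accounts that fail at least one check."""
    return {a["name"]: f for a in accounts if (f := audit_account(a))}


def phi_client_context():
    """Corrected setting: TLS 1.2 floor, hostname check and certificate verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def legacy_client_context():
    """Weak setting for comparison: accepts whatever the linked OpenSSL still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_floor_ok(ctx):
    """True when the context refuses TLS 1.0/1.1 and requires a verified certificate."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("hardened client context ok:", tls_floor_ok(phi_client_context()))
    print("legacy client context ok:", tls_floor_ok(legacy_client_context()))
```

Running the audit on every storage resource in a subscription on a schedule, and failing a deployment pipeline on any finding, turns the "verify it is enabled and not inadvertently disabled" item into a repeatable control instead of a one-off review.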

3. Access Controls

  • Implement role-based access control (RBAC). Define roles based on job function and assign the minimum permissions necessary for each role. Avoid broad administrator roles wherever possible.
  • Enforce multi-factor authentication (MFA). Require MFA for all users accessing systems that contain PHI. This includes cloud console access, application logins, VPN connections, and remote access tools.
  • Implement unique user identification. Every user must have a unique identifier. Shared accounts and generic logins are not acceptable for systems that handle PHI. This is essential for audit trail integrity.
  • Enable automatic session timeouts. Configure automatic logoff after a defined period of inactivity (typically 15 minutes for applications handling PHI). This applies to web applications, remote desktop sessions, and cloud console access.
  • Conduct access reviews quarterly. Review user access to all systems containing PHI at least quarterly. Remove access for terminated employees, role changes, and inactive accounts. Document each review.
  • Implement emergency access procedures. Define and document procedures for granting emergency access to PHI during system outages or critical situations. Include controls for reviewing and revoking emergency access after the event.
  • Restrict PHI access based on minimum necessary. Users should only access the minimum amount of PHI required for their specific job function. Configure application-level access controls to enforce this at the data level, not just the system level.
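The access-control items above describe several checks that must all pass before a single PHI read is allowed: unique identity with MFA, an unexpired session, a role that is permitted the requested fields, and a treatment relationship with the patient (or a time-boxed, logged emergency grant). The following added example, not code from the page or from Exodata, shows them composed into one data-level authorization decision. The roles, field sets, user identifiers and patient identifiers are constructed for the example; a real deployment would derive the role-to-field mapping from its own data classification and take the treatment relationship from its clinical system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> PHI fields that role may read. Constructed for this example.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "scheduler": {"name", "appointment_time"},
}
SESSION_IDLE_LIMIT = timedelta(minutes=15)   # the 15-minute inactivity window above


@dataclass
class User:
    user_id: str                      # one identifier per person; no shared accounts
    role: str
    mfa_verified: bool
    assigned_patients: set = field(default_factory=set)   # treatment relationship
    last_activity: datetime = None
    break_glass_until: datetime = None   # emergency access expiry, if granted


def session_active(user, now):
    """Automatic logoff: a session is expired once it has idled past SESSION_IDLE_LIMIT."""
    return user.last_activity is not None and now - user.last_activity <= SESSION_IDLE_LIMIT


def grant_break_glass(user, now, hours=4, audit=None):
    """Time-boxed emergency access; every grant is recorded for post-event review."""
    user.break_glass_until = now + timedelta(hours=hours)
    if audit is not None:
        audit.append({"event": "break_glass_granted", "user": user.user_id,
                      "expires": user.break_glass_until.isoformat()})


def authorize(user, patient_id, fields, now, audit=None):
    """Decide one PHI read. Returns (allowed, reason) and records the decision either way."""
    fields = set(fields)
    if not user.mfa_verified:
        decision = (False, "mfa_required")
    elif not session_active(user, now):
        decision = (False, "session_expired")
    elif user.role not in ROLE_FIELDS:
        decision = (False, "unknown_role")
    elif not fields <= ROLE_FIELDS[user.role]:
        extra = sorted(fields - ROLE_FIELDS[user.role])
        decision = (False, "fields_exceed_role:" + ",".join(extra))
    elif patient_id in user.assigned_patients:
        decision = (True, "treatment_relationship")
    elif user.break_glass_until is not None and now <= user.break_glass_until:
        decision = (True, "break_glass")   # allowed, but reason is kept so reviewers can find it
    else:
        decision = (False, "no_relationship")
    if audit is not None:
        audit.append({"event": "phi_access", "user": user.user_id, "patient": patient_id,
                      "fields": sorted(fields), "allowed": decision[0], "reason": decision[1]})
    return decision


def run_scenario():
    """Walk through the cases a reviewer would expect; returns (decisions, audit trail)."""
    now = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    doc = User("u-dr-ramos", "physician", True, {"P-0001"}, now - timedelta(minutes=2))
    clerk = User("u-billing-lee", "billing", True, {"P-0001"}, now - timedelta(minutes=20))
    results = {
        "treating_read": authorize(doc, "P-0001", ["diagnosis", "notes"], now, log),
        "unrelated_read": authorize(doc, "P-0002", ["diagnosis"], now, log),
        "idle_session": authorize(clerk, "P-0001", ["insurance_id"], now, log),
    }
    clerk.last_activity = now                       # clerk signs back in
    results["billing_reads_diagnosis"] = authorize(clerk, "P-0001", ["diagnosis"], now, log)
    grant_break_glass(doc, now, audit=log)          # outage: physician needs an unassigned patient
    results["break_glass_read"] = authorize(doc, "P-0002", ["diagnosis"], now, log)
    return results, log


if __name__ == "__main__":
    results, log = run_scenario()
    for name, decision in results.items():
        print(f"{name:26s} -> {decision}")
    for entry in log:
        print(entry)
```

The order of the checks is deliberate: identity and session failures are rejected before any role or relationship lookup, and the break-glass path is the last branch before denial so that it never overrides the field restriction of the role. Every decision, allowed or denied, lands in the audit trail with its reason, which is what the quarterly access review and the post-emergency review both need.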

4. Audit Logging and Monitoring

  • Enable audit logging on all systems containing PHI. This includes cloud platforms, databases, applications, identity providers, and network devices. Log all access events, authentication attempts, configuration changes, and data modifications.
  • Centralize logs in a SIEM or log management platform. Use a centralized logging solution such as Microsoft Sentinel or a comparable platform. Centralization enables correlation, alerting, and efficient investigation.
  • Retain logs for a minimum of 6 years. HIPAA requires documentation retention for 6 years. Ensure your log retention policies meet this requirement. Configure archival storage for older logs to manage costs.
  • Monitor for unauthorized access attempts. Configure alerts for failed login attempts, access from unusual locations, privilege escalations, and bulk data exports. Define response procedures for each alert type.
  • Log all PHI access events. Track who accessed what PHI, when, from where, and what action was taken (view, modify, delete, export). This is critical for investigating breaches and responding to patient access requests.
  • Review audit logs regularly. Establish a schedule for log review — daily for high-priority alerts, weekly for trends and anomalies. Document review activities and findings.
  • Protect log integrity. Ensure logs cannot be modified or deleted by the users being monitored. Use write-once storage, separate log management accounts, and access controls on log repositories.
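Two of the items above, alerting on unauthorized access patterns and protecting log integrity, are shown together in the following added example (not code from the page or from Exodata). The `AuditLog` class chains each PHI access record to the hash of the one before it, so an edited or deleted record is detectable on the next verification; `detect` runs three of the alert classes named above (repeated failed logins, bulk export, access from an unexpected location) over a handful of constructed events. The events, thresholds and country list are made up for the example; in production the thresholds come from your own baseline and the anchor hash is written to storage the monitored users cannot modify.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only PHI access log in which every record commits to its predecessor's hash.
    Editing or deleting a record breaks the chain from that point on. Truncation at the
    tail is not caught by the chain alone: periodically copy the latest hash to write-once
    storage that the monitored users cannot reach, and compare against it."""

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, **event}
        self.records.append({**body, "hash": _digest(body)})
        return self.records[-1]["hash"]

    def verify(self):
        """Index of the first broken record, or None when the whole chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(body):
                return i
            prev = rec["hash"]
        return None


# Constructed sample events (UTC timestamps); not data from any real system.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00", "user": "u-nurse-kim", "event": "login_failed", "ip_country": "US"},
    {"ts": "2026-03-01T08:01:00", "user": "u-nurse-kim", "event": "login_failed", "ip_country": "US"},
    {"ts": "2026-03-01T08:02:00", "user": "u-nurse-kim", "event": "login_failed", "ip_country": "US"},
    {"ts": "2026-03-01T08:03:00", "user": "u-nurse-kim", "event": "login_failed", "ip_country": "US"},
    {"ts": "2026-03-01T08:04:00", "user": "u-nurse-kim", "event": "login_failed", "ip_country": "US"},
    {"ts": "2026-03-01T08:10:00", "user": "u-dr-ramos", "event": "phi_view", "patient": "P-0001", "ip_country": "US"},
    {"ts": "2026-03-01T08:30:00", "user": "u-dr-ramos", "event": "phi_export", "records": 12000, "ip_country": "US"},
    {"ts": "2026-03-01T08:45:00", "user": "u-billing-lee", "event": "phi_view", "patient": "P-0002", "ip_country": "RO"},
]

FAILED_LOGIN_THRESHOLD = 5                    # constructed thresholds; tune to your own baseline
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_EXPORT_THRESHOLD = 1000
EXPECTED_COUNTRIES = {"US"}


def detect(events):
    """Return (alert_type, user, timestamp) tuples for the three alert classes above."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "login_failed":
            window = [x for x in recent_failures[e["user"]] if t - x <= FAILED_LOGIN_WINDOW]
            window.append(t)
            recent_failures[e["user"]] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:       # fire once, when the threshold is crossed
                alerts.append(("repeated_failed_logins", e["user"], e["ts"]))
        elif e["event"] == "phi_export" and e.get("records", 0) >= BULK_EXPORT_THRESHOLD:
            alerts.append(("bulk_export", e["user"], e["ts"]))
        if e["event"].startswith("phi_") and e.get("ip_country") not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_location", e["user"], e["ts"]))
    return alerts


def build_log(events):
    log = AuditLog()
    for e in events:
        log.append(e)
    return log


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", *alert)
    log = build_log(SAMPLE_EVENTS)
    print("chain intact:", log.verify() is None)
    log.records[2]["user"] = "u-someone-else"          # simulate an after-the-fact edit
    print("first broken record after edit:", log.verify())
```

The chain is a detection control, not a prevention control: it tells you that the log was altered and where, which is exactly what an investigation needs, but only write-once storage and separate log-management accounts keep the alteration from happening in the first place.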

5. Network Security

  • Segment PHI workloads. Isolate systems that process PHI into dedicated virtual networks (VNets), subnets, or security groups. Restrict traffic flows between PHI and non-PHI environments. Our guide on zero trust security provides a framework for implementing segmentation.
  • Implement network security groups and firewall rules. Define allow-list-based rules that permit only necessary traffic. Default deny all inbound and outbound traffic and open only required ports and protocols.
  • Use private endpoints for cloud services. Wherever possible, access cloud services (databases, storage, key vaults) through private endpoints rather than public endpoints. This keeps PHI traffic off the public internet.
  • Deploy a web application firewall (WAF). Protect internet-facing healthcare applications with a WAF to mitigate OWASP Top 10 vulnerabilities, DDoS attempts, and malicious traffic.
  • Restrict remote access. Use VPN or Azure Bastion for administrative access to PHI environments. Prohibit direct RDP/SSH access from the internet. Log all remote access sessions.
  • Conduct regular network penetration testing. Engage a qualified firm to perform network penetration testing at least annually. Remediate findings and retest to confirm resolution.
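The segmentation, allow-list and remote-access items above come down to what a network security group's rule set actually permits. The following added example (not code from the page or from Exodata) evaluates inbound rules the way a first-match-by-priority engine does and audits a rule set for the two mistakes the checklist calls out: RDP/SSH reachable from the internet, and all ports open to a broad source. The rule dictionaries use the Azure NSG field names `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix` and `destinationPortRange`, and the two default rules are modelled on Azure's built-in `AllowVnetInBound` (65000) and `DenyAllInBound` (65500); the custom rules, subnet ranges and IP addresses are constructed, and the `Internet` source tag is approximated as "any address outside the VNet".

```python
import ipaddress

ADMIN_PORTS = {22, 3389}                           # SSH, RDP
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Modelled on two of Azure's built-in NSG default rules (a subset; load-balancer rule omitted).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed rule set for a PHI application subnet. 203.0.113.0/24 stands in for the
# WAF's egress range and 10.10.250.0/24 for a bastion subnet; both are example values.
PHI_SUBNET_RULES = [
    {"name": "AllowHttpsFromWaf", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
    {"name": "AllowRdpFromInternet", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowSshFromBastionSubnet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.10.250.0/24", "destinationPortRange": "22"},
]


def port_matches(rule_range, port):
    """'*', a single port, or 'lo-hi'."""
    if rule_range == "*":
        return True
    lo, _, hi = rule_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_matches(prefix, src_ip, vnet):
    ip = ipaddress.ip_address(src_ip)
    in_vnet = ip in ipaddress.ip_network(vnet)
    if prefix in ("*", "0.0.0.0/0"):
        return True
    if prefix == "Internet":
        return not in_vnet          # approximation of the service tag: anything outside the VNet
    if prefix == "VirtualNetwork":
        return in_vnet
    return ip in ipaddress.ip_network(prefix, strict=False)


def evaluate(rules, src_ip, port, proto="Tcp", vnet="10.10.0.0/16"):
    """First matching inbound rule in ascending priority decides. Returns (access, rule name)."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", proto):
            continue
        if source_matches(r["sourceAddressPrefix"], src_ip, vnet) and port_matches(r["destinationPortRange"], port):
            return r["access"], r["name"]
    return "Deny", "implicit"


def audit_rules(rules):
    """Flag Allow rules that expose admin ports, or every port, to internet-wide sources."""
    findings = []
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        broad_src = r["sourceAddressPrefix"] in INTERNET_SOURCES
        if broad_src and any(port_matches(r["destinationPortRange"], p) for p in ADMIN_PORTS):
            findings.append((r["name"], "RDP/SSH reachable from the internet; route admins through Bastion or VPN"))
        elif broad_src and r["destinationPortRange"] == "*":
            findings.append((r["name"], "all ports open to the internet; allow-list only the ports the app needs"))
    return findings


if __name__ == "__main__":
    for name, why in audit_rules(PHI_SUBNET_RULES):
        print(f"FINDING {name}: {why}")
    print("RDP from a public address:", evaluate(PHI_SUBNET_RULES, "198.51.100.7", 3389))
    hardened = [r for r in PHI_SUBNET_RULES if r["name"] != "AllowRdpFromInternet"]
    print("same flow after removing the rule:", evaluate(hardened, "198.51.100.7", 3389))
    print("SSH from the bastion subnet:", evaluate(hardened, "10.10.250.5", 22))
```

Because the platform's `DenyAllInBound` sits at the lowest priority, removing the offending rule is enough to close the exposure; the audit function is what catches the rule being re-added, which is why it belongs in the same pipeline that deploys the network definitions.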

6. Application Security

  • Conduct security assessments during development. Integrate security testing into your SDLC: static analysis (SAST), dynamic analysis (DAST), and dependency scanning. Address findings before deployment.
  • Implement input validation. Validate and sanitize all user input to prevent injection attacks (SQL injection, XSS, command injection). Healthcare applications are high-value targets.
  • Secure API endpoints. Authenticate and authorize all API calls. Use OAuth 2.0 or equivalent for API authentication. Rate-limit API endpoints to prevent abuse. Log all API access.
  • Implement data loss prevention (DLP). Configure DLP controls to detect and prevent unauthorized transmission of PHI via email, file sharing, or API calls.
  • Manage application dependencies. Maintain an inventory of third-party libraries and frameworks. Monitor for known vulnerabilities and apply patches promptly. Use automated dependency scanning in your CI/CD pipeline.
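The input-validation and API-endpoint items above are shown end to end in the following added example (not code from the page or from Exodata): an allow-list check on the patient identifier before it reaches the database, a parameterized query so the value can never change the statement, and a per-client token-bucket rate limit in front of the endpoint. The identifier format, the in-memory SQLite table and its two rows are constructed for the example; the structure is the same whichever database and web framework the application uses.

```python
import re
import sqlite3
import time

PATIENT_ID = re.compile(r"P-\d{4,10}")   # allow-list format for identifiers; constructed for this example


def build_db():
    """In-memory table with constructed rows; stands in for the real PHI store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (patient_id TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("P-0001", "Ada Example", "J45.20"),
        ("P-0002", "Ben Example", "E11.9"),
    ])
    return conn


def validate_patient_id(raw):
    """Reject anything that is not a well-formed identifier before it reaches the database."""
    if not isinstance(raw, str) or not PATIENT_ID.fullmatch(raw):
        raise ValueError("invalid patient id")
    return raw


def lookup_patient(conn, raw_id):
    """Validated identifier plus a bound parameter: the value is data, never SQL."""
    pid = validate_patient_id(raw_id)
    row = conn.execute(
        "SELECT patient_id, name, diagnosis FROM patients WHERE patient_id = ?", (pid,)
    ).fetchone()
    return dict(zip(("patient_id", "name", "diagnosis"), row)) if row else None


class TokenBucket:
    """Per-client rate limit: `rate` requests per second, bursts up to `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.buckets = {}   # client id -> (tokens remaining, time of last refill)

    def allow(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True


def handle_get_patient(conn, limiter, client, raw_id):
    """Endpoint flow: rate limit, validate, query. Returns (HTTP status, body)."""
    if not limiter.allow(client):
        return 429, {"error": "rate limited"}
    try:
        record = lookup_patient(conn, raw_id)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return (200, record) if record else (404, {"error": "not found"})


if __name__ == "__main__":
    conn = build_db()
    limiter = TokenBucket(rate=2, capacity=5)
    for raw in ("P-0001", "P-0001'--", "P-9999"):
        print(raw, "->", handle_get_patient(conn, limiter, "client-a", raw))
```

The `client` key passed to the limiter should be the authenticated principal from the OAuth 2.0 token, not the source IP, so that one misbehaving client cannot exhaust the budget of everyone behind the same NAT. Each request should also be written to the access log with the principal, the patient identifier and the resulting status, which ties this endpoint back to the audit-logging section.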

7. Data Backup and Disaster Recovery

  • Implement automated backup procedures. Configure automated backups for all systems containing PHI. Define backup frequency based on your Recovery Point Objective (RPO).
  • Store backups in a geographically separate location. Maintain backups in a different cloud region or availability zone from your primary environment. Verify that the backup region also meets HIPAA requirements.
  • Test backup restoration regularly. Perform restoration tests at least quarterly. Document test results, including restoration time and data integrity verification.
  • Document your disaster recovery plan. Define Recovery Time Objective (RTO) and RPO for each system. Document failover procedures, communication plans, and recovery steps. Review our IT compliance standards guide for additional DR considerations.
  • Conduct DR tabletop exercises. Walk through disaster scenarios with your team at least annually. Document findings and update procedures based on lessons learned.
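A restoration test is only evidence if it checks data integrity and records how long the restore took. The following added example (not code from the page or from Exodata) performs a backup of a small constructed directory tree, "restores" it by copying the backup back out, verifies every file against a SHA-256 manifest, and reports the elapsed time, alongside a helper that checks the newest backup against the RPO. The directory contents and timestamps are constructed; in practice the copy steps are replaced by the platform's backup and restore operations, and the manifest verification and RPO check are what you keep.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source, dest):
    """Copy every file under `source` into `dest`; return a manifest {relative path: sha256}."""
    manifest = {}
    for p in Path(source).rglob("*"):
        if p.is_file():
            rel = p.relative_to(source)
            target = Path(dest) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[str(rel)] = sha256_file(p)
    return manifest


def verify_restore(restored, manifest):
    """Compare a restored tree against the manifest; return a list of (relative path, problem)."""
    problems = []
    for rel, digest in manifest.items():
        p = Path(restored) / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != digest:
            problems.append((rel, "checksum mismatch"))
    present = {str(p.relative_to(restored)) for p in Path(restored).rglob("*") if p.is_file()}
    problems.extend((rel, "unexpected file") for rel in sorted(present - set(manifest)))
    return problems


def rpo_met(last_backup, now, rpo):
    """True when the newest backup is no older than the Recovery Point Objective."""
    return now - last_backup <= rpo


def restoration_test():
    """Backup -> restore -> verify in temp dirs. Returns (clean result, result after corruption, seconds)."""
    with tempfile.TemporaryDirectory() as work:
        src, bak, restored = (Path(work) / n for n in ("src", "backup", "restored"))
        (src / "records").mkdir(parents=True)
        (src / "records" / "P-0001.json").write_text('{"patient_id": "P-0001"}')   # constructed
        (src / "index.txt").write_text("P-0001\n")
        manifest = take_backup(src, bak)
        start = datetime.now(timezone.utc)
        take_backup(bak, restored)                 # the "restore" step for this example
        elapsed = (datetime.now(timezone.utc) - start).total_seconds()
        clean = verify_restore(restored, manifest)
        (restored / "index.txt").write_text("P-0001\nP-0002\n")   # simulate a corrupted restore
        corrupted = verify_restore(restored, manifest)
        return clean, corrupted, elapsed


if __name__ == "__main__":
    clean, corrupted, elapsed = restoration_test()
    print("clean restore problems:", clean)
    print("corrupted restore problems:", corrupted)
    print(f"restore took {elapsed:.3f}s")
    now = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)           # constructed timestamps
    print("RPO 4h met with a 2h-old backup:", rpo_met(now - timedelta(hours=2), now, timedelta(hours=4)))
    print("RPO 4h met with a 6h-old backup:", rpo_met(now - timedelta(hours=6), now, timedelta(hours=4)))
```

Store the manifest with the backup but under a different key or account than the backup data itself, so that whoever can alter a backup cannot also alter the record of what it should contain; the elapsed time from each quarterly run is the measured RTO evidence the DR plan asks for.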

8. Breach Notification Procedures

  • Define breach identification procedures. Document how your organization identifies a potential breach — through monitoring alerts, employee reports, third-party notifications, or audit log reviews.
  • Establish a breach response team. Designate individuals responsible for breach investigation, containment, notification, and remediation. Include representatives from IT, legal, compliance, and communications.
  • Document the 4-factor risk assessment process. HIPAA requires a risk assessment to determine whether a breach has occurred, evaluating: the nature and extent of PHI involved, the unauthorized person who accessed the PHI, whether PHI was actually acquired or viewed, and the extent to which risk has been mitigated.
  • Prepare notification templates. Draft templates for individual notification letters, HHS notification, media notification (for breaches affecting 500+ individuals), and business associate notifications.
  • Meet notification timelines. Individual notification must occur within 60 days of breach discovery. HHS notification must occur within 60 days for breaches affecting 500+ individuals (annually for smaller breaches). Document your process for meeting these deadlines.
  • Maintain a breach log. Track all potential and confirmed breaches, including investigation findings, notifications sent, and remediation actions taken. Retain for at least 6 years.

9. Workforce Training and Policies

  • Conduct HIPAA security awareness training. Train all employees who handle or could access PHI at onboarding and annually thereafter. Training should cover PHI handling, security best practices, breach identification, and reporting procedures.
  • Document training completion. Maintain records of all training sessions, attendees, content covered, and completion dates. Retain for 6 years.
  • Implement and enforce sanctions. Document a sanctions policy for employees who violate HIPAA policies. Apply sanctions consistently and document all actions.
  • Create a HIPAA-specific acceptable use policy. Define acceptable use of systems, email, mobile devices, and cloud services as they relate to PHI handling.
  • Address workforce clearance procedures. Define procedures for granting, reviewing, and terminating workforce access to PHI based on role, clearance, and ongoing need.

10. Risk Management

  • Conduct an annual risk analysis. Perform a comprehensive risk analysis as required by the HIPAA Security Rule (45 CFR 164.308(a)(1)). Identify threats, vulnerabilities, and the likelihood and impact of potential breaches. Document findings.
  • Implement a risk management plan. For each identified risk, define mitigation strategies, assign ownership, and establish timelines. Track risk remediation to completion.
  • Review and update the risk analysis when changes occur. Trigger a risk analysis update whenever you add new systems, change infrastructure, experience a security incident, or adopt new technologies.
  • Maintain risk documentation for 6 years. All risk analyses, management plans, and remediation records must be retained per HIPAA documentation requirements.

HIPAA-Eligible Cloud Services: Azure vs AWS

Not every cloud service is HIPAA-eligible. Using a non-eligible service to process PHI is a compliance violation regardless of how well you configure it. The following table highlights commonly used HIPAA-eligible services on both major platforms:

Service Category | Azure | AWS
Compute | Azure Virtual Machines, Azure App Service, Azure Functions | EC2, Lambda, ECS, Fargate
Database | Azure SQL Database, Cosmos DB, Azure Database for PostgreSQL | RDS, DynamoDB, Aurora
Storage | Azure Blob Storage, Azure Files, Azure Data Lake | S3, EFS, Glacier
Identity | Microsoft Entra ID (Azure AD) | IAM, Cognito
Networking | Azure Virtual Network, Azure Firewall, Azure Front Door | VPC, WAF, CloudFront
Monitoring | Azure Monitor, Microsoft Sentinel | CloudWatch, CloudTrail, GuardDuty
Key Management | Azure Key Vault | AWS KMS
AI/ML | Azure AI Services (select services) | SageMaker, Comprehend Medical
Messaging | Azure Service Bus | SQS, SNS

Always verify current HIPAA eligibility against the provider’s official documentation before deploying PHI workloads. Service eligibility can change as providers update their compliance certifications.

For a detailed comparison of Azure and AWS capabilities beyond HIPAA, see our Azure vs AWS vs GCP comparison guide.

Frequently Asked Questions

Does HIPAA require specific cloud providers?

No. HIPAA does not mandate a specific cloud provider. It requires that any cloud provider handling PHI signs a BAA and that the covered entity verifies the provider’s security practices. Azure, AWS, and GCP all offer HIPAA-eligible services and BAAs. The compliance obligation falls on you to configure those services correctly.

Can we store PHI in a public cloud?

Yes, provided you execute a BAA with the cloud provider, use only HIPAA-eligible services, implement all required safeguards (encryption, access controls, audit logging), and maintain your own compliance program. Storing PHI in the cloud is not inherently non-compliant — storing it without proper safeguards is.

What are the penalties for HIPAA non-compliance?

The HHS Office for Civil Rights enforces HIPAA with a tiered penalty structure. Penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with annual caps per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. Beyond regulatory penalties, breaches result in reputational damage, patient lawsuits, and loss of business.

How does HIPAA apply to SaaS applications?

If a SaaS application processes, stores, or transmits PHI on behalf of a covered entity, the SaaS vendor is a business associate and must sign a BAA. The SaaS vendor must implement appropriate safeguards and can be held directly liable for HIPAA violations. Before adopting any SaaS tool for PHI workloads, verify that the vendor will sign a BAA and request documentation of their security controls.

What is the minimum necessary standard?

The minimum necessary standard requires that covered entities and business associates limit PHI access, use, and disclosure to the minimum amount necessary to accomplish the intended purpose. This means role-based access, data-level permissions, and application-level controls that restrict users to only the PHI they need for their specific job functions.

Do we need to encrypt PHI in a private cloud?

Yes. HIPAA does not distinguish between public and private cloud. The Security Rule lists encryption as an addressable implementation specification. “Addressable” does not mean optional: you must either implement encryption or document why an equivalent alternative provides adequate protection. In practice, there is no credible alternative — encrypt PHI in every environment.

Building a Sustainable HIPAA Compliance Program

HIPAA compliance in the cloud is not a one-time checklist — it is an ongoing operational discipline. The technical controls, administrative procedures, and organizational practices outlined above must be maintained, monitored, and updated continuously.

Key principles for sustainability:

  • Automate compliance monitoring. Use cloud-native compliance tools (Azure Policy, AWS Config) to continuously assess your environment against HIPAA requirements.
  • Integrate compliance into your SDLC. Build security and compliance checks into your deployment pipeline so non-compliant configurations cannot reach production.
  • Maintain a compliance calendar. Schedule recurring activities: quarterly access reviews, annual risk analyses, annual training, periodic penetration testing, and BAA reviews.
  • Document everything. HIPAA’s 6-year retention requirement means you need a sustainable documentation system, not a folder of ad hoc screenshots.

Exodata provides security and compliance services for healthcare organizations navigating HIPAA in the cloud, from initial risk analysis through ongoing compliance management and monitoring.
