The healthcare sector has experienced more data breaches than any other industry for fourteen consecutive years. A significant and growing proportion of those breaches involve cloud-hosted systems — electronic health records, health information exchanges, medical device data platforms, and telehealth applications.

HIPAA compliance in the cloud is not a documentation exercise. Auditors and OCR investigators increasingly look for technical evidence that controls are operating within the cloud environment — not just policies describing how they should operate. The organisations that fail HIPAA audits or face OCR enforcement actions almost always have the policies. They frequently lack the technical controls.

A Business Associate Agreement with AWS, Azure, or GCP is not HIPAA compliance. It is the beginning of HIPAA compliance.

The BAA Misunderstanding

The most common and most consequential misunderstanding in cloud HIPAA compliance is the belief that signing a Business Associate Agreement with your cloud provider constitutes HIPAA compliance. It does not. The BAA establishes that the cloud provider will handle PHI appropriately on its infrastructure. It says nothing about how you configure, secure, or manage your systems running on that infrastructure.

The HIPAA Security Rule's technical safeguards — encryption, access control, audit logging, automatic logoff, authentication — must be implemented by the covered entity or business associate using the cloud. The cloud provider's BAA does not implement them. Your configuration does.

The Access Control Gap

HIPAA requires that access to PHI be limited to the minimum necessary for the user's role — the minimum necessary standard. In cloud environments, this translates directly to IAM policy design. IAM policies must be specific: a nurse practitioner's application should have access to the patient records necessary for that role, not to all patient records in the database.

The most common access control failure we observe is the use of wildcard IAM policies — policies that grant access to all resources of a type rather than specific resources. These are frequently inherited from development environments where access was granted broadly for convenience and never tightened for production deployment.
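The wildcard pattern described above is easy to catch mechanically before a policy reaches production. The following is an added example, not code from the original article: a small checker that reads an IAM policy document and reports every Allow statement that grants by wildcard, shown against a constructed "development" policy and a constructed role-scoped "production" policy. The bucket, table, account id and principal tag name are placeholders; the `dynamodb:LeadingKeys` condition key and the `${aws:PrincipalTag/...}` policy variable are real IAM features used here to illustrate scoping a grant to one clinic's records.

```python
"""Flag IAM policy statements that grant wildcard access.

This is an added example, not code from the original article. The two policy
documents are constructed; the bucket, table, account id and tag name are
placeholders, not real identifiers.
"""
import json

# Constructed "development" policy: broad grants of the kind the article
# describes as inherited from dev and never tightened for production.
DEV_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
})

# Constructed production policy: one role, only the actions it needs, only the
# resources holding its patients' records, and a condition restricting
# DynamoDB reads to partition keys that match the caller's clinic tag.
PROD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/clinic-a/*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/patient-records",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": ["${aws:PrincipalTag/clinic}"]
                }
            },
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(element):
    """'*' alone, a service-wide 'service:*' action, or an 'arn:...:*' resource."""
    return element == "*" or element.endswith(":*")


def find_wildcard_grants(policy_json):
    """Return one finding per Allow statement that grants by wildcard.

    A finding records the statement index and the offending actions and
    resources. Statements using NotAction or NotResource are reported too,
    because they allow everything except the listed items.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"statement": index,
                             "actions": ["NotAction/NotResource"], "resources": []})
            continue
        wildcard_actions = [a for a in _as_list(stmt.get("Action")) if _is_wildcard(a)]
        wildcard_resources = [r for r in _as_list(stmt.get("Resource")) if _is_wildcard(r)]
        if wildcard_actions or wildcard_resources:
            findings.append({
                "statement": index,
                "actions": wildcard_actions,
                "resources": wildcard_resources,
            })
    return findings


if __name__ == "__main__":
    for name, doc in (("dev", DEV_POLICY), ("prod", PROD_POLICY)):
        print(name, find_wildcard_grants(doc))
```

Run against the development policy the checker reports both statements; against the production policy it reports nothing. A check like this belongs in the pipeline that deploys IAM changes, so a wildcard grant is rejected before it ever touches PHI rather than discovered in an audit.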

The Audit Logging Gap

HIPAA requires audit controls — hardware, software, and procedural mechanisms that record and examine activity in information systems containing PHI. In cloud terms, this means comprehensive logging of all access to PHI — who accessed what, when, from where, and what they did.

AWS CloudTrail, Azure Monitor, and Google Cloud Audit Logs provide the raw logging capability. But logging must be configured to capture the right events, logs must be stored securely and immutably, and there must be a process for reviewing logs for anomalies. The logging capability is not compliance. The configured, monitored, and reviewed logging system is compliance.
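The "reviewed" half of that sentence is the part that is usually missing. The following is an added example, not code from the original article: a review pass over CloudTrail S3 data-event records for a PHI bucket that flags reads from outside the approved network and principals reading an unusual volume of objects. The records, bucket name, account id, principal ARNs, address ranges and thresholds are all constructed placeholders; only the record field names (`eventSource`, `eventName`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters.bucketName`) follow the real CloudTrail shape.

```python
"""Review CloudTrail S3 data-event records for anomalous access to a PHI bucket.

This is an added example, not code from the original article. The records,
bucket name, account id, principal names and address ranges are constructed
placeholders.
"""
import ipaddress
from collections import Counter

PHI_BUCKET = "example-phi-bucket"                        # placeholder
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the VPC range
BULK_READ_THRESHOLD = 20   # assumption: object reads per principal per review window


def _record(principal_arn, source_ip, key, event_name="GetObject"):
    """Minimal CloudTrail S3 data-event shape: only the fields the review uses."""
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "eventTime": "2025-01-15T14:02:11Z",
        "userIdentity": {"arn": principal_arn},
        "sourceIPAddress": source_ip,
        "requestParameters": {"bucketName": PHI_BUCKET, "key": key},
    }


NURSE_APP = "arn:aws:sts::123456789012:assumed-role/nurse-app/i-0abc"
DEV_USER = "arn:aws:iam::123456789012:user/dev-temp"
BATCH_JOB = "arn:aws:sts::123456789012:assumed-role/reporting-batch/job"

# Constructed review window: normal application reads, one read from outside
# the VPC by a leftover IAM user, and a batch job pulling far more objects
# than the threshold allows.
SAMPLE_RECORDS = (
    [_record(NURSE_APP, "10.0.1.5", f"clinic-a/{n}.json") for n in range(2)]
    + [_record(DEV_USER, "203.0.113.7", "clinic-b/9912.json")]
    + [_record(BATCH_JOB, "10.0.2.9", f"clinic-a/{n}.json") for n in range(25)]
)


def review_phi_access(records, allowed_networks=ALLOWED_NETWORKS,
                      bulk_threshold=BULK_READ_THRESHOLD):
    """Return findings for reads of the PHI bucket that need a human look."""
    findings = []
    reads = Counter()
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != PHI_BUCKET:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")

        # Check 1: source address outside the approved network. CloudTrail puts
        # an AWS service name here for service-initiated calls; those do not
        # parse as addresses and are surfaced for review as well.
        try:
            address = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
            inside = any(address in net for net in allowed_networks)
        except ValueError:
            inside = False
        if not inside:
            findings.append({"type": "external_source", "principal": principal,
                             "source": rec.get("sourceIPAddress"),
                             "key": params.get("key")})

        # Check 2: count object reads per principal for the volume check below.
        if rec.get("eventName") == "GetObject":
            reads[principal] += 1

    for principal, count in reads.items():
        if count > bulk_threshold:
            findings.append({"type": "bulk_read", "principal": principal,
                             "count": count})
    return findings


if __name__ == "__main__":
    for finding in review_phi_access(SAMPLE_RECORDS):
        print(finding)
```

Two design points matter more than the specific checks. First, the review only works if S3 data events are actually enabled on the trail; management events alone never record a GetObject. Second, the records it reads must come from a store the reviewed principals cannot modify, otherwise the review is evidence of nothing.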

The Encryption Gap

HIPAA does not mandate encryption outright. It lists encryption of PHI at rest and in transit as an addressable specification, which means encryption must be implemented unless a documented risk analysis concludes that it is not reasonable and appropriate — a conclusion that is essentially impossible to reach for cloud-hosted PHI in 2025.

The encryption failures we observe are not failures to encrypt at all — they are partial encryption: databases encrypted, backup storage not encrypted; data encrypted in transit to the application, not encrypted in transit between application components; primary storage encrypted, log storage not encrypted.

Complete HIPAA-compliant encryption in the cloud requires a systematic review of every data flow and every data store — not just the obvious ones.
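A systematic review is easier to defend when the inventory it runs over is explicit. The following is an added example, not code from the original article: a constructed inventory of PHI stores (primary, backup and log) and the flows between components, with a review that reports unencrypted stores, plaintext hops, and primary stores whose backups or logs were never inventoried at all. The sample deliberately reproduces the partial-encryption patterns listed above; every resource name is a placeholder.

```python
"""Encryption coverage review over a constructed inventory of stores and flows.

This is an added example, not code from the original article. The inventory
mirrors the partial-encryption patterns the article describes: an encrypted
database with unencrypted snapshots, TLS at the edge but not between
components, encrypted primary storage with an unencrypted log bucket.
Resource names are placeholders.
"""

# Every place PHI rests: primary stores, their backups, and their logs.
# "parent" ties a backup or log store to the primary store it derives from.
STORES = [
    {"id": "rds/patients-db",       "role": "primary", "parent": None,               "encrypted": True},
    {"id": "rds-snapshot/patients", "role": "backup",  "parent": "rds/patients-db",  "encrypted": False},
    {"id": "s3/phi-documents",      "role": "primary", "parent": None,               "encrypted": True},
    {"id": "s3/phi-documents-logs", "role": "log",     "parent": "s3/phi-documents", "encrypted": False},
    {"id": "elasticache/session",   "role": "primary", "parent": None,               "encrypted": False},
    {"id": "s3/cloudtrail-archive", "role": "log",     "parent": None,               "encrypted": True},
]

# Every hop PHI takes between components, and whether that hop is encrypted.
FLOWS = [
    {"src": "internet",        "dst": "alb",                   "tls": True},
    {"src": "alb",             "dst": "app",                   "tls": True},
    {"src": "app",             "dst": "rds/patients-db",       "tls": True},
    {"src": "app",             "dst": "elasticache/session",   "tls": False},
    {"src": "app",             "dst": "s3/phi-documents",      "tls": True},
    {"src": "rds/patients-db", "dst": "rds-snapshot/patients", "tls": True},
]


def review_encryption(stores, flows):
    """Return a list of gaps.

    Three kinds: a store holding PHI without encryption at rest, a flow
    carrying PHI without TLS, and a primary store with no backup or log store
    recorded against it. The third is a gap in the review itself: either the
    derived store exists and was missed, or its absence needs documenting.
    """
    gaps = []
    for store in stores:
        if not store["encrypted"]:
            gaps.append({"type": "store_unencrypted", "id": store["id"],
                         "role": store["role"]})
    for flow in flows:
        if not flow["tls"]:
            gaps.append({"type": "flow_plaintext",
                         "path": f"{flow['src']} -> {flow['dst']}"})
    for store in stores:
        if store["role"] != "primary":
            continue
        recorded = {s["role"] for s in stores if s["parent"] == store["id"]}
        for missing in sorted({"backup", "log"} - recorded):
            gaps.append({"type": "store_not_inventoried", "id": store["id"],
                         "missing": missing})
    return gaps


if __name__ == "__main__":
    for gap in review_encryption(STORES, FLOWS):
        print(gap)
```

On the constructed inventory this reports three unencrypted stores (the snapshot, the access-log bucket and the session cache), one plaintext hop (application to cache), and four inventory gaps. The inventory gaps are the point of the exercise: the stores that fail encryption review in practice are the ones nobody listed.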

Ready to apply this to your organisation?

Book a free 30-minute discovery call. No agenda except understanding your situation and telling you honestly what we'd recommend.
