HIPAA Compliance in the Cloud: Securing ePHI in a Shared World
The shift to public cloud environments like AWS, Azure, and Google Cloud has revolutionized healthcare data management. However, a common misconception remains: that the cloud provider handles all the compliance.
Under the HHS Guidance on Cloud Computing, compliance is a Shared Responsibility Model. While the provider secures the cloud itself, you are responsible for securing the data within the cloud.
The Foundation: The Business Associate Agreement (BAA)
Before a single byte of Protected Health Information (PHI) touches the cloud, you must have a signed BAA. The BAA is the foundational legal document required by HIPAA that establishes the responsibilities for safeguarding PHI between a Covered Entity (like a healthcare provider or health plan) and a Business Associate (like a cloud provider or vendor).
- No Exceptions: Even if the provider only stores encrypted data and doesn’t have the decryption key (a “no-view” service), they are still a Business Associate.
- Verify Services: Not every service offered by a cloud provider is HIPAA-compliant. Confirm that each specific service you use (e.g., S3 buckets, managed SQL databases) is listed as covered under your provider’s BAA terms before it touches PHI.
- Subcontractors: The BAA must address subcontractors. The Business Associate cannot engage a subcontractor to create, receive, maintain, or transmit PHI without the Covered Entity’s prior written consent, and the subcontractor must agree to the same restrictions and obligations that apply to the Business Associate.
- SUD Language: Business Associates that handle any data that could be classified as “Part 2” data (records related to substance use disorder (SUD), such as claims or clinical notes) must explicitly include new language concerning Redisclosure Restrictions and updated Breach Notification requirements.
Mandatory Technical Controls
Recent updates to the HIPAA Security Rule have shifted several “addressable” safeguards to “required” mandates. To stay compliant, your cloud environment must include:
- Prescriptive Encryption: You must use AES-256 encryption for all ePHI at rest and TLS 1.2 or higher for data in transit.
- Multi-Factor Authentication (MFA): MFA is now a mandatory control for all systems accessing ePHI, including administrative cloud consoles.
- Network Microsegmentation: Coarse segmentation with basic tools such as VLANs is no longer sufficient. You must implement identity-based microsegmentation to prevent lateral movement in the event of a breach.
  - VLANs split the office into a few large sections, like “Sales” and “Claims.” If a hacker breaches a single computer in the Sales section, they can move freely to every other computer in that section.
  - Identity-based microsegmentation gives every workstation and every system its own unique identity (key) and its own firewall policy, so access is granted per identity rather than per network segment. If one workstation is compromised, the hacker is immediately blocked from moving sideways (lateral movement) to other critical systems, protecting the whole network.
Identity and Access Management (IAM)
In the cloud, the traditional network boundary is gone, meaning “Identity is the new perimeter.” This shifts the focus from securing the physical network edge to ensuring that every user and system accessing electronic Protected Health Information (ePHI) is verified and has the absolute minimum access required.
- Role-Based Access Control (RBAC): This requires assigning permissions based strictly on an individual’s specific job function or the service’s purpose. For example, a billing specialist should only have access to billing systems and databases, not clinical records. The goal is to prevent users from having more access than their role strictly demands.
- Automated Provisioning and Deprovisioning: Use tools to automatically revoke access when an employee leaves or changes roles. Orphaned or over-privileged accounts are a frequent gap identified in OCR audits.
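An added example (not from the original article) of the reconciliation check that catches the deprovisioning and role-drift gaps described above: the HR system of record is compared against exported cloud IAM group memberships. All roster entries, group names, usernames and the role-to-group mapping are constructed, hypothetical values.

```python
# Constructed sample data (not real): the HR system of record and the cloud IAM
# group memberships exported on the same day. Field names are hypothetical.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "role": "billing_specialist"},
    "asmith": {"status": "active",     "role": "clinician"},
    "bwong":  {"status": "terminated", "role": "billing_specialist"},
    "cpatel": {"status": "active",     "role": "billing_specialist"},  # moved from clinical to billing
}
IAM_GROUPS = {
    "jdoe":       {"billing-readwrite"},
    "asmith":     {"clinical-records"},
    "bwong":      {"billing-readwrite"},                      # account still live after termination
    "cpatel":     {"billing-readwrite", "clinical-records"},  # stale group from the previous role
    "svc-legacy": {"clinical-records"},                       # no HR record at all
}
# Least-privilege definition: the only groups each job function is entitled to.
ROLE_GROUPS = {
    "billing_specialist": {"billing-readwrite"},
    "clinician": {"clinical-records"},
}


def reconcile(roster, iam_groups, role_groups):
    """Compare IAM memberships against HR and return three finding lists:
    accounts with no HR record, accounts of non-active employees that are
    still enabled, and accounts holding groups their current role does not
    entitle them to (role drift after a transfer)."""
    findings = {"orphaned": [], "terminated_still_active": [], "excess_groups": {}}
    for user, groups in iam_groups.items():
        record = roster.get(user)
        if record is None:
            findings["orphaned"].append(user)
            continue
        if record["status"] != "active":
            findings["terminated_still_active"].append(user)
            continue
        excess = groups - role_groups.get(record["role"], set())
        if excess:
            findings["excess_groups"][user] = sorted(excess)
    findings["orphaned"].sort()
    findings["terminated_still_active"].sort()
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, IAM_GROUPS, ROLE_GROUPS).items():
        print(f"{kind}: {items}")
```

Run it from a scheduled job against fresh exports; every non-empty finding is an access that should already have been revoked.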
Logging and Continuous Monitoring
You cannot protect what you cannot see. HIPAA requires “audit controls” that record and examine activity in systems containing ePHI.
- Centralized Logging: Export your cloud logs (like AWS CloudTrail or Azure Monitor) to a tamper-resistant environment.
- Review Activity: Establish and follow a formal log review policy, defining the frequency of checks (e.g., daily or weekly). This review is necessary to detect and investigate any unauthorized access or activity.
- Monitor High-Risk Areas: Logging data is essential for security only if it is actively monitored. Remote access, for instance, is considered a high-risk entry point, and failing to review logs from these connections leaves an organization vulnerable.
- Use Automated Tools: Implement automated alerting or a Security Information and Event Management (SIEM) tool to flag anomalies, such as off-hours access or logins from unrecognized IP addresses.
- Vulnerability Scanning: Compliance now requires regular testing and, in many cases, vulnerability scans at least twice a year to identify security gaps before attackers do.
Failing to implement and regularly review audit controls is a common deficiency cited in investigations by OCR.
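An added example (not from the original article) of the automated review the section calls for: a small rule set run over constructed log records written in the style of AWS CloudTrail events, flagging off-hours access, logins from IP addresses outside known ranges, and console logins without MFA. The business-hours window, the known network range and all usernames and addresses are constructed, hypothetical values.

```python
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records in the style of CloudTrail events (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-04T14:12:09Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "billing.clerk"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-04T02:47:33Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "ops.admin"},
     "sourceIPAddress": "203.0.113.22", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-04T15:03:51Z", "eventName": "GetObject", "userIdentity": {"userName": "billing.clerk"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-03-04T09:30:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "contractor.x"},
     "sourceIPAddress": "203.0.113.5", "additionalEventData": {"MFAUsed": "No"}},
]

# Hypothetical policy values: business hours 07:00-19:00 UTC and the organisation's
# known egress range. Replace with your own.
BUSINESS_HOURS = (7, 19)
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]


def flag_event(event):
    """Return the anomaly labels that apply to one event (empty list if none)."""
    findings = []
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        findings.append("off-hours")
    src = ip_address(event["sourceIPAddress"])
    if not any(src in net for net in KNOWN_NETWORKS):
        findings.append("unrecognized-ip")
    if event["eventName"] == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("console-login-without-mfa")
    return findings


def review_log(events):
    """Map each user to the sorted list of findings against them; clean users are omitted."""
    report = {}
    for ev in events:
        for f in flag_event(ev):
            report.setdefault(ev["userIdentity"]["userName"], set()).add(f)
    return {user: sorted(fs) for user, fs in report.items()}


if __name__ == "__main__":
    print(json.dumps(review_log(SAMPLE_EVENTS), indent=2))
```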
Redundancy and Disaster Recovery
Cloud environments are not immune to failure, making a proactive approach to data accessibility essential. HIPAA requires every organization to have a well-defined and regularly tested contingency plan to guarantee that electronic Protected Health Information (ePHI) remains available during a disruption.
- 3-2-1 Backup Strategy: Keep three copies of your data, on two different media types, with one copy off-site (or in a different cloud region).
- 72-Hour Restoration: New guidelines emphasize that critical systems should be restored within 72 hours of a disruption.
Next Steps for Your Organization
Maintaining a compliant cloud environment is an ongoing process. From annual staff training to a thorough Risk Assessment, TotalHIPAA is here to simplify the complex.