HIPAA Compliance for Cloud Environments: A Security Engineer's Practical Guide
Posture Compass Team
Compliance & Security Experts
Cloud adoption does not make HIPAA compliance harder—it makes it different. This guide covers the five most common cloud-specific HIPAA gaps and how automated posture monitoring closes them.
HIPAA was written before cloud computing existed. The Security Rule's 2003 language describes "workstations," "information systems," and "facilities"—not elastic compute, shared-responsibility models, or serverless functions. This creates a translation problem that security engineers in healthcare-adjacent organisations wrestle with daily.
The good news: the underlying principles of HIPAA's Security Rule map cleanly to cloud security best practices. The challenge is demonstrating that mapping to auditors who may themselves be learning the cloud model.
HIPAA's Security Rule: The Cloud Translation
The Security Rule requires covered entities and business associates to implement "reasonable and appropriate" administrative, physical, and technical safeguards to protect ePHI. Here is how each category translates to cloud environments:
- Administrative safeguards: Access management policies, workforce training, and incident response procedures. These remain largely the same as on-premises, but must now explicitly address cloud access roles and the shared-responsibility split with the provider.
- Physical safeguards: In cloud environments these largely transfer to your cloud provider (AWS, Azure and GCP hold SOC 2 Type II and ISO 27001 certifications covering physical controls). You still need policies for workstations and any on-premises equipment.
- Technical safeguards: Access controls, audit controls, integrity controls, and transmission security. All are directly configurable in cloud environments and auditable through platform-native logging.
The Five Most Common Cloud-Specific HIPAA Gaps
1. Misconfigured S3 Buckets (or Equivalent Object Storage)
Despite years of high-profile incidents, misconfigured object storage remains the most common source of ePHI exposure in cloud environments. The pattern is consistent: a developer creates a bucket for a legitimate purpose with public read access for convenience during testing and then forgets to restrict it.
The fix: Block public access at the account/organisation level, not just per bucket. Enable continuous scanning for buckets containing ePHI (identifiable by tag or naming convention). Any deviation from the baseline—public ACL added, bucket policy modified—should trigger an immediate alert.
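The following is an added example (not Posture Compass code) of the deviation check described above, run offline over a constructed inventory shaped like S3 API responses. It assumes ePHI buckets carry a `DataClass=ePHI` tag and applies the actual Public Access Block semantics: `IgnorePublicAcls` neutralises public ACLs and `RestrictPublicBuckets` neutralises public policies, at either account or bucket scope.

```python
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def setting_on(key, *configs):
    """A Public Access Block setting is effective if it is on at any scope (account or bucket)."""
    return any((cfg or {}).get(key) is True for cfg in configs)

def acl_is_public(acl):
    """Any grant to the AllUsers or AuthenticatedUsers group makes the ACL public."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
               for g in (acl or {}).get("Grants", []))

def policy_is_public(policy):
    """Unconditioned Allow to Principal '*' (or {'AWS': '*'}); conditioned grants are left for review."""
    for stmt in (policy or {}).get("Statement", []):
        p = stmt.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            return True
    return False

def exposed_ephi_buckets(account_block, buckets):
    """ePHI-tagged buckets (DataClass=ePHI is an assumed convention) still reachable via ACL or policy."""
    exposed = []
    for b in buckets:
        if b.get("Tags", {}).get("DataClass") != "ePHI":
            continue
        scopes = (account_block, b.get("PublicAccessBlock"))
        via_acl = acl_is_public(b.get("Acl")) and not setting_on("IgnorePublicAcls", *scopes)
        via_policy = policy_is_public(b.get("Policy")) and not setting_on("RestrictPublicBuckets", *scopes)
        if via_acl or via_policy:
            exposed.append(b["Name"])
    return sorted(exposed)

# Constructed inventory: no account-level block; one bucket has its own block, two have drifted public.
SAMPLE_ACCOUNT_BLOCK = None
SAMPLE_BUCKETS = [
    {"Name": "clinic-images", "Tags": {"DataClass": "ePHI"},
     "PublicAccessBlock": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
     "Acl": {"Grants": [{"Grantee": {"URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}]}},
    {"Name": "claims-export", "Tags": {"DataClass": "ePHI"}, "PublicAccessBlock": None,
     "Acl": {"Grants": [{"Grantee": {"URI": PUBLIC_GROUPS[1]}, "Permission": "READ"}]}},
    {"Name": "lab-results", "Tags": {"DataClass": "ePHI"}, "PublicAccessBlock": None,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::lab-results/*"}]}},
]

if __name__ == "__main__":
    print(exposed_ephi_buckets(SAMPLE_ACCOUNT_BLOCK, SAMPLE_BUCKETS))  # ['claims-export', 'lab-results']
```

Setting the account-level block (both neutralising keys on) empties the result for the same inventory, which is why the guidance above prefers account or organisation scope over per-bucket settings.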
2. Inadequate Encryption at Rest
HIPAA does not mandate encryption, but the HHS Guidance on Encryption and Decryption makes clear that ePHI encrypted in line with that guidance is considered unusable to unauthorised parties and is therefore exempt from breach notification, provided the decryption keys were not compromised as well. In practice, this makes encryption effectively mandatory: a breach of unencrypted ePHI requires notification, while a breach of properly encrypted ePHI generally does not.
The fix: Enforce encryption-at-rest policies through cloud configuration baselines. Audit all storage resources (databases, object storage, block storage, backups) against the policy continuously, not just at deployment time.
3. Overprivileged IAM Roles
The HIPAA minimum necessary standard requires that access to ePHI be limited to what is necessary to perform a job function. In cloud environments, IAM policies are the primary enforcement mechanism—but they drift over time as teams add permissions to solve problems and rarely remove them.
The fix: Establish IAM permission baselines for roles with ePHI access. Flag and review any role whose effective permissions expand beyond the baseline. Implement just-in-time access for administrative functions rather than persistent high-privilege roles.
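As an added example (not Posture Compass code), the following Python compares a role's effective IAM permissions against a recorded baseline. The action catalogue, the sensitive-action list and the role snapshot are all constructed sample data; wildcard actions are expanded case-insensitively and explicit Deny statements are subtracted, as IAM evaluates them.

```python
from fnmatch import fnmatchcase

# Constructed subset of the IAM action catalogue, used to expand wildcards such as
# "s3:Get*"; a real scan would load the full per-service action list.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:PutBucketPolicy",
    "s3:PutBucketAcl", "kms:Decrypt", "kms:Encrypt", "kms:ScheduleKeyDeletion",
    "iam:PassRole", "iam:CreateUser", "iam:AttachRolePolicy", "logs:PutLogEvents",
]
# Actions whose appearance outside the baseline should be reviewed first (sample choice).
SENSITIVE_ACTIONS = {"s3:PutBucketPolicy", "s3:PutBucketAcl", "kms:ScheduleKeyDeletion",
                     "iam:CreateUser", "iam:AttachRolePolicy"}

def expand(patterns):
    """Expand IAM action patterns ('s3:*', 'S3:get*', '*') case-insensitively against the catalogue."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return {a for a in ACTION_CATALOG for p in patterns if fnmatchcase(a.lower(), p.lower())}

def effective_actions(policy_documents):
    """Union of Allow actions across all attached policies minus explicit Denies (Deny wins).
    Resource and Condition scoping are ignored, so the result over-reports rather than under-reports."""
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in doc.get("Statement", []):
            target = allowed if stmt.get("Effect") == "Allow" else denied
            target |= expand(stmt.get("Action", []))
    return allowed - denied

def permission_drift(baseline, policy_documents):
    """Return (all actions beyond the baseline, the sensitive subset of those), both sorted."""
    new = effective_actions(policy_documents) - set(baseline)
    return sorted(new), sorted(new & SENSITIVE_ACTIONS)

# Constructed role snapshot: the baseline was recorded at deployment; a later "hotfix"
# policy broadened access with wildcards and only partly compensated with a Deny.
BASELINE = {"s3:GetObject", "s3:ListBucket", "kms:Decrypt", "logs:PutLogEvents"}
CURRENT_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": sorted(BASELINE), "Resource": "*"}]},
    {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "kms:*"], "Resource": "*"},
                   {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]},
]

if __name__ == "__main__":
    new, sensitive = permission_drift(BASELINE, CURRENT_POLICIES)
    print(new)        # ['kms:Encrypt', 's3:DeleteObject', 's3:PutBucketAcl', 's3:PutBucketPolicy', 's3:PutObject']
    print(sensitive)  # ['s3:PutBucketAcl', 's3:PutBucketPolicy']
```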
4. Missing or Inadequate Audit Logging
HIPAA requires audit controls that record activity in information systems containing ePHI. In cloud environments, this means the platform audit trail (CloudTrail on AWS, Activity Log on Azure) must be enabled in every region, covering all services that process ePHI, with logs shipped to a tamper-evident destination and retained for at least 6 years.
The fix: Configuration scanning should verify that logging is enabled on every service and every region—not just the ones you think are relevant. It is easy to spin up a new service or region and forget to enable logging.
5. Business Associate Agreement Gaps
Every cloud service vendor, SaaS tool, or managed service provider that touches ePHI is a Business Associate under HIPAA. Many organisations are diligent about BAAs with their major cloud providers but miss the long tail of SaaS tools used by clinical or operational teams.
The fix: Maintain a real-time inventory of all services that could access ePHI, not just the ones IT provisioned. Shadow IT discovery tools and enforced cloud procurement processes both help here.
Demonstrating Compliance: What Auditors Actually Want to See
OCR audits and third-party HIPAA assessments increasingly focus on evidence of continuous control effectiveness, not point-in-time snapshots. This means:
- Configuration scan history showing your controls were in place throughout the audit period, not just the week before the audit
- Access review logs demonstrating that ePHI access was periodically reviewed and excessive permissions were revoked
- Incident and near-miss logs showing your monitoring actually detected something—a system with zero alerts is more suspicious than one that detected and resolved drift events
- Training completion records with dates and attestation signatures
- Signed and current BAAs for all applicable vendors
The organisations that pass HIPAA audits without drama are not the ones with the most sophisticated security programmes. They are the ones with the most consistent documentation of reasonable controls applied continuously over time.
The Posture Compass team helps organizations worldwide implement security frameworks efficiently. Our platform automates compliance tracking so you can focus on real risk reduction.