HIPAA Compliant Cloud Hosting: Requirements and How to Choose in 2026
Last updated: June 16, 2026
HIPAA compliant cloud hosting is cloud infrastructure that stores or processes electronic protected health information (ePHI) under a signed Business Associate Agreement (BAA), with the HIPAA Security Rule safeguards in place: encryption at rest and in transit, access controls, audit logging, and tested backups. The big clouds, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, all sign a BAA and give you the building blocks. They do not hand you compliance. Under the shared responsibility model, the cloud secures the data centers and core services, and you secure how you set everything up. HIPAA compliant cloud hosting is what you get when those building blocks are configured correctly and backed by the contract.
TL;DR: Quick answer
HIPAA compliant cloud hosting rests on two things at minimum: a signed BAA under 45 CFR § 164.308(b), and the Security Rule safeguards, above all the technical safeguards at 45 CFR § 164.312, configured in your environment.
AWS, Azure, and Google Cloud each sign a BAA, but only for their HIPAA-eligible services. AWS lists more than 160 eligible services as of its May 2026 reference. PHI must stay inside the covered list.
The cloud is not compliant by default. Most failures come from customer configuration, not the platform itself.
Encryption is "addressable" today under 45 CFR § 164.312(a)(2)(iv). A rule proposed in December 2024 would make it and multi-factor authentication mandatory, but it is not final as of June 2026.
You can build HIPAA compliant cloud hosting yourself or have a managed host configure and run it for you. The safeguards are the same either way.
What is HIPAA compliant cloud hosting?
Cloud hosting means your website or application runs on virtual servers that a cloud provider operates, instead of one physical machine you own. You rent computing power, storage, and a network, and you can scale them up or down as needed. When any of those resources hold patient data, the provider becomes a Business Associate under 45 CFR § 160.103 and must sign a BAA before the data arrives.
So HIPAA compliant cloud hosting is the cloud version of the same two-part rule that governs all hosting: the contract plus the controls. For the full picture of how those two parts fit together across any setup, see our complete guide to HIPAA-compliant hosting. This article focuses on the cloud, where the scale and the flexibility are larger and so is the configuration work.
Which clouds will sign a BAA?

All three major clouds sign a BAA, and each one covers only a named list of services. Anything off that list is outside the BAA, so putting PHI there is a disclosure to a business associate without a contract, even inside an account where the BAA is in force.
Amazon Web Services (AWS). You accept the BAA yourself through AWS Artifact. The AWS HIPAA Eligible Services Reference lists more than 160 services as of its May 22, 2026 update, the broadest catalog of the three. Our deep dive on whether AWS is HIPAA compliant covers the AWS side step by step.
Microsoft Azure. Microsoft makes a HIPAA BAA available through its online services terms, and most Azure services are HIPAA-eligible. You still confirm which services your workload uses are in scope.
Google Cloud. Google signs a BAA that covers its infrastructure and a published list of HIPAA-eligible services. As with the others, services outside that list are off-limits for PHI.
The takeaway is the same for every provider: a BAA is the starting line, and you must keep PHI inside the covered services. A signed BAA over the wrong service still fails an audit.
What does the Security Rule require in the cloud?

The technical safeguards at 45 CFR § 164.312 map directly onto a cloud environment. Here is each control and what it looks like when your servers live in the cloud.
| Control | CFR citation | In the cloud |
|---|---|---|
| Encryption at rest | § 164.312(a)(2)(iv) | Encrypt disks, object storage, databases, and snapshots, commonly with AES-256 and managed keys |
| Encryption in transit | § 164.312(e)(1), (e)(2)(ii) | TLS 1.2 or higher on every connection that carries ePHI, including between internal services, with older protocol versions disabled |
| Access control and unique IDs | § 164.312(a)(1), (a)(2)(i) | Identity and access management with named accounts, least privilege, and MFA on every login |
| Automatic logoff | § 164.312(a)(2)(iii) | Idle sessions to servers and consoles time out |
| Audit controls | § 164.312(b) | Platform, network, and application logs sent to tamper-resistant storage and reviewed |
| Backups and recovery | § 164.308(a)(7) | Encrypted backups, copies in a second region, and a restore you have actually tested |
One point worth stating clearly, because many 2026 articles get it wrong: encryption is still an "addressable" specification under § 164.312(a)(2)(iv), which means you use it or document an equal alternative. For hosted ePHI there is no credible alternative, so treat it as required in practice. The December 2024 proposed Security Rule update would make encryption and MFA explicitly mandatory, but as of June 2026 that rule is not final. Our CFR-mapped security checklist turns each of these controls into concrete settings.
Cloud hosting, servers, and the types you will see
People shopping for HIPAA compliant cloud hosting run into a lot of words for the same idea. Here is a plain map.
Managed cloud hosting. A provider runs your cloud servers and the safeguards for you. This is the most common choice for healthcare teams that would rather not staff a cloud engineer.
Self-managed cloud or a HIPAA compliant server you run. You rent the servers and own all the configuration: encryption, access, logging, patching, and backups. Full control, full responsibility.
Dedicated and single-tenant servers. Your environment is isolated from other customers, which lowers risk and simplifies your risk analysis.
File transfer servers. A HIPAA compliant SFTP server, used to move files securely, must meet the same encryption, access, and logging rules. Plain FTP does not qualify: it sends credentials and file contents in cleartext.
The database deserves its own attention, because it holds the most records in one place. We cover that tier in HIPAA compliant database hosting.
Who is responsible for what?

Cloud HIPAA work splits across up to three parties. Knowing the split is how you avoid the gaps that show up in audits.
| Area | Cloud provider | You or your managed host |
|---|---|---|
| Data centers and hardware | Secures the physical layer | Inherits it through the BAA |
| Eligible services | Publishes the covered list | Keeps PHI only inside that list |
| Encryption and access | Provides the tools | Turns them on and configures them |
| Logging and backups | Provides the services | Enables, retains, reviews, and tests them |
Risk analysis and training | Not their job | Yours under 45 CFR § 164.308(a)(1)(ii)(A) |
The cloud provider secures the cloud. You secure what you put in it. A managed host can take that second column off your team's plate, which is where most healthcare practices lack the staff.
How do you choose HIPAA compliant cloud hosting?
BAA before PHI. Signed, and you have read which services it covers.
Eligible services only. Confirm every service touching PHI is on the provider's covered list.
Encryption on by default, at rest and in transit, with managed keys.
Logging you can keep and review. The Security Rule sets no specific log retention period, but 45 CFR § 164.316(b)(2)(i) requires six-year retention of required documentation, and most teams apply the same six years to audit logs so that log reviews can be evidenced.
A tested recovery plan, not just backups that have never been restored.
A clear responsibility matrix, in writing, so you know which controls are yours.
If you would rather not build all of that, the budget side is worth a look first; our 2026 HIPAA hosting cost guide shows what managed cloud environments usually run.
If you would rather have it built and run for you
The hardest part of HIPAA compliant cloud hosting is not the idea, it is the steady configuration and upkeep that the safeguards demand. If your team would rather serve patients and ship product than tune cloud security, a managed host can own that layer. At HIPAA Compliant Hosting, our managed HIPAA cloud hosting provisions single-tenant environments that arrive with a signed BAA, encryption, a web application firewall, monitoring, six-year audit logging, and tested encrypted backups. We sell this service, so treat that as a disclosure, not a neutral verdict. We also think a team that understands the shared responsibility model makes safer choices, whoever runs its servers. If you want a straight read on your setup, tell us what you are building.
Frequently asked questions
Is cloud hosting HIPAA compliant?
Cloud hosting can be HIPAA compliant when it runs under a signed BAA, keeps PHI inside the provider's HIPAA-eligible services, and implements the Security Rule safeguards: encryption, access control, audit logging, and tested backups. The cloud is not compliant on its own.
Which cloud is best for HIPAA compliant cloud hosting?
AWS, Azure, and Google Cloud all sign a BAA and can host PHI well. AWS lists the most eligible services, more than 160. The best choice depends on your stack and your team's skills, because each one leaves configuration and logging to you.
Does AWS, Azure, or Google Cloud make my app HIPAA compliant automatically?
No. A signed BAA and eligible services are necessary, not sufficient. Your configuration, access decisions, and documented risk analysis determine whether the system is compliant.
What are the HIPAA compliant server requirements?
Encryption at rest and in transit, unique user accounts with least privilege and MFA, automatic logoff, audit logging with retention, tested encrypted backups, and a BAA covering the hosting. The same rules apply to a web server, a database server, or an SFTP server.
Do I need a managed host for HIPAA compliant cloud hosting?
No, but many teams choose one. You can configure the cloud yourself if you have the skills and time. A managed host exists to run the encryption, logging, patching, and backups so your staff does not have to.
Recap: HIPAA compliant cloud hosting
To recap, HIPAA compliant cloud hosting is cloud infrastructure that holds ePHI under a signed BAA with the Security Rule safeguards in place. AWS, Azure, and Google Cloud all sign a BAA, but only for their eligible services, and only you can configure and document the controls that make the system compliant. Build it yourself or hand it to a managed host, but get the BAA first, keep PHI inside covered services, and encrypt, log, and test everything.
This article is general information, not legal advice. Cloud provider service lists and BAA terms change, and the December 2024 Security Rule proposal is not final as of June 2026. Confirm current terms with your provider, consult qualified counsel, and base your safeguards on a documented risk analysis. Reviewed June 2026.
Sources
45 CFR § 164.312 (technical safeguards): ecfr.gov
Microsoft: HIPAA and the Azure compliance offering
Google Cloud: HIPAA compliance on Google Cloud