HIPAA Compliance Checklist for Cloud-Hosted Healthcare Applications

Understanding HIPAA in the Cloud Context

The Health Insurance Portability and Accountability Act (HIPAA) was written in 1996 — long before cloud computing existed. However, the Department of Health and Human Services (HHS) has provided guidance confirming that HIPAA's Security Rule fully applies to Protected Health Information (PHI) stored or processed in cloud environments.

This creates both an opportunity and a risk: cloud platforms like AWS, Azure, and GCP offer powerful security tools that can make HIPAA compliance easier to achieve than on-premise deployments — but only if configured correctly. A misconfigured S3 bucket or an unencrypted database can create massive liability overnight.

Part 1: Business Associate Agreements (BAAs)

Before a single line of PHI touches any cloud service, you must have a signed Business Associate Agreement in place. This is non-negotiable.

Who Needs a BAA?

• Your cloud infrastructure provider (AWS, Azure, GCP — all offer HIPAA BAAs)
• Any SaaS platform that processes or stores PHI (email, helpdesk, analytics)
• Managed service providers with system access
• Backup and disaster recovery vendors
• Telehealth video platform providers

BAA Checklist

• ☑ BAA executed with all cloud infrastructure providers
• ☑ BAA covers all HIPAA-eligible services being used
• ☑ BAA stored securely with version tracking
• ☑ BAA renewal dates tracked and monitored
• ☑ Vendor subcontractor BAA chain verified

Part 2: Encryption — At Rest and In Transit

HIPAA requires "reasonable and appropriate" safeguards for PHI. While encryption is technically "addressable" (meaning you document if you don't implement it), in practice, any cloud deployment without encryption is indefensible.

Encryption at Rest

• Database: AES-256 encryption for all database tables containing PHI. Enable Transparent Data Encryption (TDE) in MySQL/SQL Server, or AWS RDS encryption.
• File storage: S3 server-side encryption (SSE-S3 or SSE-KMS), Azure Storage Service Encryption
• Backups: Ensure backup files are encrypted before transfer to backup storage
• Application servers: Full-disk encryption on all server volumes containing PHI

Encryption in Transit

• TLS 1.2 minimum, TLS 1.3 strongly recommended (disable SSLv3, TLS 1.0, 1.1)
• Valid SSL certificate with automatic renewal (Let's Encrypt or ACM)
• HSTS headers with minimum 1-year max-age
• Encrypted database connections (require_secure_transport = ON in MySQL)
• VPN or private endpoints for inter-service communication
• No PHI in URL parameters (use POST with HTTPS body)

Encryption Checklist

• ☑ All databases encrypted at rest (AES-256)
• ☑ All file storage encrypted at rest
• ☑ All backup data encrypted
• ☑ TLS 1.2+ enforced on all endpoints
• ☑ SSL certificates valid and auto-renewing
• ☑ Database connections require TLS
• ☑ HSTS implemented on all web applications

Part 3: Access Controls

The HIPAA Security Rule's Access Control standard requires unique user identification, automatic logoff, emergency access procedures, and encryption. Here's how to implement this in a cloud environment:

Identity and Access Management (IAM)

• Principle of Least Privilege: Every user and service gets only the permissions they need, nothing more
• MFA: Multi-factor authentication required for all accounts with PHI access
• No shared credentials: Every individual gets their own account — no shared login for "clinic staff"
• Service accounts: Applications authenticate with service accounts, not human credentials
• Regular access reviews: Quarterly review of who has access to what — revoke immediately on role change or termination

Application-Level Access Controls

• Role-Based Access Control (RBAC) with clinical roles (physician, nurse, biller, admin)
• Record-level access controls (providers see only their assigned patients by default)
• Automatic session timeout (15 minutes of inactivity)
• Password complexity enforcement (12+ characters, complexity requirements)
• Account lockout after 5 failed attempts
• Emergency "break glass" procedures for after-hours access

Part 4: Audit Logging and Monitoring

HIPAA requires maintaining audit logs of all PHI access — who accessed what record, when, from where. This is both a compliance requirement and an essential security tool.

What to Log

• All PHI read/write/delete operations (with user, timestamp, IP)
• Authentication events (successful and failed logins)
• Administrative actions (user creation, permission changes)
• System events (server restarts, service failures)
• Security events (intrusion attempts, anomalous access patterns)

Log Retention Requirements

HIPAA requires audit logs to be retained for a minimum of 6 years. For cloud deployments:

• Hot storage (immediate access): 90 days
• Warm storage: 1 year
• Cold archive (Glacier/Archive): 6 years
• Log integrity: Use write-once storage or cryptographic signing

Part 5: Backup and Disaster Recovery

A HIPAA-compliant backup strategy must ensure PHI availability, integrity, and protection. Your disaster recovery plan must be documented and tested.

Backup Requirements

• ☑ Automated daily full backups
• ☑ Incremental backups every 1-4 hours for active databases
• ☑ Backups stored in geographically separate location
• ☑ Backup restoration tested monthly
• ☑ Recovery Time Objective (RTO) documented (typically <4 hours)
• ☑ Recovery Point Objective (RPO) documented (typically <1 hour)
• ☑ Backup access restricted (only backup service accounts)

Part 6: Breach Notification Preparedness

Despite best efforts, breaches happen. HIPAA requires covered entities to notify affected individuals within 60 days of breach discovery, and HHS within 60 days if over 500 individuals are affected.

Breach Response Plan Checklist

• ☑ Incident response plan documented and tested annually
• ☑ HIPAA breach assessment criteria defined
• ☑ Legal counsel identified for breach response
• ☑ Breach notification templates prepared
• ☑ HHS breach portal account created
• ☑ Cyber insurance coverage reviewed for HIPAA breach coverage

The Bottom Line

HIPAA compliance for cloud-hosted healthcare applications isn't a one-time checkbox exercise — it's an ongoing program requiring regular assessment, employee training, and vendor management. The technical controls described here form the foundation, but they must be supported by documented policies, trained staff, and annual risk assessments.

For healthcare organizations that prefer a "compliance included" approach, AnueraTech's managed hosting platform is built with every item on this checklist already configured and continuously monitored.