SaaS & Cloud in Healthcare

Healthcare organizations increasingly rely on cloud services and SaaS applications. As a technology provider handling Protected Health Information (PHI), you become a Business Associate under HIPAA—and compliance is your responsibility.

Key Point

There's no "HIPAA certification" for cloud services. You demonstrate compliance through implementing required safeguards, signing Business Associate Agreements (BAAs), conducting risk assessments, and potentially obtaining third-party attestations like SOC 2 or HITRUST.

You're a Business Associate

If your SaaS or cloud service handles PHI for a healthcare organization, you're a Business Associate. This includes:

  • EHR/EMR Systems: Electronic health record platforms
  • Practice Management: Scheduling, billing, patient portals
  • Telehealth Platforms: Video consultation services
  • Data Analytics: Population health, clinical analytics
  • Cloud Infrastructure: IaaS/PaaS hosting healthcare workloads
  • Communication Tools: Secure messaging, email with PHI
  • Backup/Storage: Cloud backup services storing ePHI

What This Means

As a Business Associate, you must:

  • Comply with applicable Security Rule requirements
  • Sign BAAs with covered entities
  • Sign BAAs with your subcontractors (e.g., cloud providers)
  • Report breaches to covered entities
  • Implement safeguards to protect ePHI

The Shared Responsibility Model

In cloud and SaaS deployments, HIPAA compliance is shared between parties. Understanding this division is critical.

IaaS Shared Responsibility (e.g., AWS EC2, Azure VMs)

Control Area Cloud Provider You (Customer)
Physical data center security
Hypervisor/infrastructure
Network infrastructure
Operating system configuration
Application security
Data encryption
Access management
Logging/monitoring Partial (infrastructure) Partial (application)

PaaS Shared Responsibility (e.g., AWS RDS, Azure SQL)

Cloud provider takes on more responsibility (OS patching, runtime), but you still own:

  • Application logic and security
  • Data classification and encryption choices
  • Access control configuration
  • Backup policies and retention

SaaS Shared Responsibility (You're the SaaS Provider)

You own most controls within your application, but your cloud provider handles infrastructure. Your customers rely on you for:

  • Application-level security controls
  • Data encryption implementation
  • Access management for their users
  • Audit logging and reporting
  • Breach notification

Cloud Provider Considerations

Major Cloud Providers and HIPAA

Provider BAA Available HIPAA-Eligible Services Key Resources
AWS Yes (via AWS Artifact) Most services (see list) AWS HIPAA Whitepaper
Microsoft Azure Yes (Online Services Terms) Most Azure services Azure HIPAA/HITRUST Blueprint
Google Cloud Yes (Data Processing Amendment) Core GCP services GCP HIPAA Implementation Guide

Before Using a Cloud Service

  • Confirm HIPAA eligibility: Not all services are covered under BAA
  • Execute BAA: Sign the BAA before processing any PHI
  • Configure properly: Cloud providers offer HIPAA-eligible services, but you must configure them correctly
  • Review compliance docs: Understand what the provider covers vs. your responsibilities

Critical Controls for SaaS/Cloud

Access Controls

  • Unique user IDs for all users
  • Strong authentication (MFA strongly recommended)
  • Role-based access control
  • Automatic session timeout
  • Emergency access procedures

Encryption

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256)
  • Key management procedures
  • Database encryption (TDE or column-level)
  • Backup encryption

Audit Controls

  • Log all PHI access
  • Log authentication events
  • Log administrative actions
  • Retain logs for 6+ years (recommended)
  • Protect logs from tampering
  • Regular log review or automated monitoring

Data Integrity

  • Input validation
  • Error handling that doesn't expose PHI
  • Data backup procedures
  • Data recovery testing

Transmission Security

  • HTTPS-only (redirect HTTP to HTTPS)
  • Strong cipher suites
  • Certificate management
  • API security (authentication, rate limiting)

HIPAA-Ready Architecture Patterns

Network Segmentation

Isolate PHI processing from other workloads:

  • Use VPCs/VNets dedicated to healthcare workloads
  • Implement network security groups
  • Use private subnets for databases
  • Deploy WAF for public-facing applications

Multi-Tenant Considerations

If your SaaS serves multiple healthcare clients:

  • Data isolation: Logical (schema/tenant ID) or physical (separate databases)
  • Access controls: Ensure tenant A cannot access tenant B's data
  • Audit logging: Log which tenant data is accessed
  • Encryption keys: Consider per-tenant keys for sensitive workloads

DevOps/CI-CD Security

  • No PHI in development/test environments (use de-identified data)
  • Secure the deployment pipeline
  • Infrastructure as Code for consistent, auditable deployments
  • Vulnerability scanning in CI/CD

BAA Requirements

Business Associate Agreements are required between:

  • You (SaaS provider) and your healthcare customers
  • You and your subcontractors (cloud providers, third-party services)

What Your BAA Must Include

  • Permitted and required uses of PHI
  • Agreement not to use/disclose PHI other than as permitted
  • Requirement to implement appropriate safeguards
  • Requirement to report breaches
  • Requirement that subcontractors agree to same restrictions
  • Right for covered entity to terminate if BAA is violated
  • Return or destruction of PHI at termination

Your cloud provider's BAA protects them - it doesn't automatically make you compliant. You must implement controls within your application and sign BAAs with your healthcare customers.

HIPAA SaaS Cloud