HIPAA cloud compliance is not a feature you can turn on. It is a set of technical, administrative, and physical safeguard requirements that must be built into every layer of your cloud infrastructure. This checklist covers the 12 technical safeguard categories that a HIPAA-compliant cloud deployment must address, with specific AWS and Azure implementation notes.
Before You Start: What HIPAA Actually Requires
The HIPAA Security Rule requires covered entities and business associates to implement "reasonable and appropriate" safeguards for electronic protected health information (ePHI). The rule does not specify exact technical implementations, which gives flexibility but also creates compliance ambiguity. The standard is whether your implementation would withstand a breach investigation, OCR audit, or malpractice inquiry.
AWS, Azure, and Google Cloud all sign Business Associate Agreements and offer HIPAA-eligible services. Using a cloud provider that offers HIPAA-eligible services is necessary but not sufficient. You are responsible for configuring those services correctly.
Checklist Category 1: Access Controls
Unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms are all required under HIPAA's access control standard.
- Every user accessing systems with ePHI has a unique, individual login. No shared credentials.
- Role-based access controls (RBAC) limit access to ePHI to users who need it for their job functions (minimum necessary standard).
- Multi-factor authentication (MFA) is required for all remote access and administrative access to ePHI systems.
- Automatic session timeout is configured on all systems with ePHI access.
- AWS IAM or Azure Active Directory enforces the minimum necessary access principle through role or group policies, not through individual per-user permission grants.
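One way to check the last two items (least privilege through policies, MFA on administrative access) on an AWS IAM policy document, as an added example that is not from the original page or from AWS tooling. The policy, bucket name and account id are constructed sample input; the set of action prefixes treated as administrative is an assumption to extend per environment.

```python
"""Lint an IAM policy document against the access-control items above.
Added example (not from the page): flags wildcard grants and administrative
actions that are not gated on MFA. The policy is constructed sample input."""
import json

# Constructed sample: a scoped read, an MFA-gated admin grant, and an
# over-broad statement that the checker should flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-ephi-bucket/records/*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Action prefixes treated as administrative (assumption; extend per environment).
ADMIN_PREFIXES = ("iam:", "kms:", "organizations:")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(statement):
    """True if the statement carries the standard MFA condition key."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False

def lint_policy(policy_json):
    """Return (statement_index, finding) pairs for Allow statements."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        admin = any(a == "*" or a.startswith(ADMIN_PREFIXES) for a in actions)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action exceeds minimum necessary"))
        if "*" in resources and "Condition" not in st:
            findings.append((i, "unconditioned wildcard resource"))
        if admin and not _requires_mfa(st):
            findings.append((i, "administrative action allowed without MFA"))
    return findings
```

Run it against each managed and inline policy attached to roles that can reach ePHI; only the third statement in the sample produces findings.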
Checklist Category 2: Audit Controls
HIPAA requires activity logs for hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.
- AWS CloudTrail or Azure Monitor Logs enabled on all accounts and services that touch ePHI.
- Logs are stored in a separate, access-controlled account or storage location that system administrators cannot modify or delete.
- Log retention meets your state's medical records retention requirement (minimum 6 years for HIPAA, often longer under state law).
- Application-level audit logging captures who accessed, created, modified, or deleted ePHI records.
- Alerts configured for suspicious access patterns: off-hours access, bulk data exports, access from unusual locations.
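The three alert conditions in the last item, implemented over CloudTrail-style records as an added example (not code from the page or from AWS). The events, ARNs and addresses are constructed; the business-hours window, the corporate network allow-list and the bulk-read threshold are assumptions to tune for your environment.

```python
"""Flag suspicious access patterns in CloudTrail-style events.
Added example, not from the page: off-hours access, bulk reads and access
from outside known networks, evaluated over constructed sample records."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Assumed policy parameters (not from the page); tune per environment.
BUSINESS_HOURS_UTC = range(13, 23)                         # 13:00-22:59 UTC
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # corporate egress
BULK_READ_THRESHOLD = 3                                    # GetObject calls per principal per batch

def _ev(time, user, name, ip):
    return {"eventTime": time, "userIdentity": {"arn": user},
            "eventName": name, "sourceIPAddress": ip}

# Constructed sample events (documentation IP ranges, fictitious account id).
SAMPLE_EVENTS = [
    _ev("2024-03-04T15:02:11Z", "arn:aws:iam::111122223333:user/nurse1", "GetObject", "203.0.113.10"),
    _ev("2024-03-04T15:03:40Z", "arn:aws:iam::111122223333:user/nurse1", "GetObject", "203.0.113.10"),
    _ev("2024-03-04T02:17:05Z", "arn:aws:iam::111122223333:user/admin1", "ListBuckets", "203.0.113.10"),
    _ev("2024-03-04T16:00:01Z", "arn:aws:iam::111122223333:user/analyst", "GetObject", "198.51.100.7"),
    _ev("2024-03-04T16:00:02Z", "arn:aws:iam::111122223333:user/analyst", "GetObject", "198.51.100.7"),
    _ev("2024-03-04T16:00:03Z", "arn:aws:iam::111122223333:user/analyst", "GetObject", "198.51.100.7"),
]

def detect(events):
    """Return a sorted list of (principal_arn, alert_type) pairs for one batch."""
    alerts = set()
    reads = Counter()
    for e in events:
        who = e["userIdentity"]["arn"]
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        if when.hour not in BUSINESS_HOURS_UTC:
            alerts.add((who, "off_hours_access"))
        ip = ipaddress.ip_address(e["sourceIPAddress"])
        if not any(ip in net for net in KNOWN_NETWORKS):
            alerts.add((who, "unusual_location"))
        if e["eventName"] == "GetObject":
            reads[who] += 1
    # Bulk export: many object reads by one principal within the batch
    # (for example, one 10-minute query window of the log store).
    for who, n in reads.items():
        if n >= BULK_READ_THRESHOLD:
            alerts.add((who, "bulk_export"))
    return sorted(alerts)
```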
Checklist Category 3: Integrity Controls
ePHI must be protected from improper alteration or destruction. This includes both accidental corruption and intentional modification.
- Database integrity constraints and checksums are enabled.
- Change tracking is enabled for ePHI records in databases.
- S3 Object Lock or Azure Immutable Blob Storage is configured for audit logs and compliance records to prevent modification.
- Backup data integrity is verified through regular restore testing, not just backup creation.
Checklist Category 4: Transmission Security
Technical security measures must prevent unauthorized access to ePHI during transmission.
- All data in transit is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated and must be disabled.
- API endpoints enforce HTTPS only. HTTP access is redirected or blocked at the load balancer level.
- Internal service-to-service communication within the VPC also uses TLS for services handling ePHI.
- Email containing ePHI is encrypted. Standard SMTP without encryption is not acceptable for ePHI transmission.
- VPN or private connectivity is required for any access to ePHI systems from outside the VPC.
Checklist Category 5: Encryption at Rest
While HIPAA does not explicitly mandate encryption at rest, OCR has consistently treated it as an addressable specification that is reasonable and appropriate in virtually all circumstances.
- All S3 buckets or Azure Blob Storage containers containing ePHI have server-side encryption enabled (AES-256 minimum).
- EBS volumes, RDS instances, and DynamoDB tables containing ePHI have encryption enabled at creation. Enabling encryption on an existing unencrypted volume requires migration.
- Encryption keys are managed through AWS KMS or Azure Key Vault, not stored with the data they protect.
- Key rotation policies are configured and documented.
- Customer-managed keys (CMK) are used for ePHI encryption rather than service-managed keys, to maintain documented key control.
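A check that ties together three of the items above (encryption enabled, customer-managed KMS key rather than a service-managed key, rotation configured) for S3 buckets, as an added example that is not from the page or from AWS. It consumes dictionaries in the shape returned by boto3's get_bucket_encryption and get_key_rotation_status, so the constructed sample below runs offline and real API responses could be substituted; bucket names, account id and key id are fictitious.

```python
"""Evaluate S3 default-encryption settings against the encryption-at-rest items.
Added example, not from the page. Input dictionaries follow the boto3 response
shapes; an empty dict stands in for a bucket with no encryption configuration."""

# Constructed sample: three buckets with different default-encryption settings.
SAMPLE_BUCKETS = {
    "ephi-records": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"}}]}},
    "ephi-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "ephi-legacy": {},   # no default encryption configured at all
}
# Constructed rotation status keyed by key ARN (shape of get_key_rotation_status).
SAMPLE_ROTATION = {
    "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID": {"KeyRotationEnabled": False},
}

def _default_rule(config):
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}

def check_bucket(config, rotation):
    """Return the list of checklist findings for one bucket."""
    rule = _default_rule(config)
    algo = rule.get("SSEAlgorithm")
    if algo is None:
        return ["no default server-side encryption"]
    findings = []
    key_id = rule.get("KMSMasterKeyID", "")
    # AES256 means SSE-S3 (service-managed key); aws:kms with no key id or
    # with the aws/s3 alias means the AWS-managed key, not a customer-managed one.
    if algo == "AES256" or not key_id or "alias/aws/" in key_id:
        findings.append("not using a customer-managed KMS key")
    elif not rotation.get(key_id, {}).get("KeyRotationEnabled", False):
        findings.append("customer-managed key has automatic rotation disabled")
    return findings

def audit(buckets, rotation):
    """Map each bucket name to its findings; an empty list means it passes."""
    return {name: check_bucket(cfg, rotation) for name, cfg in buckets.items()}
```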
Checklist Category 6: Network Isolation
Production systems containing ePHI should be isolated from development environments and from unnecessary network access.
- ePHI production systems are in a dedicated VPC or VNet with documented network topology.
- Production and development environments are in separate accounts (AWS) or subscriptions (Azure), not just separate environments within the same account.
- Security groups and network ACLs restrict inbound access to ePHI systems to only the ports and sources that are required.
- Outbound internet access from ePHI systems is controlled through a NAT gateway or proxy, not a direct internet gateway.
- VPC Flow Logs or Azure Network Watcher are enabled to capture network traffic metadata for the VPCs containing ePHI systems.
Checklist Category 7: Vulnerability Management
- Operating system and application patch management is automated where possible. Critical security patches are applied within a defined SLA (typically 30 days for critical, 90 days for high severity).
- AWS Inspector or Azure Defender for Cloud is enabled for vulnerability scanning of EC2 instances and container images.
- Container images are scanned before deployment. Containers running with known critical vulnerabilities are not deployed to production.
- Penetration testing is conducted annually or after significant infrastructure changes.
Checklist Category 8: Backup and Disaster Recovery
- Automated daily backups of all databases and storage containing ePHI are configured and verified.
- Backup retention meets the minimum 6-year HIPAA requirement, though state law may require longer.
- Backups are stored in a separate AWS account or Azure subscription from production to prevent accidental deletion.
- Cross-region backup replication is configured for systems with recovery time objectives (RTO) under 24 hours.
- Restore procedures are documented and tested at least annually with results documented.
- Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are documented and communicated to stakeholders.
Checklist Category 9: Business Associate Management
- A current, executed BAA exists with your cloud provider (AWS, Azure, or GCP).
- BAAs exist with every third-party vendor, SaaS tool, or contractor that accesses ePHI in your environment.
- A vendor inventory is maintained listing all systems and vendors that have access to ePHI.
- BAA renewal dates are tracked and renewals are initiated before expiration.
Checklist Category 10: Security Incident Response
- A documented incident response plan exists that covers ePHI breach scenarios.
- Incident response procedures include breach notification timelines per HIPAA (60 days from discovery).
- Contacts for your HIPAA privacy officer, legal counsel, and cyber insurance provider are documented in the incident response plan.
- AWS CloudTrail or Azure Monitor alerts are configured to notify the incident response team of potential security events.
- Tabletop exercises are conducted annually to test incident response procedures.
Checklist Category 11: Device and Workstation Security
- Encryption is enabled on all workstations and laptops that access or store ePHI (BitLocker for Windows, FileVault for Mac).
- Mobile Device Management (MDM) is deployed for all devices with access to ePHI, enabling remote wipe capability.
- Screen lock policies are enforced for all devices with ePHI access.
- Lost or stolen device procedures are documented and tested.
Checklist Category 12: Documentation
HIPAA requires that your security policies, procedures, and safeguards be documented. Documentation is what auditors review and what demonstrates compliance in a breach investigation.
- A written security risk analysis is conducted and documented at least annually.
- Security policies cover all 18 categories of the HIPAA Security Rule.
- All implemented safeguards are documented with the date of implementation.
- Decisions not to implement an addressable safeguard are documented with the reasoning.
- Documentation is retained for 6 years from the date of creation or last effective date.
For help implementing a HIPAA-compliant cloud infrastructure for your healthcare organization, review our healthcare IT infrastructure service or schedule a compliance assessment.