
HIPAA in the cloud: where the compliance gap actually sits


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9136
Topic starter  

TL;DR: HIPAA compliance in the cloud depends on protecting ePHI under the Security Rule while the provider secures infrastructure and the customer secures configuration, access, encryption, and monitoring, according to Orca Security. The liability split is the trap: BAA coverage does not remove the need for continuous control, evidence, and drift management across multi-cloud estates.

NHIMG editorial — based on content published by Orca Security: HIPAA compliance in the cloud

Questions worth separating out

Q: How should security teams govern ePHI in cloud environments?

A: They should treat ePHI as a continuously governed data class, not a static asset.

Q: Why do BAAs not make a cloud environment HIPAA compliant by themselves?

A: Because a BAA only defines the provider’s obligations for the platform it runs.

Q: What breaks when cloud teams cannot find all copies of ePHI?

A: Every control becomes partial.

Practitioner guidance

  • Map ePHI to every cloud service that touches it: build a live inventory of storage, databases, backups, analytics jobs, and logs that can contain ePHI.
  • Tighten identity scope around PHI-bearing workloads: eliminate shared access, remove wildcard permissions, and review roles and service accounts that can reach PHI data stores.
  • Standardise encryption with customer-controlled keys: enable encryption at rest and in transit for every PHI-bearing service, then separate key administration from data access.

What's in the full article

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

  • Platform-by-platform HIPAA eligibility guidance for AWS, Azure, and Google Cloud services that can store or process ePHI
  • Step-by-step cloud compliance checklist covering BAAs, encryption, logging, access controls, and continuous monitoring
  • Detailed mapping of HIPAA Security Rule requirements to concrete cloud settings and configuration examples
  • Operational guidance on maintaining audit-ready evidence across multi-cloud environments

👉 Read Orca Security's guide to HIPAA compliance in the cloud →


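As an added example, not code from the Orca Security article or from the NHIMG post above: a small Python audit that applies the three practitioner guidance points (inventory of PHI-bearing resources, wildcard permissions and PHI reach per role, separation of key administration from data access) to IAM-style policy documents. The policy JSON shape, the ePHI resource inventory, the role names, the account id and the key id are all constructed placeholders; the action names are standard AWS IAM actions but the set chosen as "key administration" is this example's own assumption.

```python
"""Audit IAM-style policies for wildcard grants, ePHI reach and key/data separation.

Added example with constructed data; not part of the original post.
"""
from fnmatch import fnmatch

# Constructed inventory of resources known to hold ePHI (placeholder names).
PHI_RESOURCES = {
    "arn:aws:s3:::clinical-records-prod",
    "arn:aws:s3:::clinical-records-prod/*",
    "arn:aws:rds:us-east-1:111122223333:db:ehr-primary",
}

# Assumption of this example: these actions administer keys rather than use them.
KEY_ADMIN_ACTIONS = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CreateGrant", "kms:DisableKey"}
# Services whose actions count as data-plane access to the PHI stores above.
DATA_SERVICES = {"s3", "rds", "dynamodb"}


def _as_list(v):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to list."""
    return v if isinstance(v, list) else [v]


def allowed_pairs(policy):
    """Yield every (action, resource) pair granted by an Allow statement."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for resource in _as_list(st.get("Resource", [])):
                yield action, resource


def is_data_action(action):
    return action == "*" or action.split(":")[0] in DATA_SERVICES


def wildcard_findings(policy):
    """Flag '*' / 'service:*' actions and '*' resources (guidance point 2)."""
    findings = []
    for action, resource in allowed_pairs(policy):
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action!r} on {resource!r}")
        if resource == "*":
            findings.append(f"wildcard resource for action {action!r}")
    return findings


def reaches_phi(policy):
    """PHI resources the policy can touch; IAM-style * and ? wildcards are expanded
    with fnmatch (ARNs contain no '[' so the glob semantics line up) (point 1)."""
    reached = set()
    for action, pattern in allowed_pairs(policy):
        if not is_data_action(action):
            continue
        reached.update(phi for phi in PHI_RESOURCES if fnmatch(phi, pattern))
    return reached


def key_separation_violation(policy):
    """True when one principal can both administer keys and reach PHI data (point 3)."""
    actions = {a for a, _ in allowed_pairs(policy)}
    is_key_admin = bool(actions & KEY_ADMIN_ACTIONS) or bool(actions & {"*", "kms:*"})
    return is_key_admin and bool(reaches_phi(policy))


# Constructed sample policies covering the compliant and non-compliant cases.
POLICIES = {
    "ehr-api-role": {  # scoped data-plane role: decrypts, but cannot administer keys
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::clinical-records-prod/*"},
            {"Effect": "Allow", "Action": "kms:Decrypt",
             "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        ]
    },
    "legacy-batch-role": {  # wildcard resource: silently reaches every PHI store
        "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    },
    "kms-admin-role": {  # key administration only: separation preserved
        "Statement": {"Effect": "Allow",
                      "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"],
                      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
    },
    "platform-admin-role": {  # key admin and data access in one identity: violation
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}
    },
}


def audit(policies=POLICIES):
    """Per-role findings: the evidence a reviewer would attach to the PHI inventory."""
    return {
        name: {
            "wildcards": wildcard_findings(pol),
            "phi_reach": sorted(reaches_phi(pol)),
            "key_separation_violated": key_separation_violation(pol),
        }
        for name, pol in policies.items()
    }


if __name__ == "__main__":
    for role, result in audit().items():
        print(role, result)
```

Running it shows the point the post makes about drift: `legacy-batch-role` has no PHI in its text at all, yet its `Resource: "*"` puts every inventoried store within reach, and `platform-admin-role` is the one identity that can both rotate or delete keys and read the data they protect. Deny statements and condition keys are deliberately not modelled here; a real review would need them.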
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8575
 

HIPAA cloud compliance is fundamentally a visibility and accountability problem, not a checkbox problem. The cloud provider can cover infrastructure, but it cannot prove your customer-side IAM, encryption, and logging decisions are fit for ePHI. That is why the compliance burden remains on the organisation that defines access and data placement. Practitioners should treat every cloud service that can touch ePHI as a governed control surface, not a purchased assurance.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The same study found that 46% of organisations confirmed a non-human identity breach, while 26% only suspected one.

A question worth separating out:

Q: Who is accountable when ePHI is exposed in a cloud breach?

A: The provider may be accountable for its platform obligations under the BAA, but the organisation remains accountable for its own configuration, access model, and monitoring. HIPAA responsibility does not transfer to the cloud vendor. If the exposure came from mis-scoped permissions, public storage, or missing controls, the customer owns that failure.

👉 Read our full editorial: HIPAA compliance in the cloud is a shared responsibility problem


