HIPAA Compliant Cloud Hosting: The Complete Guide for 2026

Everything you need to know about hosting healthcare applications in the cloud while maintaining HIPAA compliance — BAAs, encryption, audit trails, and choosing the right provider.

RaidFrame Team

November 15, 2025 · 5 min read

If you're building software that touches protected health information (PHI), HIPAA compliance isn't optional. It's federal law. Civil penalties start at $100 per violation and cap at $1.5 million per calendar year for all violations of the same provision (the statutory figures; HHS adjusts them upward for inflation each year).

This guide covers what HIPAA compliance actually requires from your cloud hosting provider, and how to avoid the mistakes that get healthcare startups fined.

What HIPAA requires from your hosting

HIPAA doesn't certify cloud providers. There's no "HIPAA certified" badge. Instead, the law requires covered entities and business associates to implement specific safeguards.

Your hosting provider is a business associate if it stores or processes PHI on your behalf. It must:

  1. Sign a Business Associate Agreement (BAA) — a legally binding contract specifying its obligations
  2. Encrypt PHI at rest and in transit — HIPAA names no algorithm (encryption is an "addressable" safeguard under the Security Rule), but AES-256 for storage and TLS 1.2+ for transport is the NIST-aligned baseline auditors expect
  3. Implement access controls — role-based access, unique user IDs, automatic session timeout
  4. Maintain audit trails — log every access to PHI, retain for 6 years
  5. Have breach notification procedures — notify you without unreasonable delay, and no later than 60 days after discovering a breach

The BAA is non-negotiable

A Business Associate Agreement is the legal foundation of HIPAA-compliant hosting. Without one, you're in violation before you write a single line of code.

Your BAA should cover:

  • What PHI the provider will access
  • How they'll protect it
  • What happens in a breach
  • Termination and data return/destruction procedures
  • Subcontractor obligations

Not all cloud providers will sign BAAs. Most budget hosting providers won't. Even major providers attach conditions: AWS accepts its BAA through AWS Artifact but only covers PHI placed in its published list of HIPAA-eligible services, and GCP has its own acceptance process and its own list of covered products. Anything outside those lists is on you, BAA or not.

On RaidFrame, the BAA is included on Enterprise plans. No extra paperwork, no special configurations.

Encryption requirements

At rest

All PHI stored on disk must be encrypted. This includes:

  • Database contents
  • File storage (documents, images, PDFs)
  • Backups
  • Log files that may contain PHI

Use AES-256 encryption. Most managed databases handle this automatically, but verify it's enabled, and verify that snapshots, replicas and exported backups inherit it: an encrypted primary with unencrypted backups is the most common gap.

In transit

All data moving between systems must be encrypted:

  • Client to server: TLS 1.2 or higher
  • Service to service: mTLS or TLS
  • Database connections: TLS required with the server certificate verified (for PostgreSQL that means sslmode=verify-full, not the default "prefer", and not "require", which encrypts but doesn't check the certificate)
# Verify your TLS configuration
curl -v https://your-app.com 2>&1 | grep "SSL connection"
# Should show TLSv1.2 or TLSv1.3
# This request must fail ("no protocols available" means your own client refused, not the server; use testssl.sh to be sure)
curl -sS --tls-max 1.1 https://your-app.com
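A startup guard for the database bullet above, added here as an example and not part of the original page or RaidFrame's own tooling. It assumes a libpq-style PostgreSQL URL; the connection strings, host names and CA path are constructed. The point it makes that the bullet alone doesn't: libpq's default `prefer` silently falls back to plaintext, and even `require` does not verify the server certificate, so a network attacker can terminate the TLS session themselves. Only `verify-ca` and `verify-full` authenticate the server, and only `verify-full` also checks the hostname.

```python
"""Added example, not RaidFrame code: fail closed on a weak database TLS setting.

Checks a libpq-style PostgreSQL URL before the app connects. The URLs in
demo() are constructed; the function never echoes the password in its reason.
"""
from urllib.parse import urlsplit, parse_qs

# Modes that leave the connection unencrypted or unauthenticated
UNSAFE_MODES = {"disable", "allow", "prefer", "require"}


def check_db_url(url):
    """Return (ok, reason). Call at startup and refuse to boot when ok is False."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgresql", "postgres"):
        return False, f"unsupported scheme {parts.scheme!r}; this check assumes libpq URLs"
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    mode = params.get("sslmode", "prefer")            # libpq default when unset
    if mode in UNSAFE_MODES:
        return False, f"sslmode={mode} does not authenticate the server; use verify-full"
    if mode == "verify-ca":
        return False, "verify-ca skips the hostname check; use verify-full"
    if mode != "verify-full":
        return False, f"unknown sslmode={mode!r}"
    if "sslrootcert" not in params:
        # Policy choice for this example: the trust anchor must be explicit
        # rather than relying on ~/.postgresql/root.crt happening to exist.
        return False, "verify-full without sslrootcert; point it at your CA bundle"
    return True, "TLS enforced with server certificate and hostname verification"


def demo():
    """Constructed connection strings, from the common mistake to the correct form."""
    base = "postgresql://app:s3cret@db.internal:5432/ehr"
    urls = {
        "no_param": base,
        "require": base + "?sslmode=require",
        "verify_ca": base + "?sslmode=verify-ca&sslrootcert=/etc/ssl/ca.pem",
        "verify_full": base + "?sslmode=verify-full&sslrootcert=/etc/ssl/ca.pem",
    }
    return {name: check_db_url(u) for name, u in urls.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Run it at process start (or in CI against the deployed config) and let a `False` abort the boot; a database that can be reached in plaintext is not "SSL required".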

Key management

Encryption keys must be managed securely:

  • Rotate keys annually at minimum
  • Use a dedicated KMS (not keys stored in environment variables)
  • Separate key management from data storage

Access controls

HIPAA requires the minimum necessary standard — users should only access the PHI they need for their job function.

Implement:

  • Role-based access control (RBAC) — define roles like clinician, billing, admin
  • Unique user IDs — no shared accounts, ever
  • Automatic session timeout — HIPAA sets no number; 15 minutes of inactivity is the usual benchmark for clinical applications
  • Multi-factor authentication — required for any system accessing PHI
  • Emergency access procedures — documented process for break-glass scenarios
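The five controls above, wired together as one authorization check. This is an added example, not code from the original page or from RaidFrame: the role names, the 15-minute idle limit, the MFA flag and the sample users are all assumptions. It is deny-by-default, ties "minimum necessary" to the caller's own caseload rather than to the role alone, and implements break-glass as an allowed-but-flagged decision that requires a written justification.

```python
"""Added example, not RaidFrame code: minimum-necessary access checks.

Deny-by-default RBAC over per-person identities, an idle-session timeout,
an MFA requirement, and a break-glass path that is allowed only with a
recorded justification and flagged for the audit log. The role names,
the 15-minute timeout and the sample users are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed policy value; HIPAA sets no number

# role -> allowed (action, resource_type) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "clinician": {("read", "chart"), ("write", "chart"), ("read", "labs")},
    "billing": {("read", "invoice"), ("write", "invoice"), ("read", "demographics")},
    "admin": {("read", "user"), ("write", "user")},  # manages accounts, never charts
}


@dataclass(frozen=True)
class Session:
    user_id: str                  # one person, one ID; no shared accounts
    roles: frozenset
    assigned_patients: frozenset  # minimum necessary: this user's own caseload
    last_activity: datetime
    mfa_verified: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False


def authorize(session, action, resource_type, patient_id, now, emergency_reason=None):
    """Decide one access. Every Decision, allowed or not, belongs in the audit log."""
    if not session.mfa_verified:
        return Decision(False, "MFA required before any PHI access")
    if now - session.last_activity > IDLE_TIMEOUT:
        return Decision(False, "session expired after inactivity")
    permitted = any((action, resource_type) in ROLE_PERMISSIONS.get(r, set())
                    for r in session.roles)
    if not permitted:
        return Decision(False, f"roles {sorted(session.roles)} may not {action} {resource_type}")
    if patient_id in session.assigned_patients:
        return Decision(True, "patient in caseload")
    # Break-glass: the role permits the action but the patient is outside the
    # caseload. Allow only with a justification, and flag it so the audit
    # pipeline can alert and a privacy officer can review it afterwards.
    if emergency_reason and emergency_reason.strip():
        return Decision(True, "break-glass: " + emergency_reason.strip(), break_glass=True)
    return Decision(False, "patient not in caseload; an emergency reason is needed to break glass")


def demo():
    """Constructed sessions exercising each rule; returns the decisions by name."""
    now = datetime(2025, 11, 15, 9, 0, tzinfo=timezone.utc)
    active = Session("u-lee", frozenset({"clinician"}), frozenset({"p-100"}),
                     now - timedelta(minutes=5), mfa_verified=True)
    idle = Session("u-lee", frozenset({"clinician"}), frozenset({"p-100"}),
                   now - timedelta(minutes=16), mfa_verified=True)
    no_mfa = Session("u-kim", frozenset({"billing"}), frozenset({"p-100"}),
                     now, mfa_verified=False)
    return {
        "own_patient": authorize(active, "read", "chart", "p-100", now),
        "other_patient": authorize(active, "read", "chart", "p-200", now),
        "break_glass": authorize(active, "read", "chart", "p-200", now,
                                 emergency_reason="ER intake, patient unresponsive"),
        "wrong_role": authorize(active, "read", "invoice", "p-100", now),
        "idle_session": authorize(idle, "read", "chart", "p-100", now),
        "no_mfa": authorize(no_mfa, "read", "invoice", "p-100", now),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:14s} allowed={d.allowed!s:5s} break_glass={d.break_glass!s:5s} {d.reason}")
```

The caseload check is what turns RBAC into "minimum necessary": a clinician role alone would otherwise grant every chart in the system. Break-glass is deliberately not a separate privilege; it is the same permitted action on an out-of-scope patient, and the flag on the returned decision is what the monitoring side keys on.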

Audit trails

Every access to PHI must be logged. Every modification must be logged. This isn't optional.

Your audit logs must capture:

  • Who accessed the data (user ID)
  • What data was accessed
  • When the access occurred (timestamp)
  • Where the access came from (IP, device)
  • Why (if applicable — linked to a workflow or request)

Retain audit logs for 6 years. Store them separately from application data. Make them tamper-evident (append-only, cryptographically signed).
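An append-only, hash-chained audit log implementing the who/what/when/where/why record and the tamper-evidence requirement above. This is an added example and not RaidFrame's logging implementation; the signing key, hostnames, user IDs and events are constructed. Each record carries the MAC of the previous record and its own HMAC-SHA256, so editing, reordering or deleting an earlier record breaks the chain and `verify()` reports the first bad position.

```python
"""Added example, not RaidFrame code: a tamper-evident, append-only audit log.

Every record carries who / what / when / where / why plus the MAC of the
previous record and its own HMAC-SHA256. The signing key and sample events
in demo() are constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'previous MAC' for the first record


def _canonical(record):
    # Stable serialization so the same record always produces the same MAC
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, signing_key: bytes):
        # Production: key held in a KMS/HSM, separate from the store holding the log
        self._key = signing_key
        self.records = []

    def append(self, user_id, action, resource, source_ip, purpose=None, when=None):
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.records),
            "who": user_id,                 # unique user ID, never a shared account
            "what": f"{action}:{resource}",
            "when": when.isoformat(),
            "where": source_ip,
            "why": purpose,                 # workflow or request this access served
            "prev": self.records[-1]["mac"] if self.records else GENESIS,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        record = dict(body, mac=mac)
        self.records.append(record)
        return record

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad record)."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "mac"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if (record.get("seq") != i or body.get("prev") != prev
                    or not hmac.compare_digest(expected, record["mac"])):
                return False, i
            prev = record["mac"]
        return True, None


def demo():
    """Build a short log, then show that edits and deletions are detected."""
    key = b"example-only-signing-key-from-kms"   # constructed; never hard-code a real key
    t0 = datetime(2025, 11, 15, 9, 0, tzinfo=timezone.utc)
    log = AuditLog(key)
    log.append("u-lee", "read", "chart/p-100", "10.0.4.7", "visit 8812", t0)
    log.append("u-lee", "write", "chart/p-100", "10.0.4.7", "visit 8812", t0)
    log.append("u-kim", "read", "invoice/p-100", "10.0.9.2", "claim 551", t0)
    intact = log.verify()

    edited = AuditLog(key)
    edited.records = [dict(r) for r in log.records]
    edited.records[1]["who"] = "u-someone-else"     # rewrite history
    edit_result = edited.verify()

    deleted = AuditLog(key)
    deleted.records = [dict(r) for r in log.records]
    del deleted.records[1]                          # remove a middle record
    delete_result = deleted.verify()
    return {"intact": intact, "edited": edit_result, "deleted": delete_result}


if __name__ == "__main__":
    print(demo())
```

One caveat the chain alone does not cover: silently dropping the newest records is undetectable unless the current head MAC is anchored somewhere the log writer cannot reach (published to a separate store on a schedule, or the log written to WORM/object-lock storage). Keeping the signing key in a KMS rather than next to the log is what stops an attacker with database access from simply re-signing a forged chain.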

Infrastructure architecture

A HIPAA-compliant architecture separates concerns:

[Internet] → [WAF/CDN] → [Load Balancer] → [App Servers]
                                                │
                                     ┌──────────┴──────────┐
                                     ▼                     ▼
                           [Encrypted Database]   [Encrypted Backups]

[Audit Logs]  → [Separate encrypted storage, 6yr retention]
[Access Logs] → [SIEM for real-time monitoring]

Key requirements:

  • Network segmentation — PHI systems isolated from non-PHI systems
  • No PHI in logs — application logs must be scrubbed of PHI
  • Backup encryption — backups encrypted with separate keys
  • Geographic restrictions — PHI must stay within agreed-upon jurisdictions


Common HIPAA violations in cloud hosting

1. No BAA signed. The most common violation. You moved to a new hosting provider and forgot the BAA. Immediate violation.

2. Unencrypted database backups. Your database is encrypted, but automated backups are stored unencrypted in S3. Classic oversight.

3. PHI in application logs. Your error logging captures request bodies that contain patient names and SSNs. Now your log aggregator is a HIPAA liability.

4. Shared database credentials. Three developers share the same database password. No individual accountability, no audit trail.

5. No breach response plan. You discover a potential breach but don't have a documented response procedure. The clock is ticking: no later than 60 days after discovery to notify affected individuals.

Choosing a HIPAA-compliant hosting provider

Questions to ask:

  • Do you sign BAAs? At what tier?
  • Is encryption at rest enabled by default?
  • Do you provide audit logging?
  • What's your breach notification timeline?
  • Can you provide SOC 2 Type II reports?
  • Do you support network segmentation?
  • Where is data physically stored?

HIPAA compliance on RaidFrame

RaidFrame Enterprise includes:

  • BAA included — signed as part of onboarding
  • AES-256 encryption at rest — all databases and storage
  • TLS 1.3 in transit — enforced, not optional
  • Audit logging — every data access logged, 6-year retention
  • SOC 2 Type II — audited annually
  • Network isolation — dedicated VPC per customer
  • US-only data residency — configurable per region

Healthcare applications require infrastructure built for compliance from day one. Retrofitting compliance is 10x more expensive than building it in.
