Compliance

HIPAA in the Cloud: What AWS, Azure, and GCP Actually Cover

Feb 04, 2026 6 min read

Signing a BAA with a cloud provider does not make your environment HIPAA-compliant. Here is what that signature actually covers.

The BAA Scope Is Narrower Than Most People Think

AWS, Azure, and GCP will all sign Business Associate Agreements (BAAs) covering their HIPAA-eligible services. But the BAA only covers what the cloud provider controls: the physical data centre, the hypervisor, and the infrastructure behind each managed service. It does not cover how your application encrypts data, how your developers access production, how you log and monitor access to PHI, or how you respond to a breach. The shared responsibility model applies as strictly to HIPAA as it does to every other aspect of security: everything above the line the provider draws is yours to implement and to evidence.

HIPAA-Eligible Services vs Everything Else

Not every service on a cloud platform is covered by the BAA. AWS publishes a specific list of HIPAA-eligible services (S3, EC2, RDS, Lambda, and many others are on it, but some newer or preview services are not), and Azure and GCP publish equivalent lists of in-scope services for their own agreements. Storing PHI in a service the BAA does not cover puts that PHI outside any business associate agreement, which is a HIPAA violation for you regardless of how the rest of the architecture is covered. Audit your architecture against the provider's current list before assuming coverage, and repeat the check whenever a new service is adopted: these lists change as services are added, and a team can drift out of scope simply by wiring a new managed service into a PHI data path.

The Technical Controls You Must Implement

Encryption at rest and in transit is the minimum. But HIPAA's Technical Safeguards (45 CFR 164.312) require more: automatic logoff for application sessions accessing PHI, audit controls that record who accessed which data and when (not just authentication events), and integrity controls that detect unauthorised alteration of PHI. Audit controls are a required standard; automatic logoff and the integrity mechanism are addressable, which means you implement them or document why an equivalent alternative is reasonable, not that you may skip them. Note that the default audit logging on each platform does not capture PHI reads: CloudTrail records management API calls unless you enable data events for the S3 buckets that hold PHI, and Azure Monitor only sees storage and database access once diagnostic settings are configured for those resources. Capturing those data-access events and storing the logs in a tamper-resistant, access-controlled location is how the audit-controls standard is satisfied in practice; without that, you cannot answer the basic question of who read a given patient's record.

The Breach Notification Gap

Cloud providers will notify you of incidents affecting their infrastructure. They will not detect, investigate, or notify you of breaches within your own application: an attacker who reads PHI from your EC2 instance or S3 bucket using stolen credentials is your incident to detect and report, not AWS's. A HIPAA-covered entity must be able to detect breaches within its own environment. This requires SIEM capability, anomaly detection on PHI access patterns (unexpected principals, off-hours access, bulk reads), and a tested incident response plan that accounts for the Breach Notification Rule's clock: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, and the clock starts at discovery, not at the end of your investigation.

Ready to Put This Into Practice?

Talk to VSERV about HIPAA technical controls, cloud architecture review, and breach notification readiness for your healthcare technology environment.