{"id":23076,"date":"2026-05-28T12:27:43","date_gmt":"2026-05-28T12:27:43","guid":{"rendered":"https:\/\/engineerbabu.com\/blog\/?p=23076"},"modified":"2026-05-29T04:48:35","modified_gmt":"2026-05-29T04:48:35","slug":"hipaa-compliant-cloud-storage-healthcare-apps","status":"publish","type":"post","link":"https:\/\/engineerbabu.com\/blog\/hipaa-compliant-cloud-storage-healthcare-apps\/","title":{"rendered":"HIPAA Compliant Cloud Storage for Healthcare Apps in the USA: The Definitive 2026 Guide"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">This is the question every <\/span><a href=\"https:\/\/engineerbabu.com\/blog\/how-to-build-a-healthcare-app-in-the-usa\/\"><span style=\"font-weight: 400;\">healthcare app<\/span><\/a><span style=\"font-weight: 400;\"> developer Googles, often at 11pm before a demo with a hospital client:<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">&#8220;Is AWS S3 HIPAA compliant?&#8221;<\/span><\/i><\/p>\n<p><b>The honest answer is:<\/b><span style=\"font-weight: 400;\"> AWS S3 can be HIPAA compliant. Whether your specific S3 bucket is HIPAA compliant depends entirely on how you configured it. 
An AWS HIPAA BAA does not make your storage compliant; it establishes a legal framework that your configuration must then fulfill.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This guide covers every major cloud storage option, what HIPAA actually requires of cloud storage, and the specific configuration that makes the difference between compliant and non-compliant.<\/span><\/p>\n<h2><b>What Makes Cloud Storage HIPAA Compliant?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">HIPAA compliant cloud storage has four non-negotiable properties: (1) a signed Business Associate Agreement between the healthcare organization and the cloud provider; (2) encryption of all PHI at rest (minimum AES-256) and in transit (TLS 1.3); (3) access controls ensuring only authorized users and processes can access PHI-containing storage; and (4) audit logging of all access to PHI, retained for a minimum of six years.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The cloud provider&#8217;s infrastructure being &#8220;HIPAA-eligible&#8221; is a prerequisite, not a guarantee; the configuration of that infrastructure is the responsibility of the healthcare organization or developer.<\/span><\/p>\n<h2><b>The Four HIPAA Requirements for Cloud Storage<\/b><\/h2>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Business Associate Agreement (BAA)<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The cloud storage provider must sign a <\/span><a href=\"https:\/\/engineerbabu.com\/blog\/what-is-hipaa-baa-healthcare-apps-usa\/\"><span style=\"font-weight: 400;\">HIPAA BAA<\/span><\/a><span style=\"font-weight: 400;\"> before any PHI is stored. The BAA establishes legal accountability. Without it, storing PHI is a HIPAA violation regardless of how well the storage is configured.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Encryption at Rest<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">All PHI stored in the cloud must be encrypted. 
The minimum standard is AES-256 (Advanced Encryption Standard with 256-bit keys). This applies to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">S3 object content<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Database file storage<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Backup files<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Log files if they contain PHI<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Cached data if it contains PHI<\/span><\/li>\n<\/ul>\n<p><b>Who holds the encryption keys matters for the BAA:<\/b><span style=\"font-weight: 400;\"> if the cloud provider manages encryption keys (server-side encryption with AWS-managed keys, SSE-S3), the provider is fully a business associate. If you manage your own keys (SSE-C, or AWS KMS with customer-managed keys), the provider has less contact with readable PHI. Either approach is HIPAA compliant; the key management approach affects the BAA scope discussion.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Encryption in Transit<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">All data movement to and from cloud storage must be encrypted. TLS 1.2 minimum; TLS 1.3 strongly recommended. For S3: enforce the <\/span><span style=\"font-weight: 400;\">aws:SecureTransport<\/span><span style=\"font-weight: 400;\"> condition in bucket policies; buckets that allow plain HTTP requests are non-compliant.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Access Controls<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>Least-privilege access: <\/b><span style=\"font-weight: 400;\">only the specific services, users, and processes that need PHI access should have it. 
<\/span><b>For S3:<\/b><span style=\"font-weight: 400;\"> bucket policies and IAM policies defining precisely who can read, write, and delete objects. Public access must be blocked: S3 buckets containing PHI must never be publicly accessible.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-23094\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/01_four_requirements.png\" alt=\"\" width=\"1920\" height=\"1080\" title=\"\"><\/p>\n<h2><b>The Major Cloud Storage Options: HIPAA Status in 2026<\/b><\/h2>\n<ul>\n<li aria-level=\"1\">\n<h3><b>AWS S3 (Amazon Web Services)<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>HIPAA Status:<\/b><span style=\"font-weight: 400;\"> HIPAA-eligible with signed BAA<\/span><\/p>\n<p><a href=\"https:\/\/www.google.com\/aclk?sa=L&amp;ai=DChsSEwiF9uT2vNuUAxUUldYIHcZHPKYYACICCAEQABoCdGw&amp;ae=2&amp;aspm=1&amp;co=1&amp;ase=2&amp;gclid=Cj0KCQjwz9_QBhD_ARIsADnSCfB1Cl34-Ppip9wf51sxgnteveNg6GOZuGx3QpB1xD_6BCDmQseP0IYaAoJNEALw_wcB&amp;cid=CAASWuRoP5aH2W3AiP65RgB1EuJceE2AADgF-i2vjTlbkRh1Cwn7hoOJoe4XerNTuXNAH2wp_buJyD8guCMyf0W0Fpuv4cyM0dhxSvw1VfvjL_ZdLn4iRCxUOHEqiw&amp;cce=2&amp;category=acrcp_v1_35&amp;sig=AOD64_0M4sRMtzc2zkmiZl5o1b3nUGCaeg&amp;q&amp;nis=4&amp;adurl&amp;ved=2ahUKEwiG1N32vNuUAxWzrlYBHZ0HB18Q0Qx6BAgOEAE\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS S3<\/span><\/a><span style=\"font-weight: 400;\"> is the most widely used HIPAA-compliant object storage in US healthcare. AWS signs a HIPAA BAA via the AWS Artifact portal in the AWS Management Console. Once the BAA is signed, S3 is covered for PHI storage when configured correctly.<\/span><\/p>\n<p><b>Required configuration for HIPAA compliance:<\/b><\/p>\n<pre># HIPAA-compliant S3 bucket configuration\n\n# 1. Block all public access\naws s3api put-public-access-block \\\n  --bucket your-healthcare-bucket \\\n  --public-access-block-configuration \\\n    \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"\n\n# 2. Enable default encryption (AES-256; this example uses SSE-KMS with a customer-managed key)\naws s3api put-bucket-encryption \\\n  --bucket your-healthcare-bucket \\\n  --server-side-encryption-configuration '{\n    \"Rules\": [{\n      \"ApplyServerSideEncryptionByDefault\": {\n        \"SSEAlgorithm\": \"aws:kms\",\n        \"KMSMasterKeyID\": \"arn:aws:kms:us-east-1:ACCOUNT:key\/KEY-ID\"\n      }\n    }]\n  }'\n\n# 3. Enable access logging (target bucket must be separate from the PHI bucket)\naws s3api put-bucket-logging \\\n  --bucket your-healthcare-bucket \\\n  --bucket-logging-status '{\n    \"LoggingEnabled\": {\n      \"TargetBucket\": \"your-audit-log-bucket\",\n      \"TargetPrefix\": \"s3-access-logs\/\"\n    }\n  }'\n\n# 4. Enforce HTTPS-only access\n# Add this statement to the bucket policy. \"Resource\" is required for a valid\n# bucket policy statement and uses the same placeholder bucket name as above.\n{\n  \"Effect\": \"Deny\",\n  \"Principal\": \"*\",\n  \"Action\": \"s3:*\",\n  \"Resource\": [\n    \"arn:aws:s3:::your-healthcare-bucket\",\n    \"arn:aws:s3:::your-healthcare-bucket\/*\"\n  ],\n  \"Condition\": {\n    \"Bool\": {\n      \"aws:SecureTransport\": \"false\"\n    }\n  }\n}<\/pre>\n<p><b>AWS services covered under the HIPAA BAA (relevant to healthcare apps):<\/b><span style=\"font-weight: 400;\"> EC2, S3, RDS, DynamoDB, Lambda, API Gateway, CloudTrail, CloudWatch, KMS, Cognito, SNS, SQS, ECS, EKS, SageMaker<\/span><\/p>\n<p><b>AWS services NOT covered under the HIPAA BAA (cannot store PHI):<\/b><span style=\"font-weight: 400;\"> Amazon Rekognition (standard), Amazon Transcribe (standard), some analytics services<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Microsoft Azure Blob Storage<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>HIPAA Status:<\/b><span style=\"font-weight: 400;\"> HIPAA-eligible with signed BAA via Microsoft Online Services BAA<\/span><\/p>\n<p><a 
href=\"https:\/\/azure.microsoft.com\/en-in\/pricing\/purchase-options\/azure-account\/search\/?ef_id=_k_Cj0KCQjwz9_QBhD_ARIsADnSCfCMa5_nPFIMxIlbHSrhWQ5QmdhgvNq9-_wGvZhv4yv-HRrmAFPPidsaAmDdEALw_wcB_k_&amp;OCID=AIDcmmf1elj9v5_SEM__k_Cj0KCQjwz9_QBhD_ARIsADnSCfCMa5_nPFIMxIlbHSrhWQ5QmdhgvNq9-_wGvZhv4yv-HRrmAFPPidsaAmDdEALw_wcB_k_&amp;gad_source=1&amp;gad_campaignid=23650569745&amp;gbraid=0AAAAADcJh_uMk5qpxhnCKNjnK12FCp-d9&amp;gclid=Cj0KCQjwz9_QBhD_ARIsADnSCfCMa5_nPFIMxIlbHSrhWQ5QmdhgvNq9-_wGvZhv4yv-HRrmAFPPidsaAmDdEALw_wcB\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Azure Blob Storage<\/span><\/a><span style=\"font-weight: 400;\"> with the Microsoft HIPAA BAA is the alternative most commonly chosen for organizations in the Microsoft ecosystem. Configuration requirements parallel AWS: encryption at rest (Azure Storage Service Encryption enabled by default, 256-bit AES), TLS in transit, access logging via Azure Monitor, and Azure Active Directory-based access control.<\/span><\/p>\n<p><b>Azure services covered under the HIPAA BAA:<\/b><span style=\"font-weight: 400;\"> Azure Blob Storage, Azure Files, Azure SQL Database, Azure Active Directory, Azure Key Vault, Azure Monitor, Azure Container Services, Azure Healthcare APIs (FHIR-native storage)<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Google Cloud Storage<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>HIPAA Status:<\/b><span style=\"font-weight: 400;\"> HIPAA-eligible with signed BAA via Google Cloud HIPAA BAA<\/span><\/p>\n<p><a 
href=\"https:\/\/www.google.com\/aclk?sa=L&amp;ai=DChsSEwiRud2TvduUAxXMkmYCHWL7ENMYACICCAEQABoCc20&amp;ae=2&amp;co=1&amp;ase=2&amp;gclid=Cj0KCQjwz9_QBhD_ARIsADnSCfCgRvksL6LamZnTEQk0_bkC-xM0tIqcD27AOSmzz9d7vsXKjpiYVX0aAhQ-EALw_wcB&amp;ei=FvEXavb8HvCdseMP3JDcgAQ&amp;cid=CAASWuRoLUGCY06rH-2dIaAw0y6OWqFwntRXTIKto8LDcvglzsB4hUsrPRCOCvpwBbbkNufoN-L8G_qbb-il6jIb_ga-wJO6xKsOthQvRXYFrPa1HS2ab2YhrUyrbQ&amp;cce=2&amp;category=acrcp_v1_71&amp;sig=AOD64_2TeFmb_5W86mz87PK43yVWPx0EhQ&amp;q&amp;sqi=2&amp;nis=4&amp;adurl&amp;ved=2ahUKEwj239aTvduUAxXwTmwGHVwIF0AQ0Qx6BAgMEAE\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Google Cloud Storage<\/span><\/a><span style=\"font-weight: 400;\"> with the Google Cloud HIPAA BAA provides equivalent PHI storage capability. Google Cloud <\/span><a href=\"https:\/\/engineerbabu.com\/blog\/healthcare-apis-to-build-secure-apps\/\"><span style=\"font-weight: 400;\">Healthcare API<\/span><\/a><span style=\"font-weight: 400;\"> provides FHIR R4-native storage specifically designed for healthcare applications, the most developer-friendly option for teams building FHIR-native systems.<\/span><\/p>\n<p><b>Notable for healthcare app builders:<\/b><span style=\"font-weight: 400;\"> Google Cloud Healthcare API includes native FHIR R4 server capability, you can store and query healthcare data in FHIR format without building a custom FHIR server. 
Covered under the Google Cloud HIPAA BAA.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Firebase (Google)<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>HIPAA Status:<\/b><span style=\"font-weight: 400;\"> Conditionally HIPAA-eligible, requires careful configuration<\/span><\/p>\n<p><a href=\"https:\/\/firebase.google.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Firebase<\/span><\/a><span style=\"font-weight: 400;\"> CAN be HIPAA compliant, but this is one of the most commonly misconfigured options in healthcare app development:<\/span><\/p>\n<p><b>HIPAA-eligible Firebase services (require Google Cloud HIPAA BAA):<\/b><span style=\"font-weight: 400;\"> Cloud Firestore, Cloud Functions, Cloud Storage for Firebase, Firebase Authentication<\/span><\/p>\n<p><b>Not HIPAA-eligible Firebase services (never use with PHI):<\/b><span style=\"font-weight: 400;\"> Firebase Analytics, Firebase Crashlytics, Firebase Remote Config, Firebase Performance Monitoring, Firebase A\/B Testing<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Many developers build Firebase apps that inadvertently route PHI through Analytics or Crashlytics before realizing these services are not covered. 
The BAA must be explicitly enabled, and only the covered services can touch PHI.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>MongoDB Atlas Healthcare<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><b>HIPAA Status:<\/b><span style=\"font-weight: 400;\"> HIPAA-eligible with BAA on M10+ dedicated clusters<\/span><\/p>\n<p><a href=\"https:\/\/www.google.com\/aclk?sa=L&amp;pf=1&amp;ai=DChsSEwimluGmvduUAxV9bA8CHWsqAsYYACICCAEQAxoCdGI&amp;co=1&amp;ase=2&amp;gclid=Cj0KCQjwz9_QBhD_ARIsADnSCfCt85cJeYeAh-RBPrd8pi8_RY5FX3dohqdMtlLth4WBb2CcF8BICvQaAgk5EALw_wcB&amp;cid=CAASWuRoq8fxxBH275lA9WHsY7Ox1hspjdAViLMgvbGSRbxrKJhtzjBSUMvr8ORe2Cm1foUuWSGmoST4bOQjUfv_OigUqqLqn2WojR4dHmZOYXh6KV6YgnpBfK-s6w&amp;cce=2&amp;category=acrcp_v1_32&amp;sig=AOD64_3tgMHoZb8d7dHo-_0LJx5tT1qQtg&amp;q&amp;nis=4&amp;adurl=https:\/\/www.mongodb.com\/lp\/cloud\/atlas\/try4-reg?utm_source%3Dgoogle%26utm_campaign%3Dsearch_gs_pl_evergreen_atlas_core-high-int_prosp-brand_gic-null_apac-in_ps-all_desktop_eng_lead%26utm_term%3Dmongodb%2520atlas%26utm_medium%3Dcpc_paid_search%26utm_ad%3De%26utm_ad_campaign_id%3D19617021259%26adgroup%3D173739098353%26cq_cmp%3D19617021259%26gad_source%3D1%26gad_campaignid%3D19617021259%26gbraid%3D0AAAAADQ14004NOLjOVIq3PXiEEK34JY4Y%26gclid%3DCj0KCQjwz9_QBhD_ARIsADnSCfCt85cJeYeAh-RBPrd8pi8_RY5FX3dohqdMtlLth4WBb2CcF8BICvQaAgk5EALw_wcB&amp;ved=2ahUKEwiP2dqmvduUAxVSh1YBHQvSN5MQ0Qx6BAgXEAE\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">MongoDB Atlas<\/span><\/a><span style=\"font-weight: 400;\"> offers a HIPAA BAA for M10 and larger dedicated clusters. Shared and serverless clusters are not covered. 
If you&#8217;re using MongoDB as your PHI database: use a dedicated M10+ cluster, sign the Atlas BAA, enable encryption at rest (available at M10+), and configure VPC peering to restrict network access.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-23095\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/02_platform_comparison.png\" alt=\"\" width=\"1920\" height=\"1240\" title=\"\"><\/p>\n<h2><b>Common Non-Compliant Storage (Never Use with PHI)<\/b><\/h2>\n<table>\n<tbody>\n<tr>\n<td><b>Service<\/b><\/td>\n<td><b>BAA Available<\/b><\/td>\n<td><b>Notes<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Dropbox (standard)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Personal\/business Dropbox lacks a healthcare BAA<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Google Drive (standard)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Standard Google Drive has no HIPAA BAA<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">GitHub \/ GitLab repositories<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Never commit PHI to source control<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Heroku<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Heroku does not sign HIPAA BAAs<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Vercel (standard)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Check current status before use<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Netlify<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No<\/span><\/td>\n<td><span style=\"font-weight: 400;\">No HIPAA BAA 
available<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-23097\" src=\"https:\/\/engineerbabu.com\/blog\/wp-content\/uploads\/2026\/05\/05_non_compliant.png\" alt=\"\" width=\"1920\" height=\"1080\" title=\"\"><\/p>\n<h2><b>The Backup and Disaster Recovery Dimension<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">HIPAA requires organizations to maintain policies for backup, recovery, and business continuity. For cloud storage:<\/span><\/p>\n<p><b>Backup requirements:<\/b><span style=\"font-weight: 400;\"> Regular automated backups of PHI-containing storage. AWS S3 Versioning plus lifecycle policies. RDS automated backups with point-in-time recovery. Backup retention matching your data retention policy (minimum 6 years for certain HIPAA records).<\/span><\/p>\n<p><b>Disaster recovery:<\/b><span style=\"font-weight: 400;\"> Geographic redundancy for production PHI storage. AWS S3 Cross-Region Replication with encryption enabled on the destination bucket. RDS Multi-AZ deployment.<\/span><\/p>\n<p><b>Access during outages:<\/b><span style=\"font-weight: 400;\"> HIPAA requires emergency access procedures: the ability to access PHI when primary access controls are unavailable. 
Document and test these procedures.<\/span><\/p>\n<h2><b>The Audit Logging Requirement<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">HIPAA&#8217;s audit control standard (45 CFR \u00a7164.312(b)) requires that every access to PHI (read, write, delete) is logged and that the logs are retained for 6 years.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For S3:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable S3 Server Access Logging (who accessed what object, when)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable AWS CloudTrail (API-level logging of all AWS operations)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Route logs to a separate, dedicated audit log bucket (not the bucket containing PHI, so that admins cannot modify their own access logs)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable S3 Object Lock with Governance mode on the audit log bucket (prevents log modification; note that Governance mode can still be overridden by principals explicitly granted s3:BypassGovernanceRetention, which Compliance mode does not allow)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Retention policy: 6 years minimum<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These logs are the first thing OCR requests in a HIPAA audit. If they don&#8217;t exist, the absence is itself a violation.<\/span><\/p>\n<p><b>Author:<\/b><span style=\"font-weight: 400;\"> Mayank Pratap | Co-Founder, EngineerBabu | Google AI Accelerator 2024 \u00b7 CMMI Level 5<\/span><\/p>\n<h2><b>FAQ about HIPAA compliant cloud storage healthcare apps<\/b><\/h2>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Is AWS S3 HIPAA compliant?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">AWS S3 is HIPAA-eligible, meaning AWS will sign a BAA and the service can be configured for HIPAA compliance. 
Whether your specific S3 bucket is compliant depends on your configuration: BAA signed, encryption enabled, public access blocked, access logging enabled, TLS enforced, least-privilege IAM policies applied.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Is Google Firebase HIPAA compliant?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Conditionally. Firebase&#8217;s core services (Firestore, Cloud Functions, Cloud Storage, Authentication) are HIPAA-eligible with the Google Cloud BAA properly signed and configured. Firebase Analytics, Crashlytics, Remote Config, and Performance Monitoring are not covered and cannot receive PHI. Many developers inadvertently route PHI through uncovered Firebase services.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>Can I store PHI in GitHub or source code repositories?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Never. No major source code repository (GitHub, GitLab, Bitbucket) signs HIPAA BAAs. Real PHI must never appear in source code, commits, issues, pull requests, or log files committed to repositories. Development must use synthetic data. Production PHI must never touch developer environments without explicit compliance controls.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>How long must HIPAA audit logs be retained?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Minimum 6 years from creation or last effective date. Audit logs must be stored in a tamper-proof system, typically AWS CloudTrail with S3 Object Lock enabled and protected from modification by administrators.<\/span><\/p>\n<ul>\n<li aria-level=\"1\">\n<h3><b>What encryption is required for HIPAA cloud storage?<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">AES-256 at rest, TLS 1.2 minimum (TLS 1.3 recommended) in transit. Key management options: AWS-managed keys (SSE-S3), AWS KMS with AWS-managed keys, or AWS KMS with customer-managed keys. 
All are HIPAA compliant; customer-managed keys provide the highest control over PHI access.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the question every healthcare app developer Googles, often at 11pm before a demo with a hospital client: &#8220;Is AWS S3 HIPAA compliant?&#8221; The honest answer is: AWS S3 can be HIPAA compliant. Whether your specific S3 bucket is HIPAA compliant depends entirely on how you configured it. An AWS HIPAA BAA does not [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":23099,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1246],"tags":[],"class_list":["post-23076","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-healthtech"],"_links":{"self":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts\/23076","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/comments?post=23076"}],"version-history":[{"count":3,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts\/23076\/revisions"}],"predecessor-version":[{"id":23098,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/posts\/23076\/revisions\/23098"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/media\/23099"}],"wp:attachment":[{"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/media?parent=23076"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/engineerbabu.com\/blog\/wp-json\/wp\/v2\/categories?post=23076"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/engineerba
bu.com\/blog\/wp-json\/wp\/v2\/tags?post=23076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}