HIPAA Compliance in the Cloud – An Auditor’s Guide


When I audit small to mid-sized SaaS companies in the healthcare space, there’s one assumption I encounter over and over again: “We’re in the cloud, so compliance is handled.” It’s an easy misconception to fall into. After all, AWS, Azure, and Google Cloud talk extensively about HIPAA and HITRUST capabilities. But here’s the quiet truth—moving to the cloud doesn’t make you compliant. It just changes how you must prove it. And that gap between expectation and responsibility is where most startups get tripped up. My job, more often than not, is less about pointing out failures and more about translating what regulators actually expect when protected health information (PHI) lives in cloud environments.

Many founders and CTOs I meet start with the same question: “Is cloud storage HIPAA compliant by default?” They assume that because they use AWS, Azure, or Google Cloud—and checked a box about HIPAA during setup—they’re already covered. That’s usually the first myth I have to unwind.

Who is Actually Responsible for HIPAA Compliance in the Cloud—the Provider or the Customer?

There is no such thing as a HIPAA-certified cloud. A provider can sign a BAA and offer all the right tools, but “Who is actually responsible for HIPAA compliance in the cloud—the provider or the customer?” remains one of the biggest misunderstandings I see. The simple answer? Infrastructure providers secure the building. You secure what happens inside your apartment. Access controls, logging, incident response, and backup plans are always the responsibility of the SaaS organization.


How Does HIPAA Compliance Affect the Implementation of Access Controls in the Cloud?

I once audited a behavioral health SaaS platform that assumed encryption at rest meant compliance was “handled.” But it’s not just a technical question—it’s foundational. HIPAA expects role-based access, unique user accounts, MFA, and regular access reviews. Shared or generic logins like “admin” that are accessed by multiple individuals would result in an instant audit finding for HIPAA. When I bring up monitoring and alerts, I sometimes get silence. Many teams haven’t enabled CloudTrail logs or centralized SIEM alerts.

What Is the Best Way to Maintain Continuous HIPAA Compliance in the Cloud?

Treat your environment like something that can drift out of compliance at any moment. Continuous monitoring tools, configuration drift detection, quarterly risk reviews—these aren’t optional in healthcare SaaS. They’re essential.
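The access-control expectations above (unique accounts, MFA, regular access reviews, no shared "admin" logins, CloudTrail and centralized alerting) and the "drift" idea from this section are the kind of thing I would script rather than check by hand. The following is an added example, not my audit tooling and not any cloud provider's API: it evaluates a constructed inventory of accounts and environment flags, returns findings, and diffs two scheduled runs so that newly appeared findings stand out. The record layout, the 90-day review cadence and the list of generic usernames are assumptions you would adapt to your own environment.

```python
"""Point-in-time HIPAA-style access-control and logging checks over a
constructed cloud account inventory, plus a diff between two runs.
Added example; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

ACCESS_REVIEW_MAX_AGE = timedelta(days=90)          # assumed review cadence
GENERIC_NAMES = {"admin", "root", "service", "shared"}  # assumed shared-login names


@dataclass
class Account:
    username: str
    mfa_enabled: bool
    people_using: list        # distinct humans known to use this login
    role: str
    last_access_review: date


@dataclass
class Environment:
    accounts: list
    cloudtrail_enabled: bool  # audit logging of API activity switched on
    siem_forwarding: bool     # logs shipped to a central alerting system
    as_of: date               # date of this snapshot


def audit_access_controls(env):
    """Return (finding_code, subject) tuples; an empty list means no findings."""
    findings = []
    for a in env.accounts:
        # A login used by more than one person, or a generic name, is not a
        # unique user account and cannot be tied to one individual.
        if len(a.people_using) > 1 or a.username.lower() in GENERIC_NAMES:
            findings.append(("shared-login", a.username))
        if not a.mfa_enabled:
            findings.append(("no-mfa", a.username))
        if env.as_of - a.last_access_review > ACCESS_REVIEW_MAX_AGE:
            findings.append(("stale-access-review", a.username))
    if not env.cloudtrail_enabled:
        findings.append(("no-audit-logging", "*"))
    if not env.siem_forwarding:
        findings.append(("no-central-alerting", "*"))
    return findings


def new_findings(previous, current):
    """Drift between two scheduled runs: findings that were absent last time."""
    return sorted(set(current) - set(previous))


# Constructed sample inventory: one shared "admin" login, two personal ones.
SAMPLE = Environment(
    as_of=date(2024, 6, 1),
    cloudtrail_enabled=False,
    siem_forwarding=False,
    accounts=[
        Account("admin", False, ["alice", "bob", "carol"], "Administrator", date(2023, 11, 15)),
        Account("alice", True, ["alice"], "Developer", date(2024, 4, 2)),
        Account("dpark", True, ["dpark"], "Support", date(2024, 1, 10)),
    ],
)


def run_sample():
    return audit_access_controls(SAMPLE)


if __name__ == "__main__":
    for code, subject in run_sample():
        print(f"{code:22} {subject}")
```

Run it on a schedule, store each result, and feed the previous and current lists to `new_findings`; anything it returns is configuration drift that appeared since the last run and should page someone, not wait for the quarterly review.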

Then comes HITRUST. Most SaaS teams only learn about it after a big hospital or payer sends over a vendor assessment asking for certification.

If Azure & Google Cloud Are HITRUST Certified, Are We Automatically Compliant, Too?

The answer is no. Yes, Azure and Google Cloud maintain HITRUST certifications—but only over the infrastructure they control. Your IAM settings, your logging, your incident response plan—all customer responsibilities and all in scope during a HITRUST audit.

I had a telehealth company panic during an AWS outage. Their first reaction was, “Isn’t disaster recovery covered by our cloud provider?” It’s not.


How Should SaaS Companies Handle HIPAA & HITRUST Disaster Recovery Requirements In the Cloud?

This is one of the most overlooked compliance areas. You must prove you can restore availability—whether AWS is up or not. Multi-region replication, tested backup procedures, defined RTO/RPO—if you can’t show them, you’re not compliant.
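"Defined RTO/RPO" only means something if you can show the numbers from a real outage or a restore drill against the targets you wrote down. As an added example (not my tooling, and with assumed targets and record layout), the script below takes a constructed backup log, an outage window and the dates of restore tests, and reports whether the multi-region, RPO, RTO and tested-procedure requirements were actually met.

```python
"""Evaluate a constructed outage against defined DR targets.
Added example; the targets, field names and one-year drill cadence are assumptions."""
from datetime import datetime, timedelta

RTO_TARGET = timedelta(hours=4)   # assumed maximum tolerated downtime
RPO_TARGET = timedelta(hours=1)   # assumed maximum tolerated data loss
MIN_REGIONS = 2                   # backups must exist in at least two regions
DRILL_MAX_AGE = timedelta(days=365)  # assumed: a full restore test at least yearly


def evaluate_dr(backups, outage_start, service_restored, restore_tests, as_of):
    """backups: list of (region, completed_at); restore_tests: datetimes of full
    restore drills. Returns measured values plus a list of (code, detail) findings."""
    findings = []

    regions = {region for region, _ in backups}
    if len(regions) < MIN_REGIONS:
        findings.append(("single-region-backups", sorted(regions)))

    # RPO achieved = gap between the last completed backup and the failure.
    completed_before = [t for _, t in backups if t <= outage_start]
    rpo_actual = outage_start - max(completed_before) if completed_before else None
    if rpo_actual is None:
        findings.append(("no-backup-before-outage", None))
    elif rpo_actual > RPO_TARGET:
        findings.append(("rpo-exceeded", str(rpo_actual)))

    # RTO achieved = time from failure until the service was usable again.
    rto_actual = service_restored - outage_start
    if rto_actual > RTO_TARGET:
        findings.append(("rto-exceeded", str(rto_actual)))

    # A backup you have never restored from is an untested procedure.
    if not any(as_of - t <= DRILL_MAX_AGE for t in restore_tests):
        findings.append(("restore-procedure-untested", None))

    return {"rpo_actual": rpo_actual, "rto_actual": rto_actual, "findings": findings}


# Constructed sample: single-region backups, a 6h15m outage, last drill over a year ago.
SAMPLE_BACKUPS = [
    ("us-east-1", datetime(2024, 5, 20, 3, 0)),
    ("us-east-1", datetime(2024, 5, 20, 9, 0)),
]
SAMPLE_OUTAGE_START = datetime(2024, 5, 20, 11, 30)
SAMPLE_RESTORED = datetime(2024, 5, 20, 17, 45)
SAMPLE_DRILLS = [datetime(2023, 2, 1, 10, 0)]
SAMPLE_AS_OF = datetime(2024, 6, 1)


def run_sample():
    return evaluate_dr(SAMPLE_BACKUPS, SAMPLE_OUTAGE_START, SAMPLE_RESTORED,
                       SAMPLE_DRILLS, SAMPLE_AS_OF)


if __name__ == "__main__":
    result = run_sample()
    print("RPO achieved:", result["rpo_actual"], "RTO achieved:", result["rto_actual"])
    for code, detail in result["findings"]:
        print(f"{code:28} {detail}")
```

The point of keeping the measured values alongside the findings is that an auditor will ask for both: the target you defined and the evidence you met it on a specific date.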

Privacy concerns also surface frequently, especially from product teams.

How Can We Address Privacy & Security Concerns When Using Cloud-Based Storage Services?

My answer is consistent: encrypt everything, control who has the keys, track every access, and practice breach scenarios. HIPAA doesn’t care how modern your stack is—it cares how accountable you are.

The biggest lesson I try to leave SaaS teams with is this: the cloud doesn’t eliminate your compliance burden—it simply relocates it. HIPAA and HITRUST aren’t obstacles meant to slow innovation; they’re frameworks that force you to build trust through discipline. Access controls, logging, encryption, disaster recovery—these aren’t just audit requirements, they’re business continuity safeguards. In healthcare, trust isn’t a feature you can ship—it’s a promise you have to uphold. If you treat compliance as infrastructure rather than paperwork, your platform won’t just pass audits. It will earn the confidence of every provider, payer, and patient you hope to serve.

If you have more questions about HIPAA or HITRUST compliance in the cloud, please contact me.