HIPAA Requirements for Data Storage and Cloud Providers Handling ePHI
Storing electronic protected health information (ePHI) in the cloud does not change your obligations under the HIPAA Security Rule. If a cloud service provider (CSP) creates, receives, maintains, or transmits ePHI on your behalf, it must meet specific safeguards and breach notification duties. This guide shows how to operationalize those requirements across contracts, encryption, access control, audit logs, risk management, and incident response.
Cloud Service Providers as Business Associates
When a CSP is a Business Associate
A CSP is a Business Associate when it handles ePHI for a Covered Entity or another Business Associate—even if the data is encrypted and the provider claims “no view.” Simply maintaining ePHI makes the CSP subject to HIPAA obligations.
Business Associate Agreement essentials
Execute a Business Associate Agreement before placing ePHI in any cloud. The BAA should define permitted uses and disclosures, require safeguards aligned to the HIPAA Security Rule, mandate prompt reporting of incidents and breaches, and address data return or destruction at termination. It must also require Subcontractor Compliance—your CSP must flow down equivalent obligations to any subcontractors.
Shared responsibility and operational alignment
- Map the shared responsibility model so you and the CSP know who manages identity, encryption, logging, backups, and disaster recovery.
- Designate security contacts and escalation paths, including how to open and track incidents with the provider.
- Require evidence (e.g., control mappings, attestations) that the CSP operates controls relevant to your regulated workloads.
Encryption Requirements for ePHI
Apply NIST Encryption Standards
Encryption is an addressable safeguard under HIPAA, but in cloud environments it is effectively expected. Use NIST Encryption Standards and FIPS 140-2 or FIPS 140-3 validated cryptographic modules where feasible. Common choices are AES-256-GCM for data at rest and TLS 1.2 or later (ideally TLS 1.3) for data in transit.
Data at rest
- Encrypt databases, object and block storage, backups, snapshots, search indexes, queues, and temporary files.
- Use envelope encryption with customer-managed keys stored in hardware-backed HSMs; rotate keys on a defined schedule and after suspected compromise.
- Separate duties so no single administrator can access both ciphertext and keys; monitor all key usage.
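The envelope pattern from the list above, as an added example in Go that is not code from this guide or from Accountable: each record gets its own data-encryption key (DEK), sealed with AES-256-GCM under a key-encryption key (KEK) that the storage layer never holds. The KEK is a plain byte slice here only so the example runs stand-alone; in production the wrap and unwrap calls go to the HSM-backed KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Envelope struct { // what the storage layer persists; the KEK itself never appears in it
	WrappedDEK, Ciphertext []byte // per-record DEK sealed under the KEK; record sealed under its DEK
}
// gcm builds AES-256-GCM (a wrong key length is a caller bug, so it panics); seal prefixes a
// fresh random nonce to the GCM output; open reverses it and rejects any tampered byte.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		panic("envelope: keys must be 32 bytes")
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-standard block sizes
	return g
}
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail in current Go
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed data too short")
}

// EncryptRecord draws a fresh 256-bit DEK per record and persists only the wrapped DEK, so
// the datastore holds ciphertext, the KMS holds the KEK, and no single party holds both.
func EncryptRecord(kek, record []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, record)}
}
// DecryptRecord unwraps the DEK with the KEK (a KMS call in production), then opens the record.
func DecryptRecord(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

Scheduled or post-compromise KEK rotation then opens WrappedDEK with the old KEK and seals it again with the new one; Ciphertext is never touched, which is why per-record DEKs keep rotation cheap.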
Data in transit
- Enforce HTTPS/TLS end to end; disable legacy ciphers; prefer mutual TLS for service-to-service traffic.
- Use VPNs or private connectivity for administrative access; manage certificates and rotate them automatically.
Safe harbor considerations
If ePHI is encrypted using strong, industry-recognized methods and keys remain uncompromised, a loss of ciphertext may not constitute a breach requiring Data Breach Notification. Document your algorithms, key management, and validation decisions.
Access Controls for ePHI
Identity and Role-Based Access Control
- Assign unique user IDs and enforce Role-Based Access Control with least privilege; review entitlements regularly.
- Use SSO with MFA for administrators and users; prefer short-lived, just-in-time privileged access for high-risk tasks.
- Define emergency “break-glass” access with monitoring and post-event review.
Session and network protections
- Enable automatic logoff and session timeouts; restrict access by network segment and apply micro-segmentation.
- Manage service accounts via secrets managers; rotate credentials and eliminate hard-coded secrets.
Lifecycle and oversight
- Provision and deprovision accounts promptly; perform periodic access recertifications.
- Document access approval workflows and maintain evidence for audits.
Audit Controls Implementation
What to capture
- Collect audit logs from the cloud control plane, operating systems, databases, applications, and network layers.
- Record who accessed what ePHI, when, from where, the action taken, and success/failure; include correlation IDs.
- Prevent sensitive data from appearing in logs by redacting and validating log content.
Protecting and retaining logs
- Centralize logs in a SIEM; ensure clock synchronization and tamper-evident, write-once storage.
- Define retention to meet business, legal, and investigative needs; many organizations keep critical security logs for up to six years to align with HIPAA documentation retention expectations.
Review and response
- Create alerting for anomalous access, privilege changes, denied attempts, and bulk data movements.
- Perform regular log reviews, document findings, and track remediation to closure.
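As an added example that is not part of the original guide, in Go: a minimal audit-event schema carrying the fields listed above (actor, source address, action, record identifier, correlation ID, time, outcome) and a replay detector for two of the alert conditions, bulk record access and bursts of denied attempts. The schema, rule names, thresholds and sample events are constructed for the illustration.

```go
package main

import "time"

// AuditEvent is a constructed minimal schema for one ePHI access (who, from where, which action
// on which record, correlation ID, when, outcome). Resource is an opaque ID; ePHI content never belongs in a log.
type AuditEvent struct {
	Actor, SourceIP, Action, Resource, CorrID string
	Time                                      time.Time
	Success                                   bool
}
type Alert struct{ Rule, Actor string } // which rule fired, and for whom
// Detect replays per-actor time-ordered events and fires once per actor when, inside one window,
// it reads more than maxRecords distinct records (bulk-access) or is denied more than maxDenied times.
func Detect(events []AuditEvent, window time.Duration, maxRecords, maxDenied int) []Alert {
	var alerts []Alert
	fired := map[Alert]bool{}
	for i, e := range events {
		distinct, denied := map[string]bool{}, 0
		for _, p := range events[:i+1] { // look back one window, this actor only
			if p.Actor == e.Actor && !p.Time.Before(e.Time.Add(-window)) {
				if !p.Success {
					denied++
				} else if p.Action == "read" {
					distinct[p.Resource] = true
				}
			}
		}
		hits := map[string]bool{"bulk-access": len(distinct) > maxRecords, "denied-burst": denied > maxDenied}
		for _, rule := range []string{"bulk-access", "denied-burst"} {
			if a := (Alert{rule, e.Actor}); hits[rule] && !fired[a] {
				fired[a] = true
				alerts = append(alerts, a)
			}
		}
	}
	return alerts
}
// SampleEvents is constructed data: one routine chart read, a service account sweeping six
// charts in 75 seconds, and a remote user denied four times in four seconds.
func SampleEvents() []AuditEvent {
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	ev := []AuditEvent{{"dr.lee", "10.0.1.8", "read", "patient/0001", "c-1", t0, true}}
	for i := 0; i < 6; i++ { // patient/0100 .. patient/0105, 15 s apart
		ev = append(ev, AuditEvent{"svc-export", "10.0.9.3", "read", "patient/010" + string(rune('0'+i)), "c-2", t0.Add(time.Duration(i) * 15 * time.Second), true})
	}
	for i := 0; i < 4; i++ {
		ev = append(ev, AuditEvent{"jdoe", "203.0.113.5", "read", "patient/0002", "c-3", t0.Add(time.Duration(i) * time.Second), false})
	}
	return ev
}
```

In a SIEM the same two rules become aggregation queries keyed on actor over a sliding window; the replay here is quadratic in the number of events and meant for a handful of them.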
Risk Analysis and Management
Conducting the risk analysis
- Inventory systems and data flows that store or transmit ePHI; identify threats, vulnerabilities, and existing controls.
- Estimate likelihood and impact to produce risk ratings; record risks in a register with owners and due dates.
Risk treatment and monitoring
- Plan and implement administrative, physical, and technical safeguards; verify effectiveness through testing.
- Run continuous vulnerability management, configuration baselining, and periodic penetration testing.
- Assess CSP and subcontractor risk; require Subcontractor Compliance and documented remediation of findings.
Frequency
Perform a comprehensive risk analysis at least annually and whenever there are material changes (new systems, major migrations, integrations), as well as after significant incidents. Maintain an ongoing risk management process—not a one-time project.
Service Level Agreements with CSPs
Security and privacy commitments
- Align the SLA with your Business Associate Agreement to avoid gaps; specify encryption, access, and logging expectations.
- Require disclosure and approval of subcontractors, including their compliance obligations and control standards.
Operational guarantees
- Define availability targets, support response times, maintenance windows, and disaster recovery objectives (RPO/RTO).
- Specify backup frequency, restore times, data location, and data lifecycle (retention, return, and verified deletion).
Incident cooperation and evidence
- Set timelines for security incident notification and Data Breach Notification support, including access to audit logs, forensics, and knowledgeable personnel.
- Include right-to-audit terms, change-management notice, vulnerability remediation SLAs, and key management options (e.g., customer-managed keys).
Exit and portability
- Require data export in usable formats, termination assistance, and confirmation of data destruction with evidence.
- Address indemnities, service credits, and escalation paths for unresolved issues.
Breach Notification Procedures
Immediate actions
- Detect, triage, and contain the incident; preserve evidence and engage your CSP per the BAA and SLA.
- Collect relevant audit logs, access records, and system snapshots; rotate credentials and affected keys as needed.
HIPAA breach assessment
- Apply the four-factor risk assessment: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
- Document your analysis and determination, including whether encryption provides safe harbor.
Notifications and timelines
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured ePHI.
- If 500 or more individuals are affected in a state or jurisdiction, notify prominent media and the federal authorities within the same 60-day window; for fewer than 500, report to authorities within 60 days after the end of the calendar year.
- Ensure Business Associate and Subcontractor Compliance obligations cascade—subcontractors notify the CSP, which notifies you.
Content of notices and remediation
- Include what happened, types of information involved, steps individuals should take, your mitigation actions, and contact information.
- Perform lessons learned, close control gaps, and update playbooks, training, and agreements.
Conclusion
By treating your CSP as a true Business Associate, enforcing NIST-aligned encryption, tightening access controls, building reliable audit logs, and running a living risk management program, you can store ePHI in the cloud confidently. Strong SLAs and tested breach procedures complete a defensible, HIPAA-aligned posture.
FAQs
What is a Business Associate Agreement under HIPAA?
A Business Associate Agreement is a contract that defines how a vendor that creates, receives, maintains, or transmits ePHI will safeguard it, report incidents, support breach response, and return or destroy data at termination. It also requires the vendor to ensure Subcontractor Compliance by flowing down equivalent obligations to any downstream providers.
How should ePHI be encrypted in cloud storage?
Encrypt ePHI at rest with AES-256 (or equivalent) using FIPS 140-2/140-3 validated modules, and encrypt data in transit with TLS 1.2+ (preferably TLS 1.3). Use customer-managed keys in an HSM, rotate keys regularly, separate duties so no single admin controls both data and keys, and monitor all key usage in audit logs to meet NIST Encryption Standards.
What access controls are required for cloud providers handling ePHI?
Implement unique user IDs, Role-Based Access Control with least privilege, and multi-factor authentication. Enforce session timeouts and automatic logoff, manage secrets securely, restrict network access, and perform periodic access reviews. Establish emergency access procedures and monitor all privileged activity via audit logs to satisfy the HIPAA Security Rule’s access control requirements.
How often must risk analysis be conducted for ePHI storage?
Perform a comprehensive risk analysis at least annually and whenever material changes occur—such as new systems, major migrations, or significant incidents. Maintain continuous risk management with vulnerability scanning, configuration monitoring, and reassessments after control changes or findings.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.