HIPAA-Compliant Cloud and Database Services

Cloud and database compliance depends heavily on the specific services used and how they are configured. Verify eligible services, BAA scope, encryption, identity controls, logging, backups, regions, support access, and downstream subprocessors.

Quick answer

Review cloud, database, and infrastructure providers for HIPAA eligible services, BAA scope, SOC 2 evidence, and implementation risk.

Last updated: 2026-04-30

How to choose cloud and database tools

Best for

  • Healthcare infrastructure where the exact cloud services are HIPAA eligible and covered by a BAA.
  • Application backends, databases, storage, and analytics pipelines designed with encryption and access control from the start.
  • Teams that can govern identity, logging, backups, regions, support access, and downstream subprocessors.

BAA requirements

  • Confirm the BAA covers the exact services, regions, support channels, and account structure used for PHI.
  • Check the vendor's current HIPAA eligible services list or covered-service documentation before implementation.
  • Document customer responsibilities for encryption, identity, network controls, logging, backups, and incident response.

PHI risk areas

  • Non-eligible services, logs, object names, database snapshots, backups, queues, analytics events, and data lake exports.
  • Support tickets, debugging traces, monitoring dashboards, third-party marketplace products, and cross-region replication.
  • Application-layer mistakes where the cloud provider is eligible but the customer's SaaS architecture is not governed.

Recommended review order

Treat these as higher-risk until verified

No listed vendor has an obvious public "not supported" or "unable to confirm" signal in this category, but each workflow still needs BAA, PHI, configuration, and integration review before use.

Vendor comparison table

Vendor           | HIPAA signal | BAA signal            | SOC 2 signal    | Best for
-----------------|--------------|-----------------------|-----------------|------------------------------
AWS              | Conditional  | AWS BAA required      | Public evidence | BAA-scoped workflow review
Google Workspace | Conditional  | Google Workspace BAA  | Public evidence | BAA-scoped workflow review
Salesforce       | Conditional  | Covered services only | Public evidence | BAA-scoped workflow review
Airtable         | Conditional  | Enterprise Scale only | Public evidence | Vendor-specific workflow review

Avoid if

  • The service used is not listed as eligible or covered.
  • Backups, logs, support tickets, or exports contain PHI outside governed systems.
  • Teams cannot enforce encryption, access control, and audit log requirements.

Methodology

  • Separate vendor eligibility from customer implementation responsibility.
  • Review exact services, regions, support plans, and logging paths.
  • Map where PHI is stored, processed, backed up, and exported.

Verification checklist

  • Is each storage, compute, database, analytics, logging, and support service listed as eligible or covered?
  • Are encryption, IAM, MFA, audit logging, retention, backup, and deletion controls enabled and documented?
  • Can PHI be kept out of logs, telemetry, object names, support cases, and non-production environments?
  • Have downstream vendors, regions, subprocessors, and disaster-recovery paths been reviewed?

FAQ

Does a HIPAA-eligible cloud service make an app HIPAA compliant?

No. A HIPAA-eligible cloud service and BAA are only part of the workflow. The customer still needs correct architecture, access controls, encryption, logging, backups, policies, and review of every system that touches PHI.

What should be checked before storing PHI in a database?

Check BAA scope, eligible services, encryption, identity controls, audit logs, backups, support access, non-production data, exports, retention, deletion, and whether PHI appears in logs or analytics.

What should buyers verify for cloud and database tools?

Verify BAA availability, covered services, product plan, data flows, admin controls, integrations, support access, retention, audit logs, and whether PHI appears in fields, messages, files, or notifications.

Does SOC 2 prove HIPAA readiness?

No. SOC 2 can provide useful security evidence, but HIPAA-regulated workflows also require BAA scope, PHI handling review, configuration, policies, and qualified legal or compliance guidance.