HIPAA-Compliant Cloud, AWS, and Database Services

Cloud and database compliance depends on the exact services, agreement, and configuration. AWS and Amazon RDS may support HIPAA-regulated workloads only when the BAA, HIPAA-eligible service scope, encryption, identity controls, logging, backups, regions, and downstream systems are verified.

Quick answer

Review cloud, AWS, database, and infrastructure providers for HIPAA eligible services, BAA scope, SOC 2 evidence, and implementation risk.

Last updated: 2026-05-26

How to choose cloud and database tools

Best for

  • Healthcare infrastructure where the exact cloud services are HIPAA eligible and covered by a BAA.
  • Application backends, Amazon RDS-style databases, storage, and analytics pipelines designed with encryption and access control from the start.
  • Teams that can govern identity, logging, backups, regions, support access, and downstream subprocessors.

BAA requirements

  • Confirm the BAA covers the exact services, regions, support channels, and account structure used for PHI.
  • Check the vendor's current HIPAA eligible services list or covered-service documentation before implementation, especially for databases, logs, backups, and analytics.
  • Document customer responsibilities for encryption, identity, network controls, logging, backups, and incident response.

PHI risk areas

  • Non-eligible services, SQL logs, slow query logs, object names, database snapshots, read replicas, backups, queues, analytics events, and data lake exports.
  • Support tickets, debugging traces, monitoring dashboards, third-party marketplace products, and cross-region replication.
  • Non-production databases, copied seed data, BI exports, and application-layer mistakes where the cloud provider is eligible but the customer's SaaS architecture is not governed.

Recommended review order

Treat these as higher-risk until verified

No listed vendor has an obvious public "not supported" or "unable to confirm" signal in this category, but each workflow still needs BAA, PHI, configuration, and integration review before use.

Vendor comparison table

Vendor            HIPAA signal   BAA signal              SOC 2 signal          Best for
AWS               Conditional    AWS BAA required        Public evidence       BAA-scoped workflow review
Amazon RDS        Conditional    AWS BAA required        AWS public evidence   BAA-scoped workflow review
Google Workspace  Conditional    Google Workspace BAA    Public evidence       BAA-scoped workflow review
Salesforce        Conditional    Covered services only   Public evidence       BAA-scoped workflow review
Airtable          Conditional    Enterprise Scale only   Public evidence       Vendor-specific workflow review

Avoid if

  • The service used is not listed as eligible or covered.
  • Backups, logs, snapshots, read replicas, support tickets, or exports contain PHI outside governed systems.
  • Teams cannot enforce encryption, access control, and audit log requirements.

Methodology

  • Separate vendor eligibility from customer implementation responsibility.
  • Review exact services, database engines, regions, support plans, and logging paths.
  • Map where PHI is stored, queried, logged, replicated, backed up, restored, and exported.

Verification checklist

  • Is each storage, compute, database, analytics, logging, and support service listed as eligible or covered?
  • For Amazon RDS or another managed database, are the engine, region, encryption, snapshots, replicas, logs, exports, and backup lifecycle covered?
  • Are encryption, IAM, MFA, audit logging, retention, backup, key management, and deletion controls enabled and documented?
  • Can PHI be kept out of logs, telemetry, object names, support cases, and non-production environments?
  • Have downstream vendors, regions, subprocessors, and disaster-recovery paths been reviewed?

FAQ

Is Amazon RDS HIPAA compliant?

Amazon RDS is listed by AWS as HIPAA eligible, but it is not automatically compliant for every application. Verify the AWS BAA, current RDS engine scope, region, encryption, IAM, logging, snapshots, backups, and every connected service before storing PHI.

What is a HIPAA-compliant database?

A HIPAA-compliant database is not just a database product. It is a governed workflow with an appropriate vendor agreement, eligible service scope, encryption, identity controls, audit logs, backup controls, retention, deletion, monitoring, and policies for how PHI is accessed and exported.

Does a HIPAA-eligible cloud service make an app HIPAA compliant?

No. A HIPAA-eligible cloud service and BAA are only part of the workflow. The customer still needs correct architecture, access controls, encryption, logging, backups, policies, and review of every system that touches PHI.

What should be checked before storing PHI in a database?

Check BAA scope, eligible services, encryption, identity controls, audit logs, backups, support access, non-production data, exports, retention, deletion, and whether PHI appears in logs or analytics.

What should buyers verify for cloud and database tools?

Verify BAA availability, covered services, product plan, data flows, admin controls, integrations, support access, retention, audit logs, and whether PHI appears in fields, messages, files, or notifications.

Does SOC 2 prove HIPAA readiness?

No. SOC 2 can provide useful security evidence, but HIPAA-regulated workflows also require BAA scope, PHI handling review, configuration, policies, and qualified legal or compliance guidance.