AWS vs GCP vs Azure: Which is Best for HIPAA?
Comparing AWS, GCP, and Azure for HIPAA compliance: BAA availability, eligible services, real costs, and which cloud platform fits your company size.
Choosing the wrong cloud provider for a HIPAA-regulated workload doesn't just create compliance risk — it creates remediation cost. Migrating a production healthcare application from one cloud to another after discovering your current provider's HIPAA-eligible service list doesn't cover what you need is an expensive lesson.
This guide gives you the information to make the right call before you build: which services are covered under each provider's Business Associate Agreement, how the compliance posture and tooling compare, what the real cost differences look like for healthcare workloads, and which provider makes the most sense by company size and use case.
The BAA Is the Starting Point, Not the Finish Line
Every cloud provider HIPAA discussion starts with the Business Associate Agreement. A BAA is a legally required contract between a covered entity (or another business associate) and a cloud provider that will store, process, or transmit Protected Health Information (PHI).
The critical point: A signed BAA does not make your application HIPAA compliant. It makes your cloud provider a compliant business associate. Your application still needs to be architected, configured, and operated in a way that satisfies the HIPAA Security Rule's administrative, physical, and technical safeguard requirements.
What the BAA does:
- Establishes the provider's responsibilities for safeguarding PHI
- Defines the services covered under the agreement (not all services are covered — more on this below)
- Creates contractual accountability for breach notification
- Is legally required before PHI can be stored or processed on the platform
What the BAA does not do:
- Make your S3 buckets private (you still have to configure that)
- Enable encryption on your RDS instances (you still have to configure that)
- Implement access logging, audit trails, or least-privilege IAM (you still have to configure that)
- Satisfy the HIPAA Security Rule's 169 implementation specifications
With that established, here is how the three major providers compare.
BAA Availability
All three major providers offer BAAs for enterprise and business customers. The process differs.
| Provider | BAA Availability | How to Get It |
|---|---|---|
| AWS | Available to all customers | Self-service via AWS Artifact in the console |
| Google Cloud | Available to all customers | Self-service via GCP console |
| Azure | Available to all customers | Self-service via Microsoft Service Trust Portal |
AWS: The BAA in AWS Artifact covers a defined list of HIPAA-eligible services. You agree to use PHI only within those covered services. The list is updated periodically and currently includes 170+ services.
Google Cloud: GCP's BAA (called a Cloud Data Processing Addendum for healthcare contexts) covers a defined service list as well. Google has been expanding HIPAA coverage aggressively since 2021, and the current list is comparable to AWS.
Azure: Microsoft's BAA is embedded in their Online Services Terms. Azure has a long history in healthcare enterprise — many EHR vendors and health systems run on Azure — and the HIPAA coverage is comprehensive.
Verdict on BAA access: All three are equivalent for straightforward healthcare SaaS. The process is easier than it was five years ago. None require negotiation for standard terms.
HIPAA-Eligible Services: Where the Differences Matter
The covered services list is where real differences emerge. Not all cloud services at any provider are covered under the BAA, and if you're using a non-covered service to process or store PHI — even inadvertently — you have a compliance gap.
AWS HIPAA-Eligible Services (Key Categories)
AWS covers 170+ services under their BAA. Key services for healthcare applications:
Compute and containers:
- EC2, ECS, EKS, Lambda, Fargate
- Elastic Beanstalk, App Runner
Storage:
- S3, S3 Glacier, EBS, EFS, FSx
- Storage Gateway
Databases:
- RDS (all engines), Aurora, DynamoDB, Redshift
- ElastiCache (Redis and Memcached), DocumentDB, Neptune
Networking:
- VPC, Route 53, CloudFront, API Gateway
- Direct Connect, VPN, Load Balancers
Security and monitoring:
- CloudTrail, CloudWatch, GuardDuty, Security Hub
- KMS, Secrets Manager, IAM, WAF, Shield
Analytics:
- Athena, EMR, Kinesis, SageMaker, Comprehend Medical
Application services:
- SQS, SNS, SES, Cognito, AppSync
Notable gaps (not covered under AWS BAA):
- Amazon Connect (contact center) — significant for telehealth
- Some new AI/ML services until they're added to the covered list
- AWS Amplify public hosting
GCP HIPAA-Eligible Services (Key Categories)
Google has expanded significantly. Key covered services:
Compute and containers:
- Compute Engine, GKE, Cloud Functions, Cloud Run
- App Engine
Storage:
- Cloud Storage, Persistent Disk, Filestore
Databases:
- Cloud SQL, Cloud Spanner, Firestore, Bigtable
- Memorystore (Redis), AlloyDB
Networking:
- VPC, Cloud Load Balancing, Cloud CDN, Cloud DNS
- Cloud Interconnect, Cloud VPN
Security and monitoring:
- Cloud Audit Logs, Cloud Monitoring, Cloud Logging
- Cloud KMS, Secret Manager, IAM, Cloud Armor
Analytics and AI:
- BigQuery, Dataflow, Pub/Sub
- Healthcare API (FHIR, HL7v2, DICOM) — purpose-built
- Vertex AI (select models), Healthcare Natural Language API
Notable gaps (not covered under GCP BAA):
- Google Workspace services are covered under a separate BAA
- Some experimental AI services
Azure HIPAA-Eligible Services (Key Categories)
Azure has deep enterprise healthcare coverage, particularly strong for EHR integrations:
Compute and containers:
- Virtual Machines, AKS, Azure Functions, Container Instances
- App Service, Azure Batch
Storage:
- Blob Storage, File Storage, Queue Storage, Disk Storage
- Data Lake Storage
Databases:
- Azure SQL Database, Cosmos DB, Azure Database for PostgreSQL/MySQL
- Azure Cache for Redis, Synapse Analytics
Networking:
- Virtual Network, Load Balancer, Application Gateway, Front Door
- ExpressRoute, VPN Gateway, Azure DNS, CDN
Security and monitoring:
- Azure Monitor, Log Analytics, Microsoft Defender for Cloud
- Key Vault, Azure Active Directory, Sentinel, WAF
Healthcare-specific:
- Azure Health Data Services (FHIR, DICOM, MedTech)
- Azure API for FHIR (dedicated healthcare service)
- Azure IoT Hub (covered — relevant for medical device integrations)
Notable gaps:
- Azure OpenAI Service — covered under separate enterprise agreement terms
- Some preview services
Covered Services Verdict
| Category | AWS | GCP | Azure |
|---|---|---|---|
| Core compute/storage/DB | Comprehensive | Comprehensive | Comprehensive |
| Healthcare-specific APIs | Limited | Strong (Healthcare API) | Strong (Health Data Services) |
| AI/ML on PHI | Growing | Growing | Growing |
| IoT / medical devices | Partial | Partial | Strong |
| Enterprise identity | Serviceable | Serviceable | Strongest (Azure AD) |
| Total covered services | 170+ | 130+ | 130+ |
Compliance Tooling Comparison
A HIPAA-compliant cloud architecture requires more than eligible services — it requires the right configuration, monitoring, and audit trail capabilities. Here's how each provider's native tooling compares.
Audit Logging
AWS: CloudTrail provides comprehensive API-level audit logging across services. CloudWatch Logs handles application-level logging. CloudTrail Insights detects unusual API activity. Audit Manager provides automated evidence collection for compliance frameworks including HIPAA.
GCP: Cloud Audit Logs (Admin Activity, Data Access, System Event, Policy Denied) provide similar coverage. Google's audit logging integrates directly with BigQuery for retention and analysis. Chronicle SIEM is available for advanced threat detection.
Azure: Azure Monitor and Log Analytics provide comprehensive logging. Microsoft Defender for Cloud includes a HIPAA regulatory compliance dashboard with real-time assessment against HIPAA controls. Sentinel provides SIEM capabilities with HIPAA-specific detection rules.
Verdict: Azure's built-in HIPAA compliance dashboard is a meaningful advantage for teams that need ongoing compliance posture visibility. AWS and GCP require more configuration to achieve equivalent visibility.
Encryption
All three providers support AES-256 encryption at rest and TLS 1.2+ in transit across covered services. Key management differs:
AWS KMS: Per-key per-month pricing ($1/key/month), per-API-call pricing ($0.03 per 10,000 requests). Customer-managed keys (CMKs) are required for full compliance control. AWS CloudHSM is available for dedicated hardware.
GCP Cloud KMS: Similar pricing model. Customer-managed encryption keys (CMEK) widely supported. Cloud HSM available.
Azure Key Vault: Per-key and per-transaction pricing comparable to AWS. Dedicated HSM available. Azure integrates more tightly with Active Directory for key access policies.
Verdict: Equivalent capabilities across providers. Azure's Active Directory integration is an advantage for enterprises with existing Microsoft identity infrastructure.
Access Control
AWS IAM: Highly flexible, industry-standard. Role-based access, attribute-based access control, Service Control Policies for multi-account governance. AWS Organizations enables policy enforcement across accounts.
GCP IAM: Similar flexibility. Organization policies for governance. Workload Identity Federation for service-to-service authentication.
Azure RBAC + Azure AD: Azure Active Directory is the strongest enterprise identity solution in the cloud. Conditional Access, Privileged Identity Management (PIM), and just-in-time access are native capabilities that AWS and GCP require third-party tools to match.
Verdict: Azure wins for enterprises with existing Active Directory or complex identity requirements. AWS IAM is the most commonly configured in practice for healthcare SaaS.
Cost Comparison for HIPAA Workloads
HIPAA workloads have specific cost drivers: encryption key management, comprehensive logging (high storage volume), redundancy requirements, and security tooling. Here's how costs compare for a representative mid-size healthcare SaaS workload.
Representative Workload
- 3 application servers (8 vCPU, 32GB RAM)
- Primary database (8 vCPU, 32GB RAM, 500GB storage)
- 5TB data storage (PHI records, documents)
- Comprehensive logging (90-day hot retention, 7-year cold archival)
- Load balancer, CDN, WAF
- Key management (100 keys, moderate API volume)
- Backup (daily, 30-day retention)
Monthly Cost Estimates (2026)
| Component | AWS | GCP | Azure |
|---|---|---|---|
| Compute (3 × m6i.2xlarge equiv.) | ~$450 | ~$430 | ~$470 |
| Database (db.r6g.2xlarge equiv.) | ~$520 | ~$490 | ~$510 |
| Storage (5TB + backup) | ~$160 | ~$145 | ~$155 |
| Logging storage (90-day hot) | ~$180 | ~$165 | ~$170 |
| Long-term log archival (7yr cold) | ~$25 | ~$20 | ~$22 |
| Load balancer + CDN + WAF | ~$180 | ~$165 | ~$190 |
| KMS / Key Vault | ~$50 | ~$45 | ~$50 |
| Security tooling (GuardDuty equiv.) | ~$120 | ~$110 | ~$130 |
| Monthly total | ~$1,685 | ~$1,570 | ~$1,697 |
| Annual total | ~$20,220 | ~$18,840 | ~$20,364 |
Note: These are estimates based on list pricing. Actual costs depend on data transfer, reserved/committed use discounts, and actual usage patterns. All three providers offer significant discounts for 1–3 year commitments (20–40% savings).
Cost verdict: GCP is modestly cheaper at list price, primarily driven by storage and compute pricing. AWS and Azure are comparable. For most healthcare SaaS companies, the cost differences are less significant than operational factors — team expertise, managed services availability, and ecosystem fit.
Where costs diverge significantly:
- Heavy ML/AI workloads on PHI: GCP (Vertex AI, Healthcare NLP) tends to be cost-competitive
- Hybrid environments with on-premises healthcare systems: Azure (ExpressRoute + Active Directory) often wins on operational cost
- Pure AWS shops adding healthcare: staying on AWS avoids migration and retraining costs
Recommendation by Company Size and Use Case
Early-Stage Healthcare SaaS (Under 20 Employees)
Recommendation: AWS
Rationale: AWS has the largest managed services ecosystem, the most compliance tooling documentation, and the broadest pool of engineers with AWS experience. For a small team, the operational overhead of running a compliant cloud environment is lowest on AWS due to managed service coverage. Startups also benefit from AWS Activate credits, which can significantly offset early infrastructure costs.
If you're building FHIR-based interoperability from day one: consider GCP's Healthcare API, which is purpose-built and significantly simpler than building FHIR endpoints on raw AWS infrastructure.
Services to prioritize from day one:
- Enable CloudTrail in all regions immediately
- Enable GuardDuty for threat detection
- Use RDS with encryption enabled (not optional)
- Implement S3 bucket policies blocking public access
- Enable Macie for PHI detection in S3
Growth-Stage Healthcare SaaS (20–200 Employees)
Recommendation: AWS for most; GCP if healthcare data interoperability is core
At this stage, your choice is increasingly driven by what your EHR partners and health system customers use. Most large EHR vendors (Epic, Cerner/Oracle Health, athenahealth) have the deepest integrations with either Azure (Epic prefers Azure) or AWS. Ask your target enterprise customers which cloud they prefer for data exchange before finalizing your stack.
Azure consideration: If you're targeting large health systems that run Epic, Azure is the preferred cloud for Epic integrations. The combination of Azure Health Data Services + FHIR API + Active Directory is a meaningful advantage when your customer's IT team is already running Azure AD.
GCP consideration: If your product involves significant data analytics, ML models on clinical data, or population health analytics, GCP's BigQuery + Vertex AI + Healthcare NLP combination is more mature and cost-effective than equivalent AWS or Azure approaches.
Enterprise Healthcare Technology (200+ Employees)
Recommendation: Multi-cloud strategy based on customer requirements
At enterprise scale, customer requirements drive cloud selection more than any internal preference. Large health systems often mandate specific clouds. Multi-cloud capability — running on AWS, Azure, or GCP based on customer environment — is increasingly a competitive differentiator in enterprise healthcare sales.
For your core platform: choose based on where your engineering team has deepest expertise and where your primary customers are concentrated.
For compliance tooling: Azure Defender for Cloud with its built-in HIPAA regulatory compliance dashboard is worth evaluating even if Azure isn't your primary platform, as it provides the clearest ongoing compliance posture visibility.
Common HIPAA Cloud Misconfigurations (All Providers)
The BAA is in place. The architecture is on HIPAA-eligible services. These are still the most common compliance failures:
1. PHI in non-covered services. A developer uses a logging service or analytics tool not on the HIPAA-covered list, and it captures PHI from request parameters or payload data. Audit your entire data flow — not just storage services.
2. Unencrypted S3 buckets / Blob Storage / Cloud Storage. Encryption at rest must be enabled explicitly on storage services. New accounts default to encryption on some providers, but older accounts and services may not.
3. Incomplete audit logging. CloudTrail is enabled, but it is not collecting data events (S3 object-level access), which must be switched on separately from management events. This leaves PHI reads and writes unlogged.
4. No log retention enforcement. HIPAA requires audit log retention for 6 years. Few teams configure explicit retention policies from day one.
5. Overprivileged IAM roles. Developer convenience roles with wildcard permissions on production resources. PHI access should follow least privilege — specific roles for specific functions.
6. Backup encryption inconsistency. The production database is encrypted, but its automated backups are not, or backup snapshots are stored in a different account without equivalent controls.
7. Disaster recovery environment not covered. DR infrastructure in a second region or account created ad-hoc without the same compliance configurations as production.
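As an added example (not code from the article or from any provider's tooling), the following Python script checks a constructed snapshot of an AWS account against the day-one list above and several of these seven failures: a multi-region CloudTrail with S3 data events, S3 Block Public Access and default encryption, log group retention, and wildcard IAM grants. The snapshot's shape, the `archived_to_s3` field and every value in it are assumptions, so it runs offline without AWS credentials.

```python
# Added example (not the article's code). SNAPSHOT is constructed data shaped loosely like the
# output of `aws cloudtrail get-event-selectors`, `s3api get-public-access-block`,
# `s3api get-bucket-encryption` and `logs describe-log-groups`; "archived_to_s3" is a
# hypothetical field standing in for a log export or subscription, not a real API field.
SIX_YEARS_DAYS = 2192  # a valid CloudWatch Logs retention setting equal to 6 years
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

SNAPSHOT = {  # constructed: deliberately contains several of the failures listed above
    "trails": [{"Name": "main", "IsMultiRegionTrail": True,
                "EventSelectors": [{"ReadWriteType": "All", "DataResources": []}]}],
    "buckets": {
        "phi-records": {"PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True), "SSEAlgorithm": "aws:kms"},
        "exports": {"PublicAccessBlock": {**dict.fromkeys(PAB_FLAGS, True), "IgnorePublicAcls": False},
                    "SSEAlgorithm": None},
    },
    "log_groups": [{"logGroupName": "/app/api", "retentionInDays": 90, "archived_to_s3": True},
                   {"logGroupName": "/app/worker", "retentionInDays": 30, "archived_to_s3": False},
                   {"logGroupName": "/app/debug"}],  # no retentionInDays: never expires, never reviewed
    "iam_policies": {
        "dev-convenience": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "api-role": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": "arn:aws:s3:::phi-records/*"}]},
    },
}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _has_s3_data_events(trail):
    # Object-level S3 access is logged only if an AWS::S3::Object data resource is selected.
    return any(r.get("Type") == "AWS::S3::Object"
               for sel in trail.get("EventSelectors", []) for r in sel.get("DataResources", []))

def check_snapshot(snap):
    findings = []  # sorted list of strings; an empty list means nothing was detected
    trails = snap.get("trails", [])
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("cloudtrail: no multi-region trail")
    if not any(_has_s3_data_events(t) for t in trails):
        findings.append("cloudtrail: S3 object-level data events not collected")
    for name, b in snap.get("buckets", {}).items():
        missing = [f for f in PAB_FLAGS if not b.get("PublicAccessBlock", {}).get(f)]
        if missing:
            findings.append(f"s3:{name}: public access block incomplete ({', '.join(missing)})")
        if not b.get("SSEAlgorithm"):
            findings.append(f"s3:{name}: no default encryption")
    for g in snap.get("log_groups", []):
        if "retentionInDays" not in g:
            findings.append(f"logs:{g['logGroupName']}: no explicit retention policy")
        elif g["retentionInDays"] < SIX_YEARS_DAYS and not g.get("archived_to_s3"):
            findings.append(f"logs:{g['logGroupName']}: retention below 6 years and no archive")
    for name, pol in snap.get("iam_policies", {}).items():
        if any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
               and "*" in _as_list(s.get("Resource")) for s in pol.get("Statement", [])):
            findings.append(f"iam:{name}: Allow * on * (overprivileged)")
    return sorted(findings)
```

Run `check_snapshot(SNAPSHOT)` to see six findings from the constructed account; the same checks apply to a real snapshot once the live API output is mapped onto this shape.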
Getting Your HIPAA Cloud Architecture Right
Whether you're choosing a cloud provider for the first time or evaluating a migration, the architectural decisions you make in the first 90 days are the most expensive to change later.
A properly configured HIPAA cloud environment on any of the three providers includes: BAA executed, covered services only for PHI workloads, encryption enforced across storage and transit, comprehensive audit logging with retention policies, least-privilege IAM, threat detection enabled, and backup with equivalent security controls.
The managed cloud service details — including HIPAA-compliant architecture templates for AWS, GCP, and Azure — are covered in our Managed Cloud service. If you're evaluating providers and want a technical assessment of your current environment or architecture, book a free infrastructure review and we'll evaluate your specific workload against HIPAA requirements and provide a recommendation based on your team, customers, and technical stack.