by Urist-Green 1059 days ago
Not a lawyer, but my understanding is the main issue with healthcare services on the cloud is auditing physical access to the machines. If any questions come up, then the service provider "should" be able to tell a court exactly where a healthcare company's data is and what technicians had access at different times. Microsoft, Google, etc. are still totally happy to sell that service, but there is a separate legal agreement that has to be signed to say "we care about healthcare privacy".

Specifically, you have to get them to sign a HIPAA Business Associate Agreement (BAA). The good news is that Amazon makes this an automated process in their compliance portal, so you can knock that out in 5 minutes and then go on with the rest of the planning.
Also worth noting that not every resource and instance type is covered by a BAA so there’s a bit more to it than just signing an agreement and doing whatever you want.

The responsibility remains with the user rather than the cloud provider to ensure compliance, but they will do their part if you set things up correctly.