The Most Common HIPAA Cloud Mistakes — and How to Avoid Them

WHITE PAPER

[Updated August, 2025]

Introduction

If you’re a healthcare covered entity or business associate, you’re likely no
stranger to healthcare compliance and HIPAA cloud risk. By now, you should be
well-versed in understanding that the law mandates your organization protect
the confidentiality, integrity, and availability of all of the electronic protected health
information (ePHI) your organization creates, receives, maintains, or transmits.

But what exactly does that mean?

For ePHI, confidentiality means your organization has controls to ensure the
information isn’t exposed to those who shouldn’t access it. Integrity means
that ePHI cannot be altered or destroyed in an unauthorized manner. Availability means
the ePHI is readily accessible according to its authorized use.

Many organizations fall short of hitting the mark on the full scope of HIPAA
requirements, especially as they relate to HIPAA Security Rule risk analysis and
risk management practices.

In the first half of 2025, the U.S. Department of Health and Human Services’ Office
for Civil Rights (OCR) announced multiple enforcement actions highlighting
ongoing concerns about inadequate risk analysis among cloud-based healthcare
service providers. Each case involved a ransomware breach and underscored
the critical importance of comprehensive risk analysis under the HIPAA Security
Rule. These settlements demonstrate OCR’s continued focus on cloud vendors
and the growing expectation that they implement robust safeguards for
electronic protected health information (ePHI).

2025 OCR Enforcement Actions Involving Cloud Services

Elgon, Inc.
OCR found the cloud-based EHR/billing provider failed to conduct
an accurate and thorough risk analysis, contributing to a ransomware
breach affecting 31,248 individuals.
Settlement: $80,000, announced Jan 7, 2025
Source: https://www.hipaajournal.com/80k-hipaa-settlement-elgoninformation-systems/

Virtual Private Network Solutions, LLC
OCR’s announcement describes a ransomware incident within the cloud
service provider’s infrastructure that resulted in 6,400 ePHI
records being exposed. Deficient risk analysis was cited in
the settlement announcement.
Settlement: $90,000, announced January 8, 2025
Source: https://www.hipaajournal.com/ocr-settlement-ransomware-riskanalysis-virtual-private-network-solutions/

Comstar, LLC
A cloud-based ambulance billing and hosting service reported a
ransomware breach affecting 585,621 individuals. OCR cited
deficient risk analysis in the settlement.
Settlement: $75,000, issued May 30, 2025

These enforcement actions reinforce the message that all cloud-based vendors
handling ePHI—regardless of size—must implement and maintain a robust, HIPAA-compliant risk management program.

Where Cloud-Aware Risk Analysis Breaks Down

Organizations are HIPAA compliant, not products.

While most organizations have HIPAA basics down by now, not all understand that
in terms of HIPAA compliance, the focus isn’t squarely on systems, products, or
security practices. It’s about being a HIPAA-compliant organization and ensuring
your organizational behaviors meet regulatory requirements regarding controls you
employ.

You should be asking:
Does this security feature satisfactorily contribute to our organization being
HIPAA compliant?


This is because HIPAA compliance goes beyond asset or cloud workload security; it requires that you:

  • Reasonably anticipate threats or hazards that could affect ePHI
  • Protect ePHI against reasonably anticipated non-permitted uses or disclosures
  • Ensure your entire workforce and business associates that create, receive,
    maintain, or transmit ePHI do the same

Working with compliant cloud vendors doesn’t make your organization compliant.
If your organization conducts routine cloud vendor assessments, you should have
insight (via reports, assessments, and attestations) about their third-party security
practices and associated cloud risk.

However, other providers that leverage cloud services and support healthcare
will also require due diligence and a business associate agreement. Each unique agreement should outline what the vendor and the provider need to manage as part of the
shared responsibility model for cloud security.

The proliferation of additional services and software-defined assets in these environments
also brings risk: you must validate that each service you intend to use is supported for
ePHI processing and is covered by the Business Associate Agreement.

Even though your SLA or contract may highlight who does what in a shared responsibility
model, it’s important to understand that ultimately, as the healthcare covered entity, your
organization is responsible for ensuring you’re HIPAA compliant and you’ve protected your
ePHI. Managing HIPAA cloud risk requires attention to these responsibilities.

This also applies across the vendor-provider ecosystem. If a business associate works
with additional third parties that access ePHI, they must be compliant, too. And although
a business associate still has some liability, it doesn’t absolve you of your organization’s
HIPAA requirements, even if you have a third party fully manage all of your security and
privacy practices. You must do due diligence to ensure they take proper steps to protect
your ePHI.

You must conduct periodic HIPAA-compliant risk analysis

45 C.F.R. § 164.308(a)(8) requires periodic technical and non-technical evaluations based on
the Security standards and whenever your environment or organization changes. This isn’t a
one-time assessment and should be an ongoing activity.

A good rule of thumb is to conduct a risk analysis at least once a year, and more frequently if
you have changes. As a best practice, consider working your risk analysis processes into
your operations. Make it part of your organizational culture, the way you do business. This
can help ensure you’re always working toward continuous compliance goals.

Another benefit is your risk analysis can bridge the gap between your compliance and
security teams and your senior executives and board members. By analyzing your risk, you
can draw correlations between your compliance and security programs (effectiveness, gaps,
needs, etc.) and your organization’s overall goals and strategies. It’s an extra layer to support
operational resilience.

Every cloud-aware risk analysis should include nine core elements.
OCR has set forth guidance to help organizations with a proper risk analysis, but the technical specifications once again can be determined by each organization.

However, every risk analysis should include:

1. Analysis scope: All ePHI your organization creates, receives,
maintains, or transmits must be included in the risk analysis, and
must include all cloud systems.

2. Data collection: Identify where ePHI is stored, received, maintained, or
transmitted, and document the methods you used to gather that information.

3. Identify and Document Potential Threats and Vulnerabilities:
Identify and document reasonably anticipated threats to
ePHI. This also includes uncovered shared-responsibility gaps.

4. Assess current security measures: Assess and document
security measures to safeguard ePHI.

5. Determine threat occurrence likelihood: Consider the likelihood
of potential risks to ePHI. These need to include the
threats specific to cloud infrastructure (e.g., lateral movement,
supply chain attacks).

6. Determine threat occurrence potential impact: Consider the
“criticality,” or impact, of potential risks to ePHI confidentiality,
integrity, and availability.

7. Determine risk level: For example, analyze the values assigned to
the likelihood of threat occurrence and the resulting impact.

8. Finalize documentation: Document your risk analysis, but it
doesn’t have to be in a specific format.

9. Periodically review and update your risk assessment: Your risk
analysis process should be ongoing. Employ continuous
risk analysis to identify when you need those updates.

Ensure risk-based ePHI protection

45 C.F.R. § 164.308(a)(1)(ii)(A) says organizations must conduct accurate and
thorough assessments of potential risks and vulnerabilities to the confidentiality,
integrity, and availability of your ePHI.

Unfortunately, many organizations don’t have a great understanding of what
cloud “risk” means in terms of HIPAA mandates. In the simplest terms, a risk
considers the likelihood a threat actor might exploit a vulnerability or security
weakness, which harms your ePHI. Cloud-aware risk means this is extended and
put into context of what it means within a cloud platform.

For there to be a cloud risk (or any risk), you need to assess these three components:

1. An asset: a HIPAA enclave, an ePHI workload, a software-defined
network, or a storage service.

2. A vulnerability: a weakness, misconfiguration, or flaw in a cloud
environment that can be exploited by threat actors to
gain unauthorized access, compromise data integrity,
disrupt availability, or violate security policies.

3. A threat of exploit: the potential for a malicious actor—or
unauthorized process—to take advantage of a known
or unknown vulnerability within a cloud-based system, service, or
configuration to gain access, disrupt operations,
or compromise data.

You must have insight into all of your assets and understand all of your
reasonably anticipated threats so you can effectively assess your risk. As
healthcare’s cloud footprint grows, understanding cloud risk grows in complexity,
and organizations must consider shared responsibilities, ongoing management,
and explicit cloud expertise to assess threat exposure and risk escalations.
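The following is an added example, not part of the original white paper, showing how the nine-element risk analysis above and the asset/vulnerability/threat triple can be captured as a small cloud-aware risk register: each row records the triple plus its current control and shared-responsibility owner, likelihood and impact are rated on an assumed three-point scale, risk level is derived from their product (thresholds are an assumed policy), rows with no owner or no control are surfaced as shared-responsibility gaps, and rows touching a changed asset are flagged for re-rating. The register contents are constructed sample values.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    """Assumed ordinal scale used for both likelihood (element 5) and impact (element 6)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class CloudRisk:
    """One register row: the asset/vulnerability/threat triple plus ratings and ownership."""
    asset: str                  # HIPAA enclave, ePHI workload, SDN, or storage service
    vulnerability: str          # weakness, misconfiguration, or flaw
    threat: str                 # actor or process that could exploit it
    likelihood: Level
    impact: Level
    owner: Optional[str]        # "customer" or "vendor" under shared responsibility; None if unassigned
    control: Optional[str]      # current safeguard (element 4); None if none is documented

def risk_level(likelihood: Level, impact: Level) -> str:
    """Element 7: combine the two ratings into a risk level (assumed thresholds on a 1..9 score)."""
    score = likelihood * impact
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"

def shared_responsibility_gaps(register):
    """Element 3: rows with no owner or no documented control are gaps the BAA must close."""
    return [r for r in register if r.owner is None or r.control is None]

def prioritized(register):
    """Rank rows by score, highest first, so remediation planning starts with the worst exposure."""
    return sorted(register, key=lambda r: r.likelihood * r.impact, reverse=True)

def rows_to_review(register, changed_assets):
    """Element 9: when the environment changes, every row touching a changed asset is re-rated."""
    return [r for r in register if r.asset in changed_assets]

# Constructed sample register (illustrative values only, not from any real assessment)
REGISTER = [
    CloudRisk("ePHI object storage", "bucket policy allows public read", "internet-wide scanning",
              Level.HIGH, Level.HIGH, "customer", None),
    CloudRisk("EHR app tier", "overly permissive IAM role", "lateral movement after phishing",
              Level.MEDIUM, Level.HIGH, "customer", "MFA on console access"),
    CloudRisk("managed database", "hypervisor patching", "supply chain compromise of provider",
              Level.LOW, Level.HIGH, "vendor", "SOC 2 Type II attestation reviewed"),
    CloudRisk("backup vault", "backups not immutable", "ransomware deleting recovery points",
              Level.MEDIUM, Level.MEDIUM, None, None),
]
```

Running `prioritized(REGISTER)` and `shared_responsibility_gaps(REGISTER)` produces the ordered remediation list and the two rows whose ownership or control is still undocumented.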

All ePHI, and ePHI workflows need protection

The general requirements in 45 C.F.R. § 164.306 say that if you’re a healthcare covered entity or
business associate, you must ensure the confidentiality, integrity, and availability
of all ePHI you create, receive, maintain, or transmit.

How can you do that effectively? Comprehensive visibility is key across on-premises and cloud environments. That means you need to know where all your ePHI is, where it flows, and all related dependencies, for example, all your databases, file systems, email systems, and logs.

It’s also necessary to know which asset or service can access that ePHI, who can
access it, and how it’s used. To do so, you’ll need a comprehensive inventory of
your assets, including those that may have been forgotten or reside outside your
primary location or region. Often, organizations think ePHI resides in just one
system or database, but after evaluating dependencies, they discover there are
other assets or systems that need additional security controls.

Give specific attention to your mobile devices and those processes that remotely
connect to your ePHI systems, for example, employing identity and access
management (IAM), access controls, or configuration APIs.

Don’t forget about third-party risks.

Many organizations don’t have good insight into all the risks third-party
relationships introduce to ePHI, especially those in the cloud. Remember,
however, that the cloud is inherently built on third-party services, so they must be
included in your security assessments and evaluations.

If a third party accesses your ePHI, then it falls under HIPAA scope, and you need
a business associate agreement. A few things to keep your eyes on in your cloud environment:

  • Data connections to your ePHI workloads
  • Marketplace products and services
  • Libraries and code dependencies
  • DevOps services within and out of the cloud

Since your cloud vendor won’t likely give you direct visibility into its processes
and infrastructure, be sure to review third-party attestations. If you face an
audit or investigation, you want to confidently say that you’ve looked at those
attestations and ensured the vendor did what it said it would do to protect your
ePHI.

It’s also good practice to keep a list of risk-approved alternative vendors. If you
find your existing third-party vendor is not living up to your compliance and security agreements and won’t take the necessary steps to mitigate or remediate those risks, you’ll want to be prepared to move to another vendor who will.

Key Takeaways

What’s the biggest risk of using the cloud for ePHI?

Misconfigurations—especially in storage, access control, and encryption—are
the most common cause of cloud-based HIPAA violations and breaches.
OCR enforcement has heavily penalized gaps in risk analysis and access
management.

While HIPAA compliance mandates that your organization meet its standards
for risk analysis and risk management practices, whether on-site, in the cloud, or in a
hybrid environment, it’s generally just good business practice.

A cloud-aware risk analysis can help your organization better anticipate and
identify security risks so you can stay ahead of attackers and be well-poised to
ace an OCR audit or respond to an OCR investigation.


The post The Most Common HIPAA Cloud Mistakes — and How to Avoid Them appeared first on Clearwater.
