HIPAA-regulated cloud migration is one of the two most common compliance overlays on cloud migration cost (FedRAMP is the other). The compliance overhead is meaningful but tractable: roughly 15 to 25 percent premium on per-workload migration cost, plus a 10 to 20 percent ongoing premium on steady-state cloud cost. This page is the 2026 cost reference for HIPAA cloud migration.
HIPAA (the US Health Insurance Portability and Accountability Act) regulates the use and disclosure of Protected Health Information (PHI). For cloud workloads handling PHI, there are three primary requirements: a Business Associate Agreement (BAA) between the covered entity and the cloud provider, technical safeguards (encryption, access control, audit logging) meeting the Security Rule, and administrative safeguards (risk analysis, workforce training, incident response). Physical safeguards for the data centre itself are the provider's obligation under the BAA.
The US Department of Health and Human Services (HHS) Office for Civil Rights published cloud computing guidance in 2016 that explicitly permits PHI storage in cloud, provided the BAA is in place and the safeguards are implemented. The guidance is on the public HHS HIPAA cloud computing page. The compliance work for cloud migration is in the design discipline, not in a prohibition on cloud.
All three major hyperscalers will sign a BAA with HIPAA-covered entities. Each publishes a list of services that fall within the BAA scope. Workload design must constrain itself to BAA-eligible services for PHI-handling components; non-PHI components (development, analytics on de-identified data, supporting infrastructure) can use any service. The caveat is that "de-identified" means de-identified under 45 CFR 164.514 (Safe Harbor or Expert Determination); a dataset that merely has names stripped is still PHI, and a component that touches it is in scope.
Hyperscaler HIPAA BAA scope (May 2026)
| Hyperscaler | BAA available | Eligible service count | Reference |
|---|---|---|---|
| AWS | Yes, via AWS Business Associate Addendum | 150+ eligible services | AWS HIPAA Eligible Services page |
| Azure | Yes, via the Microsoft Product Terms (formerly the Online Services Terms) | 140+ eligible services | Azure HIPAA / HITECH offering page |
| Google Cloud | Yes, via Google Cloud BAA | 120+ eligible services | Google Cloud HIPAA compliance page |
The BAA process itself has no direct cost; the BAA is included with the cloud subscription for eligible customers. The cost overhead arrives in the discipline required to constrain workload design to BAA-eligible services and to validate the constraint at deployment time.
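One way to validate the BAA-eligible constraint at deployment time is a policy check in the CI pipeline over the Terraform plan. The script below is an added example, not AWS or HashiCorp tooling: it reads the JSON that `terraform show -json` emits, maps each AWS resource type to a service name, and fails any resource tagged `phi=true` whose service is not on the allowlist. `BAA_ELIGIBLE`, `TYPE_TO_SERVICE` and `SAMPLE_PLAN` are constructed for the example; the allowlist is an illustrative subset, not the AWS HIPAA Eligible Services list, so a resource it flags is flagged only because its service is absent from this subset, which says nothing about that service's real BAA status.

```python
"""Gate a Terraform plan on a BAA-eligible service allowlist.

Added example, not AWS or HashiCorp tooling. Reads `terraform show -json`
output, maps each AWS resource type to a service name, and fails any
resource tagged phi=true whose service is not on the allowlist.
BAA_ELIGIBLE is a constructed subset for illustration, not the published
AWS HIPAA Eligible Services list: load the real list and re-review it on
every provider update.
"""
import json

# Constructed subset for illustration; replace with the published list.
BAA_ELIGIBLE = {"ec2", "s3", "rds", "kms", "cloudtrail", "lambda", "dynamodb"}

# Terraform type names do not always carry the AWS service in their second
# token (aws_instance is EC2, aws_db_instance is RDS), so map those
# explicitly and fall back to the token for the regular cases.
TYPE_TO_SERVICE = {
    "aws_instance": "ec2",
    "aws_security_group": "ec2",
    "aws_vpc": "ec2",
    "aws_db_instance": "rds",
    "aws_db_subnet_group": "rds",
    "aws_cloudtrail": "cloudtrail",
}


def service_for(resource_type: str) -> str:
    if resource_type in TYPE_TO_SERVICE:
        return TYPE_TO_SERVICE[resource_type]
    parts = resource_type.split("_", 2)  # aws_s3_bucket -> s3
    return parts[1] if len(parts) > 1 else resource_type


def phi_tag(after: dict):
    """True/False for an explicit phi tag, None if the tag is absent."""
    tags = after.get("tags_all") or after.get("tags") or {}
    if "phi" not in tags:
        return None
    return str(tags["phi"]).lower() == "true"


def check_plan(plan: dict) -> dict:
    """Return violations (PHI resource on a non-eligible service) and
    untagged resources (no phi tag, so a reviewer must classify them)."""
    violations, untagged = [], []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") in (["delete"], ["no-op"]):
            continue  # nothing new reaches the cloud
        after = change.get("after") or {}
        svc = service_for(rc["type"])
        phi = phi_tag(after)
        if phi is None:
            untagged.append(rc["address"])
        elif phi and svc not in BAA_ELIGIBLE:
            violations.append((rc["address"], svc))
    return {"violations": violations, "untagged": untagged}


# Constructed plan fragment in `terraform show -json` shape.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.phi_store", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"tags": {"phi": "true"}}}},
        {"address": "aws_db_instance.emr", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"tags": {"phi": "true"}}}},
        # Flagged only because "lightsail" is absent from the constructed
        # allowlist above; this is not a statement about its real status.
        {"address": "aws_lightsail_instance.analytics", "type": "aws_lightsail_instance",
         "change": {"actions": ["create"], "after": {"tags": {"phi": "true"}}}},
        {"address": "aws_kms_key.main", "type": "aws_kms_key",
         "change": {"actions": ["create"], "after": {"description": "phi key"}}},
        {"address": "aws_s3_bucket.old_logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    result = check_plan(plan)
    for address, svc in result["violations"]:
        print(f"FAIL {address}: service {svc} not BAA-eligible")
    for address in result["untagged"]:
        print(f"WARN {address}: no phi tag, classify before merge")
    sys.exit(1 if result["violations"] else 0)
```

Run it as `python check_plan.py tfplan.json` after `terraform show -json tfplan > tfplan.json`; untagged resources are warnings rather than failures so that the pipeline forces a classification decision without blocking non-PHI infrastructure.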
The 15 to 25 percent HIPAA compliance premium is not a single line item; it is a premium applied across multiple line items in the migration cost build. The decomposition for a typical mid-market HIPAA-regulated migration:
HIPAA compliance overhead by line item, mid-market migration
| Line item | Non-regulated cost | HIPAA cost | Premium | Notes |
|---|---|---|---|---|
| Assessment and discovery | $75K | $120K | +60% | PHI discovery, data classification, BAA scope mapping |
| Architecture and design | $50K | $95K | +90% | BAA-eligible service selection, encryption design, access control |
| Migration labour (per workload) | $5,500 | $7,000 | +27% | Documentation, validation, audit trail |
| Tooling (MGN, ASR, DMS) | $30K | $40K | +33% | HIPAA-compliant configuration, additional logging |
| Network and security | $110K | $170K | +55% | Network segmentation for PHI, private endpoints |
| Identity and access management | $60K | $100K | +67% | Just-in-time access, audit, role review |
| Compliance documentation | $15K | $120K | +700% | Policies, procedures, risk assessment, evidence |
| Third-party audit / HITRUST | $0 | $80K to $400K | n/a | Recurring; first year typically higher (HITRUST i1 is annual, r2 runs a two-year cycle with an interim assessment) |
| Staff training (HIPAA workforce training) | $5K | $25K | +400% | HIPAA-specific training plus standard |
| Contingency | +15% | +20% | +33% | Higher compliance contingency |
| Overall typical premium | Baseline | Baseline + 15 to 25% | n/a | Excluding HITRUST one-time |
Encryption and key management
HIPAA does not mandate specific encryption algorithms; encryption is an addressable implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) at rest and 164.312(e)(2)(ii) in transit), which means it must be implemented or the decision not to documented with the equivalent control. The practical interpretation across the industry is AES-256 for data at rest and TLS 1.2 or 1.3 for data in transit. The major cloud providers apply both by default on most storage services, with a few that still require opting in (AWS EBS default encryption is a per-region setting, for example), so the check at design time is that every PHI-bearing store actually has encryption on rather than assumed. The compliance work is not in the encryption algorithm itself; it is in the key management discipline.
The three common patterns for HIPAA key management on cloud. First, keys held in the provider's key management service (AWS KMS, Azure Key Vault, Google Cloud KMS), backed by provider-controlled HSMs. This is the lowest-friction pattern and the one most healthcare organisations use; the BAA covers the key management service. Second, customer-managed keys in dedicated cloud-hosted HSMs (AWS CloudHSM, Azure Dedicated HSM or Managed HSM, Google Cloud HSM). This adds customer control over key lifecycle at additional cost (typically $1,000 to $2,500 per HSM per month for the dedicated options; Google Cloud HSM is priced per key version rather than per HSM). Third, keys that never leave a customer-operated key manager (AWS External Key Store, Google Cloud External Key Manager), where the cloud service calls out to the customer's HSM for every cryptographic operation. This is the highest-control pattern and the most operationally complex: an outage of the external key manager is an outage of every service encrypted under it. Note that BYOK into Azure Key Vault Premium is not this third pattern: the key material is generated on the customer's HSM but then lives in the provider's HSM, so operationally it belongs with the second.
For most mid-market HIPAA workloads, cloud-provider-managed keys with standard KMS are sufficient and the most cost-effective. The exception is organisations with specific regulatory or legal-counsel-driven requirements for customer key control, where the additional HSM cost is justified.
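The "key management discipline" the page refers to is concrete enough to audit. The script below is an added example, not AWS tooling: it takes records shaped like the merged responses of boto3 `kms.describe_key`, `get_key_rotation_status` and `get_key_policy` (constructed inline here so it runs offline; in production populate them from those calls) and reports, for each customer-managed key, whether automatic rotation is off, whether any Allow statement names the wildcard principal without a Condition, and whether a principal from another account is granted access without a Condition. Account IDs, key IDs, role names and the `SAMPLE_KEYS` list are placeholders constructed for the example.

```python
"""Audit customer-managed KMS keys that protect PHI.

Added example, not AWS tooling. Each record merges the boto3
kms.describe_key KeyMetadata, the get_key_rotation_status flag and the
get_key_policy document (a JSON string); SAMPLE_KEYS is constructed so the
script runs offline. Checks: automatic rotation on, no Allow statement for
the wildcard principal without a Condition, and no cross-account principal
without a Condition (for example kms:ViaService or aws:PrincipalOrgID).
"""
import json


def _principals(stmt: dict) -> list:
    """Normalise the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return [vals] if isinstance(vals, str) else list(vals)


def _account_of(principal_arn: str) -> str:
    # arn:aws:iam::111122223333:role/x -> 111122223333
    parts = principal_arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def audit_key(key: dict) -> list:
    """Return a list of finding strings for one key record."""
    meta = key["KeyMetadata"]
    findings = []
    if meta.get("KeyManager") == "AWS":
        return findings  # AWS-managed key: policy and rotation are AWS-controlled
    if not key.get("KeyRotationEnabled", False):
        findings.append("automatic rotation disabled")
    policy = json.loads(key["Policy"])
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        has_condition = bool(stmt.get("Condition"))
        for p in _principals(stmt):
            if p == "*" and not has_condition:
                findings.append(f"{sid}: wildcard principal without Condition")
            elif p != "*" and _account_of(p) != meta["AWSAccountId"] and not has_condition:
                findings.append(f"{sid}: cross-account principal {p} without Condition")
    return findings


def audit_keys(keys: list) -> dict:
    """Map key ID -> findings for every key record."""
    return {k["KeyMetadata"]["KeyId"]: audit_key(k) for k in keys}


def _policy(*statements: dict) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Placeholder account: the usual key-administration root statement.
ROOT = {"Sid": "EnableIAM", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*", "Resource": "*"}

# Constructed records; account IDs, key IDs and role names are placeholders.
SAMPLE_KEYS = [
    {   # Well-configured PHI key: rotation on, app role scoped via S3 only
        "KeyMetadata": {"KeyId": "phi-data-key", "AWSAccountId": "111122223333",
                        "KeyManager": "CUSTOMER"},
        "KeyRotationEnabled": True,
        "Policy": _policy(ROOT, {
            "Sid": "AppDecrypt", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/emr-app-role"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}),
    },
    {   # Rotation off, wildcard grant, unconstrained cross-account grant
        "KeyMetadata": {"KeyId": "legacy-key", "AWSAccountId": "111122223333",
                        "KeyManager": "CUSTOMER"},
        "KeyRotationEnabled": False,
        "Policy": _policy(
            ROOT,
            {"Sid": "AnyoneDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "kms:Decrypt", "Resource": "*"},
            {"Sid": "PartnerDecrypt", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::999988887777:role/partner"},
             "Action": "kms:Decrypt", "Resource": "*"}),
    },
]

if __name__ == "__main__":
    for key_id, findings in audit_keys(SAMPLE_KEYS).items():
        print(key_id, "OK" if not findings else "; ".join(findings))
```

The output of this audit is exactly the evidence an assessor asks for under the key-management line of the compliance documentation: which keys protect PHI, who can use them, and under what conditions.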
HIPAA's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems containing electronic PHI. The volume and retention of these logs significantly exceeds typical non-regulated workloads. AWS CloudTrail data events, Azure Monitor diagnostic logs, and Google Cloud Data Access audit logs (off by default for most services and enabled per service) capture storage- and API-level access with enough detail to support post-incident investigation. They do not see which patient record a clinician opened inside the EMR, so application and database audit logs are part of the same requirement and must be retained to the same standard. Retention is typically 6 years: that is HIPAA's documentation retention period (164.316(b)(2)(i)), and the common practice is to apply it to audit logs as well.
The cost impact for a typical 100-server HIPAA migration: additional CloudTrail or Audit Log data events typically generate 5 to 50 GB per server per month, costing $50 to $500 per server per month at list rates. Note the billing mechanics differ by layer: CloudTrail data events are charged per recorded event, while log storage and SIEM ingestion are charged per GB, so the per-server figure is a blend. SIEM integration (Splunk, Sentinel, Chronicle, Sumo Logic) for HIPAA-required monitoring typically adds $30K to $150K per year on top of existing security monitoring. Long-term retention to a cheaper storage tier (S3 Glacier, Azure Archive) typically saves 60 to 80 percent of the storage cost over the 6-year window, provided the archived logs stay queryable for investigation within an acceptable retrieval time.
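What the SIEM integration above actually does with the data events is illustrated by the following added example, which is not AWS tooling or any vendor's rule set. It reads CloudTrail records in the `Records` array format CloudTrail writes to S3, keeps S3 data events against PHI buckets, and flags three conditions a HIPAA monitoring rule would care about: a principal outside the allowed access set, a request that did not arrive through the expected VPC endpoint, and any mutating operation on PHI objects. The bucket names, role names, VPC endpoint ID and the `SAMPLE_LOG` records are constructed for the example.

```python
"""Flag PHI object access in CloudTrail S3 data events.

Added example, not AWS tooling. Reads CloudTrail records (the `Records`
array CloudTrail delivers to S3), keeps S3 data events on the PHI buckets,
and flags: a principal outside the allowed role set, a request that did
not come through the expected VPC endpoint, and any non-read operation.
PHI_BUCKETS, ALLOWED_ROLES, EXPECTED_VPCE and SAMPLE_LOG are constructed.
"""
import json
from collections import Counter

PHI_BUCKETS = {"emr-phi-prod"}
ALLOWED_ROLES = {"emr-app-role", "phi-break-glass"}
EXPECTED_VPCE = "vpce-0123456789abcdef0"
READ_EVENTS = {"GetObject", "HeadObject", "ListObjects", "ListObjectsV2"}


def principal_name(identity: dict) -> str:
    """Role name for assumed-role sessions, else the user name or type."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole":
        # arn:aws:sts::111122223333:assumed-role/<role>/<session>
        return arn.split("/")[1] if "/" in arn else arn
    return identity.get("userName") or identity.get("type", "unknown")


def review_records(records: list) -> dict:
    """Return flagged events and a per-principal access count for PHI buckets."""
    findings = []
    by_principal = Counter()
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if bucket not in PHI_BUCKETS:
            continue
        who = principal_name(r.get("userIdentity", {}))
        by_principal[who] += 1
        reasons = []
        if who not in ALLOWED_ROLES:
            reasons.append(f"principal {who} not in PHI access set")
        if r.get("vpcEndpointId") != EXPECTED_VPCE:
            reasons.append(f"request from {r.get('sourceIPAddress')} not via VPC endpoint")
        if r.get("eventName") not in READ_EVENTS:
            reasons.append(f"mutating operation {r.get('eventName')}")
        if reasons:
            findings.append((r.get("eventID"), who, reasons))
    return {"findings": findings, "by_principal": by_principal}


# Constructed records in CloudTrail's delivered-file shape (fields trimmed).
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/emr-app-role/i-0abc"},
  "sourceIPAddress": "10.20.1.15", "vpcEndpointId": "vpce-0123456789abcdef0",
  "requestParameters": {"bucketName": "emr-phi-prod", "key": "records/2026/p-1001.json"}},
 {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "userName": "contractor1",
                   "arn": "arn:aws:iam::111122223333:user/contractor1"},
  "sourceIPAddress": "203.0.113.7",
  "requestParameters": {"bucketName": "emr-phi-prod", "key": "records/2026/p-1001.json"}},
 {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/emr-app-role/i-0abc"},
  "sourceIPAddress": "10.20.1.15", "vpcEndpointId": "vpce-0123456789abcdef0",
  "requestParameters": {"bucketName": "app-static-assets", "key": "css/main.css"}},
 {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/phi-break-glass/ops"},
  "sourceIPAddress": "10.20.1.40", "vpcEndpointId": "vpce-0123456789abcdef0",
  "requestParameters": {"bucketName": "emr-phi-prod", "key": "records/2026/p-1002.json"}}
]}""")

if __name__ == "__main__":
    result = review_records(SAMPLE_LOG["Records"])
    for event_id, who, reasons in result["findings"]:
        print(event_id, who, "; ".join(reasons))
    print(dict(result["by_principal"]))
```

The same three conditions translate directly into SIEM correlation rules; the per-principal counter is the input to the periodic access review the Security Rule's information system activity review expects, and the mutating-operation flag is what catches a break-glass role being used for something other than reading.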
A representative cost build for a HIPAA-regulated healthcare cloud migration: 100 servers including an electronic medical record (EMR) system, claims processing, patient portal, telehealth infrastructure, and supporting services. 25 TB of data including 8 TB of PHI. AWS destination. 14-month programme.
Worked HIPAA cloud migration cost build, 100 servers, AWS, 14 months
| Cost line | Low estimate | Typical estimate | High estimate |
|---|---|---|---|
| Assessment, PHI discovery, BAA scope mapping | $70,000 | $120,000 | $250,000 |
| Wave planning and PMO (14 months) | $220,000 | $340,000 | $500,000 |
| Migration labour, 90 workloads, HIPAA premium | $700,000 | $1,400,000 | $2,520,000 |
| AWS MGN tooling (HIPAA-compliant config) | $10,000 | $18,000 | $30,000 |
| AWS DMS for 5 databases (HIPAA-compliant) | $2,500 | $5,500 | $11,000 |
| AWS Snowball Edge with end-to-end encryption | $10,000 | $18,000 | $30,000 |
| AWS Direct Connect (14 months, 500 Mbps) | $30,000 | $55,000 | $95,000 |
| Parallel running, 6 months blended (PHI environments) | $420,000 | $870,000 | $1,470,000 |
| Cutover and downtime contingency (per wave) | $60,000 | $140,000 | $370,000 |
| AWS Enterprise Support (14 months) | $130,000 | $200,000 | $260,000 |
| HIPAA workforce training (40 staff) | $15,000 | $30,000 | $60,000 |
| Security rework (IAM, VPC, encryption, KMS) | $80,000 | $180,000 | $420,000 |
| HIPAA-specific monitoring (SIEM integration) | $50,000 | $110,000 | $240,000 |
| Compliance documentation and policies | $45,000 | $110,000 | $280,000 |
| HITRUST initial certification (one-time) | $80,000 | $220,000 | $400,000 |
| Risk assessment (HIPAA-specific) | $20,000 | $45,000 | $100,000 |
| Source decommission with HIPAA data destruction | $15,000 | $35,000 | $70,000 |
| Contingency at 20 percent | $390,000 | $770,000 | $1,400,000 |
| AWS MAP partner funding (healthcare track) | ($350,000) | ($550,000) | ($950,000) |
| Net HIPAA estimate | $1,997,500 | $4,116,500 | $7,556,000 |
The typical-column number, $4.1M for a 100-server HIPAA migration over 14 months, is roughly 43 percent higher than the equivalent non-regulated 100-server scenario ($2.87M). The premium decomposes into the HIPAA-specific lines (HITRUST $220K, HIPAA monitoring $110K, compliance documentation $110K, HIPAA-specific training $30K, risk assessment $45K = $515K) plus the premium applied across other lines (~$730K), with the 20 percent contingency taken on top of both. HITRUST is the single largest discrete addition, but removing it and its contingency share ($264K in total) still leaves this scenario about 34 percent above baseline, above the 15 to 25 percent headline range. The difference is scoping: this build applies the HIPAA premium to all 90 workloads and runs the full six-month parallel period on PHI environments. Programmes that land in the 15 to 25 percent range get there by scoping PHI tightly so that most workloads take the non-regulated rate, and by treating HITRUST as a separate decision rather than a default line.
HIPAA cloud migration is tractable and well-supported by all three major hyperscalers. The 15 to 25 percent compliance overhead is real but bounded. The teams that succeed at HIPAA migration cost are the ones that scope PHI precisely (so non-PHI components avoid the overhead), use standard hyperscaler patterns (rather than building custom HIPAA-specific architecture), and apply HITRUST deliberately rather than by default. The compliance work is the cost; the technology is largely the same as non-regulated cloud migration.
A. HIPAA-compliant migrations typically cost 15 to 25 percent more than equivalent non-regulated migrations. The premium covers Business Associate Agreement (BAA) scope validation, encryption design for data at rest and in transit, access control overlay, audit logging configuration, BAA-eligible service selection, and additional documentation. A 100-server HIPAA-regulated migration that would cost $2.5M unregulated typically costs $2.9M to $3.1M with HIPAA scope.
A. Yes. All three major hyperscalers sign Business Associate Agreements with HIPAA-covered entities and offer a defined list of HIPAA-eligible services. Not all services are HIPAA-eligible: each hyperscaler publishes a list of services covered by their BAA. AWS publishes the list on the AWS HIPAA Eligible Services page; Azure publishes on the Azure HIPAA compliance offering page; Google publishes on the Google Cloud HIPAA compliance page. Workload design must constrain itself to BAA-covered services.
A. HITRUST CSF (Common Security Framework) is a certification framework that incorporates HIPAA controls plus broader security requirements. HITRUST certification is voluntary but increasingly required by healthcare partners. Initial HITRUST certification typically costs $80K to $400K depending on scope and includes a multi-month assessment by a HITRUST-approved external assessor. The r2 certification is valid for two years with an interim assessment at the one-year mark; the lighter i1 assessment is annual. For organisations operating multiple HIPAA-regulated workloads on cloud, HITRUST certification is often the most cost-effective approach to satisfy multiple counterparty assurance requirements, because one assessment replaces a separate questionnaire or audit per counterparty.
A. HIPAA does not mandate specific encryption algorithms; encryption is an addressable implementation specification under the Security Rule. The practical interpretation is AES-256 for data at rest and TLS 1.2 or 1.3 for data in transit. AES-256 at rest is the default for AWS KMS-backed services, Azure Storage Service Encryption and Google Cloud's default encryption, and TLS 1.2 or later is enforced on the providers' service endpoints. The compliance work is not in the encryption itself; it is in documenting key management, key rotation, and access control around the encryption, and in confirming that the few services where encryption is opt-in have it enabled for PHI stores.
A. Yes, provided the cloud provider has executed a Business Associate Agreement with the covered entity, the workload is designed using BAA-eligible services, and the access controls and audit logging meet HIPAA requirements. HHS has explicitly permitted cloud storage of Protected Health Information (PHI) since at least 2016 in their cloud computing guidance. The compliance work is in the design discipline, not in a prohibition on cloud.
A. Steady-state HIPAA-compliant operations typically add 10 to 20 percent to ongoing cloud cost. The premium covers: dedicated security operations (SOC analyst time for HIPAA-specific monitoring), additional logging and SIEM costs (audit trail retention requirements), encryption key management overhead, periodic risk assessments, and annual third-party audits or HITRUST reassessments. Healthcare organisations that operate at scale typically absorb this premium into their broader compliance operations rather than tracking it per-workload.
Related pages: FedRAMP migration cost (another regulated workload class); On-prem to AWS (MAP, EC2, Snowball); On-prem to Azure (Hybrid Benefit, FastTrack); On-prem to GCP (sustained-use, BigQuery); 100-server worked scenario (non-regulated baseline); SQL Server to RDS (common HIPAA workload); Strategy cost tables (7Rs framework); 10 hidden costs (detailed playbook).
Updated 2 May 2026