HIPAA cloud cost

HIPAA cloud cost optimization, without ever touching ePHI.

Healthtech engineering teams pay twice: once to AWS / GCP / Azure for the actual workload, and again in compliance overhead reconciling cost reports against the HIPAA Security Rule. Lumicost ships a real HIPAA evaluator scored against the same evidence used for cost optimization — and a Limited Use data posture that means we never process ePHI, ever. Read-only credentials, tamper-evident audit log, and an honest BAA scope you can hand your privacy officer.

§164.308–.312
HIPAA Security Rule controls evaluated
0 ePHI
Limited Use — only metadata + billing
SHA-256
Tamper-evident audit log per record

The HIPAA Security Rule (45 CFR §164.308 / §164.310 / §164.312) does not care that a tool is 'just optimizing cost': if the tooling can receive, maintain or transmit ePHI from the systems that store or process it, it is in scope and its vendor is a business associate. Most FinOps tools punt on this entirely, leaving the customer to draft a one-off BAA and hope the privacy officer signs. Lumicost's posture is different: we are explicitly Limited Use. We consume cloud configuration metadata (instance shapes, IAM bindings, retention policies) and billing line items, never application traffic, never database contents, never logs that would carry ePHI.

The platform then runs a real HIPAA evaluator against the evidence collected: Information System Activity Review (§164.308(a)(1)(ii)(D)), Workforce Security (§164.308(a)(3)), Information Access Management (§164.308(a)(4)), Security Incident Procedures (§164.308(a)(6)), Evaluation (§164.308(a)(8)), Physical Safeguards (§164.310, the facility controls delegated to your cloud providers), Access Control (§164.312(a)), Audit Controls (§164.312(b)), Integrity (§164.312(c)), Person or Entity Authentication (§164.312(d)) and Transmission Security (§164.312(e)).

How Lumicost delivers HIPAA cloud cost

Real HIPAA Security Rule evaluator, not a checkbox PDF

ComplianceEvaluator.evaluateHipaa() in the backend scores 11 controls across §164.308 (Administrative Safeguards), §164.310 (Physical Safeguards) and §164.312 (Technical Safeguards) against the same evidence collection that powers SOC 2 and ISO 27001. PASS/FAIL/NEEDS_REVIEW per control with the exact evidence row that triggered the verdict — not a PDF with green checkmarks.

Limited Use data handling — we never process ePHI

By construction, Lumicost reads only cloud configuration metadata (EC2 instance shapes, S3 bucket policies, IAM bindings, EKS pod requests, the AWS Cost and Usage Report and GCP Billing Export) and never touches application data planes. No agent in the cluster, no log shipping, no database queries, no object content access. The IAM policies we ask you to grant contain no data-plane read such as `s3:GetObject`, and no wildcard that would imply one. The one thing to check on your side is that resource names, tags and bucket names do not themselves carry patient identifiers, because those strings do appear in configuration metadata. Your ePHI never leaves your boundary.

Tamper-evident audit log per record (§164.312(b) Audit Controls)

Every action, whether a recommendation accepted, a commitment registered, SSO toggled or a SIEM destination changed, is recorded as an append-only AuditEvent with a SHA-256 integrity hash over its core fields. Records are never updated or deleted by application code. A per-record hash proves that a record's fields have not changed since it was written; it does not by itself prove that no record was removed, and anyone with write access to the store could recompute it. That is why, for chain-level immutability, you stream the audit log to Splunk / Datadog / Sumo Logic, where your existing HIPAA retention policy seals it outside the application's reach.
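To make the per-record hash and its limits concrete, here is an added example (not Lumicost's AuditEvent implementation; the field names, the canonical JSON form and the sample events are assumptions made for this illustration). It goes one step beyond the page by also chaining each record to the previous record's hash, which is what turns "this record was not edited" into "no record was removed or reordered":

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Fields covered by the integrity hash. Anything outside this tuple can change
# without disturbing the hash, so every field you need to defend goes in here.
# The field set is an assumption of this example, not Lumicost's schema.
CORE_FIELDS = ("event_id", "tenant_id", "actor", "action", "target",
               "occurred_at", "prev_hash")
GENESIS = "0" * 64  # prev_hash of the first record in a tenant's log


def canonical_bytes(event: Dict[str, object]) -> bytes:
    """Canonical JSON of the core fields: sorted keys, no whitespace, ASCII only,
    so that any serializer (DB trigger, SIEM verifier, this script) agrees."""
    core = {k: event.get(k) for k in CORE_FIELDS}
    return json.dumps(core, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def seal(event: Dict[str, object], prev_hash: Optional[str]) -> Dict[str, object]:
    """Return a copy of `event` carrying prev_hash and its SHA-256 integrity hash."""
    sealed = dict(event)
    sealed["prev_hash"] = prev_hash or GENESIS
    sealed["integrity_hash"] = hashlib.sha256(canonical_bytes(sealed)).hexdigest()
    return sealed


def verify_record(event: Dict[str, object]) -> bool:
    """Per-record check: do the core fields still hash to the stored value?"""
    expected = hashlib.sha256(canonical_bytes(event)).hexdigest()
    return hmac.compare_digest(expected, str(event.get("integrity_hash", "")))


def verify_chain(log: List[Dict[str, object]]) -> Optional[int]:
    """Chain check. Returns the index of the first record that fails (edited,
    or whose prev_hash does not point at its predecessor), or None if clean."""
    prev = GENESIS
    for i, event in enumerate(log):
        if event.get("prev_hash") != prev or not verify_record(event):
            return i
        prev = str(event["integrity_hash"])
    return None


def build_log(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Append-only: each new record is sealed against the last stored hash."""
    log: List[Dict[str, object]] = []
    prev: Optional[str] = None
    for event in events:
        sealed = seal(event, prev)
        log.append(sealed)
        prev = str(sealed["integrity_hash"])
    return log


# Constructed sample events in the spirit of the actions listed above.
SAMPLE_EVENTS = [
    {"event_id": 1, "tenant_id": "t-acme", "actor": "alice@example.com",
     "action": "recommendation.accepted", "target": "rds/db-prod-1",
     "occurred_at": "2024-05-01T10:00:00Z"},
    {"event_id": 2, "tenant_id": "t-acme", "actor": "alice@example.com",
     "action": "sso.enabled", "target": "tenant",
     "occurred_at": "2024-05-01T10:05:00Z"},
    {"event_id": 3, "tenant_id": "t-acme", "actor": "bob@example.com",
     "action": "siem.destination_changed", "target": "splunk-hec",
     "occurred_at": "2024-05-01T10:07:00Z"},
]


def demo() -> Dict[str, object]:
    """Show what each check does and does not catch."""
    log = build_log(SAMPLE_EVENTS)

    # 1. Edit a field in place without touching the hash: both checks catch it.
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "mallory@example.com"

    # 2. Silently drop the middle record: each survivor still verifies on its
    #    own, and only the chain notices that record 3 no longer follows 1.
    deleted = [log[0], log[2]]

    return {
        "clean_chain_ok": verify_chain(log) is None,
        "edited_record_ok": verify_record(edited[1]),
        "edited_chain_first_bad": verify_chain(edited),
        "deleted_each_record_ok": all(verify_record(e) for e in deleted),
        "deleted_chain_first_bad": verify_chain(deleted),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash is unkeyed, so it proves integrity only against actors who cannot rewrite the store themselves. An HMAC under a key the database host never holds, or the external SIEM copy recommended above, is what makes the log tamper-evident against a database administrator as well.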

Read-only multi-cloud connections that pass an InfoSec review

Workload Identity Federation on GCP, an IAM role assumed with a per-tenant external ID on AWS (the external ID is the standard confused-deputy guard for a vendor-assumed cross-account role), and an App Registration on Azure: no service-account keys, no static credentials, no write paths. The IAM policies are published verbatim and reviewable by your privacy officer before signing. Revocation is one click from your own cloud console; we lose access at the next token refresh.
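Since the policies are published for review, here is an added example of the review itself, covering both the data-plane exclusion described under Limited Use data handling and the read-only, external-ID role described here. It is not Lumicost's published policy and not its code: a small checker that flags data-plane reads, non-read verbs and a trust policy that lacks the external ID condition. The two sample policies, the vendor account ID 111122223333, the external ID value and the list of representative data-plane actions are all constructed for this illustration.

```python
import fnmatch
from typing import Dict, List

# Representative data-plane actions: if an allowed action pattern can match any
# of these, the credential can reach payload, not just configuration. This list
# is illustrative (an assumption of the example), not an authoritative catalogue.
DATA_PLANE_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:PutItem",
    "rds-data:ExecuteStatement", "logs:GetLogEvents", "logs:FilterLogEvents",
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "kms:Decrypt",
    "lambda:InvokeFunction", "sqs:ReceiveMessage",
]
# Verbs a metadata-only credential needs. Anything else is a write path.
READ_ONLY_VERBS = ("describe", "get", "list")


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action, Statement, and friends."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: Dict) -> list:
    return [(i, s) for i, s in enumerate(_as_list(policy.get("Statement")))
            if s.get("Effect") == "Allow"]


def data_plane_findings(policy: Dict) -> List[str]:
    """Flag Allow actions that could match a data-plane action. IAM matches
    actions case-insensitively with * and ? wildcards, which is exactly what
    fnmatchcase over lower-cased strings gives us."""
    findings = []
    for i, stmt in _allow_statements(policy):
        for pattern in _as_list(stmt.get("Action")):
            hits = [a for a in DATA_PLANE_ACTIONS
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
            if hits:
                findings.append(f"statement[{i}] action {pattern!r} reaches the "
                                f"data plane (e.g. {hits[0]})")
    return findings


def write_path_findings(policy: Dict) -> List[str]:
    """Flag Allow actions whose verb is not Describe/Get/List, and NotAction,
    which allows everything except what is listed."""
    findings = []
    for i, stmt in _allow_statements(policy):
        if "NotAction" in stmt:
            findings.append(f"statement[{i}] uses NotAction; review by hand")
            continue
        for pattern in _as_list(stmt.get("Action")):
            verb = pattern.split(":", 1)[-1].lower()
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"statement[{i}] action {pattern!r} is not read-only")
    return findings


def external_id_findings(trust_policy: Dict) -> List[str]:
    """Flag sts:AssumeRole grants with no sts:ExternalId condition, the
    confused-deputy guard a vendor-assumed cross-account role should carry."""
    findings = []
    for i, stmt in _allow_statements(trust_policy):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            findings.append(f"statement[{i}] allows sts:AssumeRole without "
                            f"an sts:ExternalId condition")
    return findings


def review_connection(permission_policy: Dict, trust_policy: Dict) -> List[str]:
    return (data_plane_findings(permission_policy)
            + write_path_findings(permission_policy)
            + external_id_findings(trust_policy))


# Constructed sample policies (placeholders, not Lumicost's published policy).
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:GetBucketLocation",
               "s3:ListAllMyBuckets", "rds:Describe*", "iam:Get*", "iam:List*",
               "eks:Describe*", "eks:List*", "ce:GetCostAndUsage"]}]}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}
VENDOR = {"AWS": "arn:aws:iam::111122223333:root"}  # placeholder vendor account
TRUST_WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": VENDOR, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "tenant-example-id"}}}]}
TRUST_WITHOUT_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": VENDOR, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(review_connection(READ_ONLY_POLICY, TRUST_WITH_EXTERNAL_ID))  # []
    print(review_connection(OVERBROAD_POLICY, TRUST_WITHOUT_EXTERNAL_ID))
```

The two permission checks are deliberately separate: `s3:Get*` passes the read-only verb test and still reaches object contents, which is why a "read-only" policy has to be reviewed for data-plane actions and not only for write verbs. The checker looks at Action patterns only; a full review also reads Resource and NotResource, any permission boundary, and the SCPs that apply to the account.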

Cost optimization for the workloads under §164.308 scope

EKS / GKE / AKS pod-level rightsizing for the clusters running your ePHI workloads, RI / Savings Plan / CUD amortization that doesn't disappear when you're forced to lift-and-shift across regions for residency reasons, anomaly detection on the line items that actually matter (RDS, KMS, CloudHSM, dedicated tenancy). The cost savings live on the same dataset as the evidence — one InfoSec review, one BAA conversation.

Frequently asked questions

Do you sign a BAA, and what's the scope?

Yes — we sign a Business Associate Agreement scoped to infrastructure metadata only. Because Lumicost is Limited Use by design (we never receive, store or transmit ePHI), the BAA codifies that posture: we are a business associate of your covered entity for the purpose of cloud configuration and billing analysis, and we acknowledge the §164.308 / §164.310 / §164.312 obligations that apply to the metadata we do hold (audit log retention, access control, transmission security). Reach out for the standard BAA — it's a short document because the scope is intentionally narrow.

What HIPAA controls does the evaluator actually check?

Eleven controls from the Security Rule: §164.308(a)(1)(ii)(D) Information System Activity Review, §164.308(a)(3) Workforce Security, §164.308(a)(4) Information Access Management, §164.308(a)(6) Security Incident Procedures, §164.308(a)(8) Evaluation, §164.310 Physical Safeguards (facility controls delegated to your CSP under its HIPAA-eligible services list; workstation use, workstation security and device and media controls under §164.310(b) through (d) stay with your organization), §164.312(a) Access Control, §164.312(b) Audit Controls, §164.312(c) Integrity, §164.312(d) Person or Entity Authentication, §164.312(e) Transmission Security (TLS 1.2+ at the edge). Each control returns PASS / FAIL / NEEDS_REVIEW with the underlying evidence row.

If you don't see ePHI, how can you optimize cost on workloads that handle it?

Cost optimization runs on shape and utilization metadata, not on the data inside. We see that an RDS instance is provisioned at db.r6i.4xlarge with 60% CPU headroom over 14 days — we don't see what's stored in it. We see that a Fargate task requests 4 vCPU but uses 0.6 vCPU p95 — we don't read the container's filesystem. The recommendations are PR-ready (Terraform diff, instance family change) and your team applies them in your own pipeline. The optimization signal is fully separable from the protected payload.

We're under HITRUST CSF too — does the evidence translate?

Yes. The same evidence rows that satisfy HIPAA §164.308 / §164.310 / §164.312 controls also map cleanly to HITRUST CSF v11 assessment domains (Information Protection Program, Endpoint Protection, Configuration Management, Access Control, Audit Logging & Monitoring). HITRUST certification is not something Lumicost issues; your organization pursues it with an external assessor. What our evidence collection plus the tamper-evident audit log give that assessor is the evidence for the in-scope cloud infrastructure controls.

Ready to start saving?

Connect read-only credentials, get your first insights in 24 hours.