Understanding Azure, AWS, GCP, and Electronic Protected Health Information Shared Governance


This article describes the following:


Virginia Tech's Azure, AWS, and GCP environments are approved for use with ePHI; however, before you begin to use them to store or process this type of data, you must meet the following obligations outlined in the shared governance information below.

Your Obligations
Microsoft's Obligations
Amazon's Obligations
  • Amazon's obligations are outlined in the Business Associate Agreement (BAA) with Virginia Tech (Contact CCS for details)
Google's Obligations
Collaborative Computing Solutions' (CCS) Obligations
  • Licensing, secure authentication, and support of Virginia Tech's AWS, GCP, and Azure Services

1 Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes (HIPAA, Section 164.304)

Additional information regarding the use of ePHI at Virginia Tech can be found at:


It is the intent of Virginia Tech to maintain an environment in a way that promotes ethical, compliant, legal, and responsible conduct in all activities by users regarding ePHI. Any items within this article do not supersede, negate, or undermine any policies, rules, or obligations set forth by state/federal regulations or Virginia Tech.