Most HIPAA hosting comparisons are written by the hyperscalers themselves or by managed-PaaS vendors selling against them. This 5-question quiz scores AWS HIPAA-eligible services, Azure HIPAA Compliance Offering, GCP HIPAA-aligned services, Aptible, and Build-Your-Own (BAA-eligible bare-metal + your own controls) against YOUR actual PHI workload, team capacity, and budget. Operator-honest scoring · no hyperscaler kickback · BAA realities included.
Each vendor wins a different scenario. The matchmaker quiz scores all 4 against your specific situation; below is the use-case map for context.
AWS HIPAA-eligible services
Best for: Widest BAA-eligible service list (200+ services) · mature HIPAA documentation · standard for healthcare SaaS · strong audit-firm familiarity · transparent shared-responsibility model · best when you also need to be SOC 2 + HITRUST
Trade-offs: BAA requires AWS-side signature (Business Associate Addendum via AWS Artifact) · YOU still own configuration controls · using non-eligible services with PHI = violation · highest learning curve for first-time HIPAA buyers
Azure HIPAA Compliance Offering
Best for: Microsoft 365 + Azure integration (HIPAA-eligible across the stack) · best when your customers are Microsoft-shop hospitals · Azure HIPAA BAA is auto-included for in-scope services · strong identity (Entra ID) for healthcare access control
Trade-offs: Less developer-friendly than AWS for startups · narrower in-scope service list · best for orgs already standardized on Microsoft tooling
GCP HIPAA-aligned services
Best for: Healthcare-AI workloads (Vertex AI, BigQuery, Healthcare API all HIPAA-aligned) · clean BAA process via Cloud Healthcare API · strong data engineering primitives · best for genomics / imaging / NLP workloads
Trade-offs: Smaller BAA-eligible service list than AWS · narrower healthcare-customer footprint · GCP enterprise sales presence weaker than AWS in healthcare verticals
Aptible
Best for: HIPAA + HITRUST controls baked into the platform (you inherit compliance posture, not just BAA-eligible infra) · best for healthcare-SaaS startups without dedicated security engineering · audit-evidence ready · strong support for first-time BAA buyers
Trade-offs: Premium pricing vs hyperscalers · narrower service catalog than AWS/Azure/GCP · best for sub-100-person healthcare SaaS · lock-in is real if you need to migrate later
Build-Your-Own (BAA-eligible bare-metal + your own controls)
Best for: Full control · works for orgs with HIPAA + on-prem requirements · bare-metal providers (OVH · Hetzner with BAA · Latitude.sh with BAA) available · cheapest at high scale
Trade-offs: Full security-engineering burden · YOU own access controls + audit logs + encryption-at-rest + backup workflows + breach detection · most BAA-eligible bare-metal providers are limited · best when security engineering is a dedicated function, not a side responsibility
Things you won't see on the vendor's marketing pages. Real patterns from operators in this category.