This research is a comparative study of the institutional effects of regulatory and compliance issues surrounding cloud computing in healthcare. Our focus is on health care organizations and the IT industry, and how these two important stakeholders interpret and apply the privacy and security rules from the U.S. and EU. As an institutional environment, healthcare is experiencing coercive, normative and mimetic isomorphic pressures on macro, meso and micro levels. International governments are seeking ways to build capacity in the cloud computing market, yet they are faced with difficult issues in relation to privacy and security of personal data. Our findings suggest that regulatory and compliance is being developed ‘in response to’ rather than ‘in anticipation of’ technical change. Normative pressures to encourage healthcare organizations to develop effective data protection and privacy policies to comply with new regulatory change are further complicated in an environment where cloud data may be transferred across different legal and regulatory jurisdictions. Our findings show that healthcare organizations and cloud providers need to work more closely together as business associates. However, translating HIPAA and EU rules and regulations into practice is thwarted by a lack of legal and regulatory knowledge, particularly in the smaller organizations.