

Healthcare organizations face a uniquely high-stakes challenge: delivering modern, connected care while safeguarding some of the most sensitive data in existence. The Health Insurance Portability and Accountability Act (HIPAA) establishes strict requirements for how Protected Health Information (PHI) must be stored, transmitted, and accessed.
Amazon Web Services (AWS) has invested heavily in building a cloud ecosystem that directly addresses these requirements. With 150+ services covered under its HIPAA eligibility framework and a robust Business Associate Agreement (BAA), AWS gives healthcare organizations a powerful, compliant foundation to build on — without reinventing the wheel.
This guide breaks down everything IT leaders need to know: what HIPAA compliance means in the cloud, which AWS services qualify, how to architect a compliant environment, and the common pitfalls to avoid.
1. Understanding HIPAA in the Cloud Context
HIPAA compliance is not a product you purchase — it is a shared responsibility. In the cloud, this responsibility is divided between the cloud provider (AWS) and the covered entity or business associate (your organization). AWS secures the infrastructure; you are responsible for how you configure and use it.
What is PHI? (Protected Health Information)
PHI includes any individually identifiable health information — names, dates, phone numbers, geographic data, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, biometric identifiers, full-face photographs, and any other unique identifying numbers or codes — when linked to a patient's health or care.
The AWS Shared Responsibility Model
AWS Secures the Cloud
Physical data centers, network infrastructure, hypervisors, and managed service hardware.
You Secure in the Cloud
Your data, operating systems, applications, access controls, encryption configurations, and network architecture.
Simply deploying on AWS does not make you HIPAA-compliant. You must configure services correctly, enforce access controls, enable encryption, and maintain audit trails.
2. The AWS Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is a legal contract required by HIPAA when a covered entity shares PHI with a third-party service provider. AWS offers a standardized BAA that covers a defined set of HIPAA-eligible services.
Key BAA Requirements
- Only use HIPAA-eligible AWS services for workloads involving PHI
- Sign and execute the AWS BAA through your AWS account
- Ensure all subcontractors and vendors also have BAAs in place
- Maintain the BAA for 6 years after termination of the relationship
- Report any security incidents or breaches to AWS per agreement terms
The AWS BAA is available at no additional cost through the AWS Artifact portal. Signing it is a prerequisite — not a guarantee of compliance.
3. Core HIPAA-Eligible AWS Services
AWS maintains an official list of HIPAA-eligible services. Below are the most critical ones for healthcare workloads, organized by their role in a compliant architecture.
| AWS Service | HIPAA Role | Key Benefit |
|---|---|---|
| Amazon S3 | Secure PHI storage & archival | Server-side encryption, versioning, access logs |
| Amazon RDS | Relational database for EHR/EMR | Encryption at rest, automated backups, VPC isolation |
| Amazon EC2 | Compute for health apps | Encrypted volumes, IAM roles, security groups |
| AWS Lambda | Serverless HL7/FHIR processing | No server management, fine-grained IAM control |
| Amazon DynamoDB | NoSQL for patient records | Encryption at rest, point-in-time recovery |
| AWS KMS | Encryption key management | Customer-managed keys, audit trail via CloudTrail |
| Amazon CloudWatch | Monitoring & alerting | Log groups, metric alarms, retention policies |
| AWS CloudTrail | Audit logging of all API calls | Immutable logs, S3 delivery, 7-year retention |
| Amazon Cognito | Patient/provider authentication | MFA support, OAuth 2.0, user pools |
| AWS WAF | Web application firewall | Blocks malicious traffic, OWASP rule sets |
| Amazon VPC | Network isolation | Private subnets, NACLs, VPC Flow Logs |
| AWS Config | Compliance monitoring | Continuous resource configuration assessment |
4. Architecting a HIPAA-Compliant AWS Environment
Building compliance in requires intentional architecture decisions from day one. Here are the five pillars of a HIPAA-compliant AWS deployment.
Pillar 1: Network Isolation with Amazon VPC
All PHI workloads must live within a dedicated Virtual Private Cloud (VPC) with strict segmentation.
- Deploy RDS instances in private subnets with no public endpoint
- Use VPC Endpoints for S3 and DynamoDB to avoid public internet traversal
- Enable VPC Flow Logs and route them to CloudWatch for analysis
- Restrict Security Group rules to least-privilege — deny everything by default
Pillar 2: Encryption Everywhere
HIPAA requires PHI to be encrypted both in transit and at rest.
- Enable S3 server-side encryption (SSE-KMS) on all buckets containing PHI
- Use AWS KMS Customer Managed Keys (CMKs) for granular control and audit trails
- Enforce TLS 1.2+ for all data in transit using ACM certificates and HTTPS-only policies
- Enable encryption at rest on all RDS, EBS, and DynamoDB resources at creation time
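The first three bullets of this pillar can be made enforceable rather than advisory with a bucket policy. The following is an added example, not code from the original article: it builds a PHI bucket policy whose explicit Deny statements reject plaintext HTTP, TLS below 1.2 and uploads that are not SSE-KMS with the expected customer managed key, then lints any policy dict for the same controls. The bucket name and KMS key ARN are placeholders.

```python
"""S3 bucket policy that enforces the encryption pillar for a PHI bucket,
plus a linter that checks an arbitrary bucket policy for the same controls.
Added example; the bucket name and KMS key ARN are placeholders."""
from __future__ import annotations
import json

BUCKET = "example-phi-bucket"                                          # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def phi_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Explicit Deny wins over any Allow in IAM evaluation, so these denies
    hold no matter what other policies grant:
      1. reject any request not sent over TLS (aws:SecureTransport = false)
      2. reject TLS below 1.2 (s3:TlsVersion < 1.2)
      3. reject uploads that are not SSE-KMS, or that name the wrong CMK
    Check 3 is two statements on purpose: condition keys inside one operator
    block are ANDed, so a single StringNotEquals carrying both keys would let
    through an aws:kms upload that names the wrong key. Clients must send the
    SSE headers explicitly; bucket default encryption alone does not satisfy
    these conditions."""
    arn = f"arn:aws:s3:::{bucket}"
    both = [arn, f"{arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": both,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": both,
             "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
            {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _has_deny(stmts: list[dict], operator: str, key: str, value: str) -> bool:
    """True if some Deny statement carries Condition[operator][key] == value."""
    for s in stmts:
        if s.get("Effect") != "Deny":
            continue
        cond = s.get("Condition", {}).get(operator, {})
        if key in cond and str(cond[key]).lower() == value.lower():
            return True
    return False


def lint_phi_policy(policy: dict) -> list[str]:
    """Return findings for a bucket policy; an empty list means the policy
    enforces TLS 1.2+ and SSE-KMS and grants nothing to the public."""
    stmts = _as_list(policy.get("Statement", []))
    findings = []
    if not _has_deny(stmts, "Bool", "aws:SecureTransport", "false"):
        findings.append("no Deny for aws:SecureTransport=false: plaintext HTTP is accepted")
    if not _has_deny(stmts, "NumericLessThan", "s3:TlsVersion", "1.2"):
        findings.append("no minimum TLS version: TLS 1.0/1.1 clients are accepted")
    if not _has_deny(stmts, "StringNotEquals", "s3:x-amz-server-side-encryption", "aws:kms"):
        findings.append("no Deny for non-SSE-KMS PutObject: unencrypted or SSE-S3 uploads are accepted")
    for s in stmts:
        if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{s.get('Sid', '<no Sid>')}: Allow to Principal '*' makes the bucket public")
    return findings


# Constructed counter-example: the classic public-read policy with no encryption controls.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    print(json.dumps(phi_bucket_policy(BUCKET, KMS_KEY_ARN), indent=2))
    print("hardened:", lint_phi_policy(phi_bucket_policy(BUCKET, KMS_KEY_ARN)))
    print("weak:", *lint_phi_policy(WEAK_POLICY), sep="\n  ")
```

The linter is the part worth wiring into CI: run it over every bucket policy in a deployment template before apply, and a bucket that loses its transport or SSE-KMS deny fails the build instead of surfacing later as an audit finding.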
Pillar 3: Identity & Access Management (IAM)
Access to PHI must be strictly controlled and auditable. Follow the principle of least privilege at every layer.
- Use IAM roles (not static credentials) for all service-to-service access
- Enforce MFA for all human access to the AWS Console
- Implement Amazon Cognito with MFA for patient-facing applications
- Use AWS Organizations SCPs to prevent compliance-breaking actions
- Review IAM Access Analyzer regularly to identify overly permissive policies
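To make the SCP bullet concrete, here is an added example (not AWS's published baseline and not code from the original article) of a guardrail SCP for the organizational unit that holds PHI accounts, together with a small evaluator that shows which API actions it blocks. The action list and approved regions are assumptions chosen to protect the controls named in the pillars above, and the evaluator models only Deny statements with an optional aws:RequestedRegion condition.

```python
"""Service control policy (SCP) for the OU that holds PHI accounts, plus a small
evaluator showing which API actions it blocks. Added example: the action list
is a starting point, not AWS's published baseline, and the evaluator models
only Deny statements with an optional aws:RequestedRegion condition."""
from __future__ import annotations
import fnmatch

APPROVED_REGIONS = ["us-east-1", "us-west-2"]          # assumption

PHI_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the audit trail (pillar 4) must not be switched off or narrowed
            "Sid": "DenyAuditTrailTampering", "Effect": "Deny", "Resource": "*",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
        {   # losing a CMK or a backup vault makes PHI unrecoverable (pillars 2 and 5)
            "Sid": "DenyKeyAndBackupDestruction", "Effect": "Deny", "Resource": "*",
            "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey",
                       "backup:DeleteBackupVault", "backup:DeleteRecoveryPoint"]},
        {   # detection and compliance tooling stays on
            "Sid": "DenyDisablingDetection", "Effect": "Deny", "Resource": "*",
            "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
                       "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                       "securityhub:DisableSecurityHub"]},
        {   # keep PHI in approved regions; global services are exempted via NotAction
            "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*"],   # trimmed list
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
    ],
}


def _matches(patterns: str | list[str], action: str) -> bool:
    """IAM action matching: case-insensitive with '*' and '?' wildcards."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def scp_denies(scp: dict, action: str, region: str = "us-east-1") -> str | None:
    """Return the Sid of the first Deny statement that blocks `action` in
    `region`, or None. SCPs can only take permissions away, so None means
    'not blocked by the guardrail', not 'allowed'; an identity policy must
    still grant the action."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        hit = _matches(stmt["Action"], action) if "Action" in stmt \
            else not _matches(stmt["NotAction"], action)
        if not hit:
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and region in allowed:
            continue                       # condition not met, statement does not apply
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    for act, reg in [("cloudtrail:StopLogging", "us-east-1"), ("s3:GetObject", "us-east-1"),
                     ("ec2:RunInstances", "eu-west-1"), ("iam:CreateRole", "eu-west-1")]:
        print(f"{act:28} {reg:10} -> {scp_denies(PHI_GUARDRAIL_SCP, act, reg)}")
```

Attach the SCP to the OU, not to individual accounts, so that every account moved into the PHI OU inherits the guardrail; the evaluator is for reviewing a policy change before it ships, since a too-broad Deny (for example `cloudtrail:*`) would also block the trail from being created in the first place.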
Pillar 4: Audit Logging & Monitoring
HIPAA requires covered entities to maintain activity logs for 6 years. Every access to PHI must be traceable.
- Enable AWS CloudTrail in all regions — log to a dedicated, tamper-proof S3 bucket
- Enable S3 Object-Level logging for buckets containing PHI
- Set up CloudWatch Alarms for unusual access patterns (e.g., mass downloads, off-hours access)
- Use Amazon GuardDuty for automated threat detection across your AWS environment
- Consider AWS Security Hub for a unified compliance dashboard
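The two alarm conditions named above (mass downloads and off-hours access) are easy to state and easy to get wrong, so here is the detection logic worked through as an added example that is not part of the original article. It runs over constructed CloudTrail-style S3 data events; the bucket name, principal ARNs, thresholds and the clinic's time zone are all assumptions.

```python
"""Detection logic for two alarm conditions from the audit pillar: mass
downloads from a PHI bucket by one principal, and PHI access outside business
hours. Added example over constructed CloudTrail-style S3 data events; the
bucket name, ARNs, thresholds and clinic time zone are assumptions."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PHI_BUCKETS = {"example-phi-bucket"}                   # constructed
CLINIC_TZ = timezone(timedelta(hours=-5))              # assumed fixed offset
ANALYST_ARN = "arn:aws:sts::111122223333:assumed-role/AnalystRole/jdoe"
APP_ARN = "arn:aws:sts::111122223333:assumed-role/EhrAppRole/i-0example"
ADMIN_ARN = "arn:aws:iam::111122223333:user/night-admin"
TS = "%Y-%m-%dT%H:%M:%SZ"                              # CloudTrail eventTime format


def _event(when: datetime, name: str, arn: str, bucket: str, key: str) -> dict:
    """Minimal subset of the fields a real CloudTrail S3 data event carries."""
    return {"eventTime": when.strftime(TS), "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key}}


def build_sample_events() -> list[dict]:
    """Constructed log: one bulk pull during the day, routine app reads, and
    two reads by an IAM user at 03:10 clinic time."""
    day = datetime(2024, 3, 12, 14, 0, tzinfo=timezone.utc)   # 09:00 clinic time
    events = [_event(day + timedelta(seconds=3 * i), "GetObject", ANALYST_ARN,
                     "example-phi-bucket", f"records/patient-{i:04d}.json") for i in range(60)]
    events += [_event(day + timedelta(hours=h, minutes=17), "GetObject", APP_ARN,
                      "example-phi-bucket", f"records/patient-{h:04d}.json") for h in range(4)]
    events += [_event(datetime(2024, 3, 12, 8, m, tzinfo=timezone.utc), "GetObject", ADMIN_ARN,
                      "example-phi-bucket", "exports/full-dump.csv") for m in (10, 12)]
    return events


def _phi_reads(events):
    for e in events:
        if e["eventName"] == "GetObject" and e["requestParameters"].get("bucketName") in PHI_BUCKETS:
            yield e


def _when(e: dict) -> datetime:
    return datetime.strptime(e["eventTime"], TS).replace(tzinfo=timezone.utc)


def find_mass_downloads(events, threshold: int = 50,
                        window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Sliding window per principal: return {arn: peak_count} for every principal
    whose GetObject calls on PHI buckets reach `threshold` within `window`."""
    times: dict[str, list[datetime]] = defaultdict(list)
    for e in _phi_reads(events):
        times[e["userIdentity"]["arn"]].append(_when(e))
    hits = {}
    for arn, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:      # drop events that fell out of the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            hits[arn] = peak
    return hits


def find_off_hours_access(events, start_hour: int = 7, end_hour: int = 19) -> list[tuple[str, str]]:
    """Return (arn, local ISO time) for every PHI read outside clinic hours.
    The comparison is done in clinic local time, not UTC, so the alarm does
    not shift with the region the bucket lives in."""
    out = []
    for e in _phi_reads(events):
        local = _when(e).astimezone(CLINIC_TZ)
        if not start_hour <= local.hour < end_hour:
            out.append((e["userIdentity"]["arn"], local.isoformat()))
    return out


if __name__ == "__main__":
    ev = build_sample_events()
    print("mass downloads:", find_mass_downloads(ev))
    print("off-hours:", find_off_hours_access(ev))
```

The same two functions run unchanged over real events read from the CloudTrail S3 delivery bucket, which is the form a Lambda behind a CloudWatch Logs subscription filter or an Athena query would take; the point is that the per-principal sliding window catches a burst that a fixed per-minute count would smear out.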
Pillar 5: Disaster Recovery & Data Availability
HIPAA's availability requirements demand that PHI is accessible when needed and recoverable when lost.
- Enable automated backups on RDS with a minimum 7-day retention window
- Use S3 Cross-Region Replication for critical PHI data sets
- Implement Route 53 health checks with failover routing for high-availability applications
- Document and test a Disaster Recovery (DR) plan — HIPAA requires written contingency planning
- Use AWS Backup to centralize backup policies across RDS, EBS, DynamoDB, and EFS
5. HIPAA Compliance Automation on AWS
Manual compliance checks don't scale. AWS provides native tools to automate detection and enforcement.
AWS Config Rules
Continuously evaluates your resource configurations. Use the HIPAA conformance pack for ongoing compliance visibility — pre-built rules mapped directly to HIPAA controls.
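The conformance pack covers the managed rules; controls specific to your architecture need a custom rule. As an added example (not AWS's conformance pack and not code from the original article), here is the evaluation logic of a Lambda-backed custom Config rule that checks three controls from the pillars above: no world-open security group ingress beyond TCP/443 (pillar 1), SSE-KMS default encryption plus a full public access block on S3 buckets (pillar 2), and encrypted, non-public RDS instances with at least 7 days of automated backups (pillar 5). The handler returns its evaluation instead of calling `config.put_evaluations`, so it runs offline; the configuration items are constructed, and the camelCase field names for the S3 supplementary configuration are an assumption about the shape Config records.

```python
"""Evaluation logic for a custom AWS Config rule covering three controls:
security group ingress, S3 default encryption / public access block, and RDS
encryption, endpoint exposure and backup retention. Added example: the handler
returns evaluations instead of calling config.put_evaluations so it runs
offline; configuration items are constructed and their field names follow the
camelCase shape of Config configuration items (an assumption for S3)."""
from __future__ import annotations
import json

WORLD = {"0.0.0.0/0", "::/0"}
MIN_BACKUP_DAYS = 7          # from pillar 5
PAB_KEYS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def check_security_group(cfg: dict) -> tuple[str, str]:
    """Flag any ingress rule reachable from the internet other than TCP/443."""
    for p in cfg.get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in p.get("ipRanges", [])} | \
                {r.get("cidrIpv6") for r in p.get("ipv6Ranges", [])}
        if not (cidrs & WORLD):
            continue
        if p.get("ipProtocol") == "tcp" and p.get("fromPort") == 443 == p.get("toPort"):
            continue
        return "NON_COMPLIANT", (f"ingress {p.get('ipProtocol')}/{p.get('fromPort')}-"
                                 f"{p.get('toPort')} open to the internet")
    return "COMPLIANT", "no world-open ingress beyond TCP/443"


def check_s3_bucket(supp: dict) -> tuple[str, str]:
    """Require SSE-KMS as the default encryption and all four public access blocks."""
    rules = supp.get("ServerSideEncryptionConfiguration", {}).get("rules", [])
    algos = {r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        found = ", ".join(a for a in algos if a) or "unset"
        return "NON_COMPLIANT", f"default encryption is {found}; SSE-KMS required"
    pab = supp.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        return "NON_COMPLIANT", "public access block incomplete: " + ", ".join(missing)
    return "COMPLIANT", "SSE-KMS default encryption and public access block in place"


def check_rds_instance(cfg: dict) -> tuple[str, str]:
    """Encrypted at rest, no public endpoint, backups kept for MIN_BACKUP_DAYS."""
    if not cfg.get("storageEncrypted"):
        return "NON_COMPLIANT", "storage is not encrypted at rest"
    if cfg.get("publiclyAccessible"):
        return "NON_COMPLIANT", "instance has a public endpoint"
    days = cfg.get("backupRetentionPeriod", 0)
    if days < MIN_BACKUP_DAYS:
        return "NON_COMPLIANT", f"backup retention {days}d below {MIN_BACKUP_DAYS}d"
    return "COMPLIANT", "encrypted, private, backups retained"


CHECKS = {
    "AWS::EC2::SecurityGroup": lambda ci: check_security_group(ci["configuration"]),
    "AWS::S3::Bucket": lambda ci: check_s3_bucket(ci.get("supplementaryConfiguration", {})),
    "AWS::RDS::DBInstance": lambda ci: check_rds_instance(ci["configuration"]),
}


def evaluate(ci: dict) -> dict:
    """Turn one configuration item into a PutEvaluations entry."""
    check = CHECKS.get(ci["resourceType"])
    result, reason = check(ci) if check else ("NOT_APPLICABLE", "resource type not covered")
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": result, "Annotation": reason[:256],
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point shape of a Config custom rule: the item arrives JSON-encoded
    in event['invokingEvent']. A deployed rule would pass the returned dict to
    config.put_evaluations together with event['resultToken']."""
    return evaluate(json.loads(event["invokingEvent"])["configurationItem"])


CAPTURED = "2024-03-12T14:00:00.000Z"
# Constructed configuration items: an SG with SSH open to the world, a bucket
# defaulting to SSE-S3 instead of SSE-KMS, and a compliant RDS instance.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
     "configurationItemCaptureTime": CAPTURED, "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-phi-bucket",
     "configurationItemCaptureTime": CAPTURED, "configuration": {},
     "supplementaryConfiguration": {
         "ServerSideEncryptionConfiguration": {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]},
         "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "ehr-db", "configurationItemCaptureTime": CAPTURED,
     "configuration": {"storageEncrypted": True, "publiclyAccessible": False, "backupRetentionPeriod": 7}},
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        ev = lambda_handler({"invokingEvent": json.dumps({"configurationItem": item})})
        print(f"{ev['ComplianceResourceId']:20} {ev['ComplianceType']:14} {ev['Annotation']}")
```

Deploy one rule per resource type (Config scopes a custom rule by the resource types it triggers on) and keep the check functions free of AWS calls as above, so they can be unit tested against saved configuration items before a change to a threshold is rolled out.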
AWS Security Hub
Aggregates findings from GuardDuty, Inspector, Macie, and Config into a single HIPAA-mapped compliance dashboard with real-time severity scoring.
Amazon Macie
Uses ML to automatically discover and classify sensitive data in S3 — including PHI — and alerts you when it appears in unexpected locations like public buckets.
AWS Audit Manager
Continuously collects evidence from your AWS environment and maps it to HIPAA control requirements. Reduces weeks of audit prep to hours.
6. Common HIPAA Compliance Pitfalls on AWS
Top Mistakes to Avoid
- Storing PHI in non-HIPAA-eligible services (e.g., Elasticsearch without BAA coverage)
- Leaving S3 buckets publicly accessible or without encryption enabled
- Using root account credentials instead of IAM roles for application access
- Not enabling CloudTrail in all regions — attackers target inactive regions
- Failing to test your disaster recovery plan — documentation alone is not enough
- Logging PHI in CloudWatch Logs without access controls or retention policies
- Assuming compliance = security — compliance is a floor, not a ceiling
7. HIPAA Compliance Checklist for AWS Deployments
Use this checklist as a starting point for any PHI workload on AWS:
Conclusion
Building a HIPAA-compliant architecture on AWS is achievable, scalable, and increasingly the standard of care for healthcare IT. AWS provides a robust ecosystem of eligible services, automation tools, and compliance frameworks — but the configuration and governance remain your responsibility.
The organizations that do this well treat compliance not as a one-time checkbox exercise, but as a continuous operational practice embedded in their DevOps and security workflows. With the right architecture, the right tools, and the right processes, AWS becomes one of the most powerful platforms available for healthcare innovation — without compromising on the trust patients place in you.
Ready to Build a HIPAA-Compliant AWS Environment?
Our certified cloud architects can assess your current infrastructure and design a compliant, scalable AWS deployment tailored to your healthcare workloads.