HIPAA

AWS HIPAA Compliant: How to secure your cloud workloads

How AWS HIPAA-eligible services and security controls let you store, process, and transmit PHI while meeting federal requirements.

safeINIT

A HIPAA-compliant AWS environment lets healthcare providers, SaaS companies, and other organizations that handle Protected Health Information (PHI) meet their security and regulatory obligations. AWS offers HIPAA-eligible services and security tools for storing, processing, and transmitting PHI under federal regulations.

AWS itself is not HIPAA-certified. It provides the infrastructure and security controls that compliance depends on, and the customer configures the services and puts the technical, administrative, and physical safeguards around PHI.

What this guide covers

This guide explains what AWS HIPAA compliance actually means, which AWS services and security measures support it, and how to sign a Business Associate Agreement (BAA) with AWS so legal responsibility for protecting PHI is clear.

What does AWS HIPAA compliance mean?

Being AWS HIPAA compliant means running AWS services in line with HIPAA so that electronic Protected Health Information (ePHI) stays protected.

AWS gives you a secure cloud infrastructure and a set of HIPAA-eligible services. The security configuration and the administrative policies are yours to put in place, and full compliance depends on getting them right.

AWS and the shared responsibility model for HIPAA

The Shared Responsibility Model sets out who secures which part of the cloud environment:

  • AWS's responsibility: securing the underlying cloud infrastructure (data centers, networking, and physical security).
  • Customer's responsibility: the organization using AWS configures services correctly, sets up access controls, encrypts PHI, and watches for security threats.

What the AWS Business Associate Agreement (BAA) does

Any organization handling PHI in AWS has to sign an AWS Business Associate Agreement (BAA). The BAA commits AWS to protecting the underlying infrastructure to HIPAA standards.

Signing a BAA does not make an organization HIPAA compliant on its own. You still have to configure your AWS services to meet the security and privacy requirements.

AWS gives you the tools for HIPAA compliance, and the legal and technical work stays with you. For how to configure your infrastructure for strict healthcare compliance, see our technical implementation guide.

Key requirements for AWS HIPAA compliance

AWS HIPAA compliance comes down to applying the security, privacy, and technical safeguards that HIPAA calls for. AWS supplies the HIPAA-eligible services and the security tools. Configuring and managing them correctly, so that electronic Protected Health Information (ePHI) stays protected, is the customer's job.

AWS Business Associate Agreement (BAA)

Any organization handling PHI in AWS has to sign an AWS Business Associate Agreement (BAA). This legal contract sets out AWS's responsibility for securing the cloud infrastructure and confirms that AWS services meet HIPAA security and privacy requirements.

AWS HIPAA-eligible services

AWS maintains a list of HIPAA-eligible services for storing, processing, or transmitting PHI. Some of the main ones:

  • Compute and storage: Amazon EC2, AWS Lambda, Amazon S3, Amazon EBS
  • Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB
  • Networking and security: AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), AWS Shield, AWS WAF
  • Monitoring and logging: AWS CloudTrail, Amazon CloudWatch, AWS Security Hub

One thing to keep in mind

Use only HIPAA-eligible services when handling PHI, and configure them to AWS security best practices.

Knowing the AWS compliance requirements is only part of the picture.

Organizations also need administrative and operational safeguards to reach full HIPAA compliance. Our guide on how to become HIPAA compliant goes into that.

How to build a HIPAA-compliant AWS architecture

A HIPAA-compliant AWS environment needs secure cloud configurations, encryption, and continuous monitoring.

You can configure AWS services by hand, but deploying a pre-configured Landing Zone built for HIPAA compliance gets you there with less risk of misconfiguration.

Architecture essentials

A HIPAA-compliant AWS architecture has to include secure VPC networking, IAM-based access controls, and real-time security monitoring with AWS-native tools.

Solutions like our HIPAA-Compliant Environment handle this with Infrastructure-as-Code, AWS Security Hub, GuardDuty, and AWS Config to automate compliance enforcement and risk management. Security and compliance work together once PHI is involved in AWS: strict IAM policies tighten access, automated failover cuts downtime risk, and AWS-native tools like GuardDuty and Security Hub keep compliance monitoring running. See how rXperius modernized its cloud infrastructure to meet HIPAA standards and harden its security at the same time.
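The "strict IAM policies" above are where least privilege is won or lost. The following Python script is an added example, not safeINIT's code or anything from the HIPAA-Compliant Environment product: it lints IAM policy documents for the patterns that usually break least privilege (wildcard actions, wildcard resources, NotAction/NotResource grants) and, for statements that allow `s3:PutObject`, checks that the statement requires SSE-KMS on the write. The two policies, the bucket name, the account ID and the KMS key ID are constructed placeholders.

```python
"""Least-privilege lint for IAM policy documents (added example, constructed input)."""

# Constructed example: an administrator-style policy that is far too broad for PHI work.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example: scoped to one hypothetical PHI bucket and the KMS key that
# protects it. Bucket ARN, account ID and key ID are placeholders, not real resources.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWritePhiObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            # Writes are only allowed when the object is stored with SSE-KMS.
            "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            "Sid": "UsePhiKey",
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    ],
}


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    # "*" grants every API call; "s3:*" grants every API call of one service.
    return action == "*" or action.endswith(":*")


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        label = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: NotAction/NotResource grants everything not listed")
        for action in actions:
            if _is_wildcard_action(action):
                findings.append(f"{label}: wildcard action {action!r}")
        if any(r == "*" for r in resources):
            findings.append(f"{label}: wildcard resource '*'")
        # Object writes under a PHI prefix should be tied to server-side encryption with KMS.
        sse = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-server-side-encryption")
        if "s3:PutObject" in actions and sse != "aws:kms":
            findings.append(f"{label}: s3:PutObject allowed without SSE-KMS condition")
    return findings


def is_least_privilege(policy: dict) -> bool:
    """True when the linter raises no finding for the policy."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {lint_policy(policy) or 'OK'}")
```

The lint is deliberately narrow: it flags the shapes that are almost never justified for a role touching PHI, and leaves service-specific judgement (which S3 or KMS actions a given workload actually needs) to review. A `Deny` statement that blocks non-TLS requests or unencrypted uploads at the bucket level is the usual complement and is not checked here.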

How to sign an AWS Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is a mandatory legal contract between AWS and any organization handling Protected Health Information (PHI).

It sets out AWS's responsibilities for protecting the underlying cloud infrastructure. The customer stays responsible for security configurations, access controls, and ongoing compliance management.

Without a BAA in place, an organization cannot store, process, or transmit PHI in AWS under HIPAA.

Steps to sign an AWS BAA

Signing a BAA with AWS is straightforward:

  1. Review AWS's HIPAA compliance program. Before signing, make sure your organization understands AWS's shared responsibility model and uses only HIPAA-eligible AWS services.
  2. Access the AWS BAA agreement. AWS provides the BAA through the AWS Artifact portal, where customers review and accept it.
  3. Implement security controls. Once the BAA is signed, configure your AWS environments to HIPAA requirements, with encryption, access control, and monitoring in place.

Watch out

The BAA does not make an organization HIPAA compliant on its own. It only confirms that AWS meets its infrastructure obligations. The customer still has to follow HIPAA security and privacy practices to comply.

Running regular HIPAA compliance audits in AWS

Regular audits confirm that HIPAA controls stay enforced and surface security risks before they become incidents. Organizations should run internal compliance reviews at least once a year and keep detailed logs for regulatory reporting.

AWS Security Hub, GuardDuty, and CloudTrail let you catch drift in your security controls early, which lowers the chance of a data breach or a compliance gap. See how one healthcare platform used AWS-native security automation to strengthen its compliance posture and operational resilience in this success story.
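"Catching drift early" is, in practice, evaluating every resource against a written baseline and raising findings for the ones that have moved away from it, which is what AWS Config rules and Security Hub controls do under the hood. The script below is an added example, not safeINIT's code or an AWS Config implementation: it runs four baseline rules over a small, constructed inventory of resource records (a simplified shape, not the real AWS Config schema) and returns the non-compliant ones. The baseline itself (SSE-KMS rather than SSE-S3 on PHI buckets, all four public-access-block settings on, a multi-region CloudTrail trail with log-file validation and KMS-encrypted logs, encrypted RDS and EBS storage) is an assumed internal standard, not text taken from the HIPAA rule. All resource IDs are placeholders.

```python
"""Baseline drift check over simplified resource records (added example, constructed input)."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    compliant: bool
    detail: str = ""


# Each rule takes a resource's configuration dict and returns (compliant, detail).
def s3_sse_kms(cfg: dict) -> tuple[bool, str]:
    algo = cfg.get("default_encryption", {}).get("sse_algorithm")
    return algo == "aws:kms", f"default encryption is {algo!r}"


def s3_public_access_blocked(cfg: dict) -> tuple[bool, str]:
    pab = cfg.get("public_access_block", {})
    keys = ("block_public_acls", "ignore_public_acls", "block_public_policy", "restrict_public_buckets")
    missing = [k for k in keys if not pab.get(k)]
    return not missing, (f"unset: {missing}" if missing else "all four settings enabled")


def cloudtrail_hardened(cfg: dict) -> tuple[bool, str]:
    problems = []
    if not cfg.get("is_multi_region"):
        problems.append("single-region trail")
    if not cfg.get("log_file_validation"):
        problems.append("no log file validation")
    if not cfg.get("kms_key_id"):
        problems.append("logs not KMS-encrypted")
    return not problems, (", ".join(problems) or "multi-region, validated, KMS-encrypted")


def storage_encrypted(cfg: dict) -> tuple[bool, str]:
    return bool(cfg.get("encrypted")), f"encrypted={cfg.get('encrypted')}"


# Rules keyed by the resource type they apply to.
RULES: dict[str, list[tuple[str, Callable[[dict], tuple[bool, str]]]]] = {
    "AWS::S3::Bucket": [("s3-sse-kms", s3_sse_kms), ("s3-public-access-blocked", s3_public_access_blocked)],
    "AWS::CloudTrail::Trail": [("cloudtrail-hardened", cloudtrail_hardened)],
    "AWS::RDS::DBInstance": [("storage-encrypted", storage_encrypted)],
    "AWS::EC2::Volume": [("storage-encrypted", storage_encrypted)],
}

# Constructed inventory: one bucket still matches the baseline, the export bucket has drifted
# (SSE-S3 instead of SSE-KMS, one public-access setting turned off), the trail lost log-file
# validation, the database is fine and one EBS volume was created unencrypted.
ALL_BLOCKED = {k: True for k in ("block_public_acls", "ignore_public_acls", "block_public_policy", "restrict_public_buckets")}
SAMPLE_INVENTORY = [
    {"type": "AWS::S3::Bucket", "id": "example-phi-records",
     "config": {"default_encryption": {"sse_algorithm": "aws:kms"}, "public_access_block": ALL_BLOCKED}},
    {"type": "AWS::S3::Bucket", "id": "example-phi-exports",
     "config": {"default_encryption": {"sse_algorithm": "AES256"},
                "public_access_block": {**ALL_BLOCKED, "block_public_policy": False}}},
    {"type": "AWS::CloudTrail::Trail", "id": "example-trail",
     "config": {"is_multi_region": True, "log_file_validation": False, "kms_key_id": "EXAMPLE-KEY-ID"}},
    {"type": "AWS::RDS::DBInstance", "id": "example-db", "config": {"encrypted": True}},
    {"type": "AWS::EC2::Volume", "id": "vol-EXAMPLE", "config": {"encrypted": False}},
]


def evaluate(items: list[dict]) -> list[Finding]:
    """Run every applicable rule over every record; resource types without rules are skipped."""
    findings = []
    for item in items:
        for rule_name, rule in RULES.get(item["type"], []):
            ok, detail = rule(item["config"])
            findings.append(Finding(item["id"], rule_name, ok, detail))
    return findings


def noncompliant(items: list[dict]) -> list[Finding]:
    """Only the findings that represent drift from the baseline."""
    return [f for f in evaluate(items) if not f.compliant]


if __name__ == "__main__":
    for f in noncompliant(SAMPLE_INVENTORY):
        print(f"NON_COMPLIANT {f.resource_id} [{f.rule}]: {f.detail}")
```

Running it on the constructed inventory reports four drifted resources out of five; the records here are hand-built, so the same rules run against a real inventory only after the fields are mapped from whatever AWS Config or the describe APIs actually return. The value of the approach is that the baseline is code, reviewable and re-run on every change, rather than a checklist someone walks once a year.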

Closing thoughts

AWS HIPAA compliance is more than signing a BAA. It rests on strong access controls, continuous monitoring, and automated compliance checks. With the right AWS security tools in place, a business can detect threats in real time and hold compliance as it grows.

We help organizations deploy pre-configured landing zones, put security automation in place, and run their compliance audits. If you want a setup that keeps your workloads secure and aligned with HIPAA, drop us a message.

Frequently asked questions

Does using AWS make my app HIPAA compliant?

Not on its own. AWS gives you the infrastructure and security tools to support HIPAA compliance, but configuring the services correctly is your responsibility. That means enforcing least-privilege access, encrypting PHI, and running regular compliance audits to keep protection in place.

How do I keep my AWS environment HIPAA compliant?

HIPAA compliance is ongoing work: IAM controls, encryption, and continuous monitoring with tools like AWS Security Hub and GuardDuty. It can get complicated, and the right AWS partner makes it easier. Get in touch to see how we can help.

Which AWS services can I use for HIPAA compliance?

AWS publishes a list of HIPAA-eligible services, including Amazon S3, AWS Lambda, RDS, DynamoDB, IAM, AWS Shield, and CloudTrail. Use only these approved services to store, process, or transmit PHI.

What happens if my AWS environment fails a HIPAA audit?

Non-compliance can mean fines, legal exposure, and reputational damage. You'll need to address the security gaps right away, document the remediation, and put continuous compliance monitoring in place with tools like AWS Config and Security Hub so the same gaps don't recur.

How often should I run HIPAA compliance audits in AWS?

Audit AWS environments regularly: run internal reviews at least once a year and keep continuous security monitoring enabled. AWS Audit Manager, AWS Config, and automated compliance checks help you hold compliance over time.