AWS HIPAA-compliant cloud environments enable healthcare providers, SaaS companies, and other organizations handling Protected Health Information (PHI) to meet security and regulatory requirements. AWS offers HIPAA-eligible services and security tools to help businesses store, process, and transmit PHI while maintaining compliance with federal regulations.
However, AWS itself is not HIPAA-certified. Instead, it provides the infrastructure and security controls needed for compliance, while customers must properly configure AWS services and implement technical, administrative, and physical safeguards to protect PHI.
This guide explains what it means to be AWS HIPAA compliant, the AWS services and security measures that support compliance, and how to sign a Business Associate Agreement (BAA) with AWS to ensure legal responsibility for PHI protection.
What does it mean to be AWS HIPAA compliant?
Being AWS HIPAA compliant means using AWS services in a way that aligns with HIPAA regulations to protect electronic Protected Health Information (ePHI).
AWS provides a secure cloud infrastructure with HIPAA-eligible services, but it is up to each organization to implement the necessary security configurations and administrative policies to ensure full compliance.
AWS and the Shared Responsibility Model for HIPAA
The Shared Responsibility Model defines who is responsible for securing different aspects of the cloud environment:
- AWS’s Responsibility – AWS secures the underlying cloud infrastructure, including data centers, networking, and physical security.
- Customer’s Responsibility – The organization using AWS must configure services correctly, implement access controls, encrypt PHI, and monitor for security threats.
The Role of the AWS Business Associate Agreement (BAA)
For any organization handling PHI in AWS, signing an AWS Business Associate Agreement (BAA) is required. The BAA ensures that AWS will protect the underlying infrastructure according to HIPAA standards.
However, signing a BAA does not automatically make an organization HIPAA compliant. You must still properly configure your AWS services to meet security and privacy requirements.
AWS offers tools for HIPAA compliance, but companies must still meet legal and technical requirements. If you want to learn how to properly configure your infrastructure for strict healthcare compliance, take a look at our technical implementation guide.
Key requirements to be AWS HIPAA compliant
To be AWS HIPAA compliant, organizations must follow specific security, privacy, and technical safeguards that align with HIPAA regulations. AWS provides HIPAA-eligible services and security tools, but customers must configure and manage them correctly to protect electronic Protected Health Information (ePHI).
AWS Business Associate Agreement (BAA)
Any organization handling PHI in AWS must sign an AWS Business Associate Agreement (BAA). This legal contract establishes AWS’s responsibility for securing cloud infrastructure and ensures that AWS services meet HIPAA security and privacy requirements.
AWS HIPAA-Eligible Services
AWS has a list of HIPAA-eligible services that can be used to store, process, or transmit PHI. Some of the key services include:
- Compute & Storage: Amazon EC2, AWS Lambda, Amazon S3, Amazon EBS
- Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB
- Networking & Security: AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), AWS Shield, AWS WAF
- Monitoring & Logging: AWS CloudTrail, Amazon CloudWatch, AWS Security Hub
To ensure compliance, organizations should only use HIPAA-eligible services for handling PHI and configure them according to AWS security best practices.
Understanding AWS compliance requirements is only part of the equation—organizations must also implement administrative and operational safeguards to achieve full HIPAA compliance. Learn more in our guide on How to Become HIPAA Compliant.
How to build an AWS HIPAA-Compliant Architecture
Building an AWS HIPAA-compliant environment requires secure cloud configurations, encryption, and continuous monitoring.
While organizations can configure AWS services manually, the fastest and most effective approach is to deploy a pre-configured Landing Zone designed for HIPAA compliance.
A HIPAA-compliant AWS architecture must include secure VPC networking, IAM-based access controls, and real-time security monitoring using AWS-native tools. Solutions like our HIPAA-Compliant Environment streamline this process by leveraging Infrastructure-as-Code (IaC) methodologies, AWS Security Hub, GuardDuty, and AWS Config to automate compliance enforcement and risk management.
Security and compliance go hand in hand when handling PHI in AWS. Strict IAM policies enhance security, automated failover reduces downtime risks, and AWS-native tools like GuardDuty and Security Hub ensure continuous compliance. Check out how rXperius successfully modernized its cloud infrastructure to meet HIPAA standards while strengthening security and operational efficiency.
How to sign an AWS Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is a mandatory legal contract between AWS and any organization handling Protected Health Information (PHI). It outlines AWS’s responsibilities in protecting the underlying cloud infrastructure, while the customer remains responsible for proper security configurations, access controls, and compliance management. Without a BAA in place, an organization cannot store, process, or transmit PHI in AWS under HIPAA regulations.
Steps to Sign an AWS BAA
Signing a BAA with AWS is a straightforward process:
- Review AWS’s HIPAA Compliance Program: before signing, ensure that your organization understands AWS’s shared responsibility model and uses only HIPAA-eligible AWS services.
- Access the AWS BAA Agreement: AWS provides the BAA through the AWS Artifact portal, where customers can review and accept the agreement.
- Implement Security Controls: once the BAA is signed, organizations must configure their AWS environments according to HIPAA requirements, ensuring encryption, access control, and monitoring are in place.
Note: The BAA does not automatically make an organization HIPAA compliant — it only ensures that AWS meets its infrastructure obligations. The customer must still follow HIPAA security and privacy best practices to fully comply with regulations.
Conducting regular HIPAA compliance audits in AWS
Regular audits ensure that HIPAA controls remain enforced and that security risks are proactively identified and mitigated. Organizations should conduct internal compliance reviews at least annually and maintain detailed logs for regulatory reporting.
Proactive risk mitigation with AWS Security Hub, GuardDuty, and CloudTrail ensures that security controls remain intact, reducing the risk of data breaches and compliance failures. See how one healthcare platform leveraged AWS-native security automation to strengthen compliance and operational resilience in this success story.
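As an added example (not code from this article, from AWS, or from the case study it links), the following pure-Python audit checks a constructed snapshot of resources against the safeguards the architecture and audit sections name: SSE-KMS default encryption and a full public access block on S3 buckets holding PHI, a multi-region CloudTrail trail with log file validation, and IAM policies that allow '*' on '*'. The dict shapes follow the boto3 responses named in the comments, while the bucket and policy names, the sample values and the SSE-KMS requirement are assumptions; nothing here calls AWS.

```python
# Added example (not the article's or AWS's code): audits the safeguards the article names.
# Inputs are constructed dicts shaped after boto3 responses (get_bucket_encryption,
# get_public_access_block, describe_trails) and IAM policy documents, here from SAMPLE_ENV.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def check_s3(name, enc, pab):
    """PHI at rest must default to SSE-KMS (a policy choice here) and block public access."""
    findings = []
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if "aws:kms" not in algos:
        findings.append(f"s3:{name}: default encryption is not SSE-KMS")
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    if not all(cfg.get(flag) for flag in PAB_FLAGS):
        findings.append(f"s3:{name}: public access block is not fully enabled")
    return findings

def check_cloudtrail(trails):
    """Audit logging must cover every region and be tamper-evident (log file validation)."""
    ok = [t for t in trails.get("trailList", [])
          if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    return [] if ok else ["cloudtrail: no multi-region trail with log file validation"]

def check_iam_policy(name, doc):
    """Least privilege: flag Allow statements granting every action on every resource."""
    wild = lambda v: "*" in ([v] if isinstance(v, str) else v)  # Action/Resource may be str or list
    return [f"iam:{name}: statement allows '*' on '*'" for st in doc.get("Statement", [])
            if st.get("Effect") == "Allow" and wild(st.get("Action", [])) and wild(st.get("Resource", []))]

def audit(env):
    """Run every check over an environment snapshot; an empty list means no findings."""
    findings = []
    for b in env["buckets"]:
        findings += check_s3(b["Name"], b["Encryption"], b["PublicAccessBlock"])
    findings += check_cloudtrail(env["cloudtrail"])
    for p in env["policies"]:
        findings += check_iam_policy(p["Name"], p["Document"])
    return findings

SAMPLE_ENV = {  # constructed snapshot, not a real account
    "buckets": [
        {"Name": "phi-records", "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-key"}}]}},
         "PublicAccessBlock": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}},
        {"Name": "phi-exports", "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
         "PublicAccessBlock": {"PublicAccessBlockConfiguration": {**dict.fromkeys(PAB_FLAGS, True), "IgnorePublicAcls": False}}}],
    "cloudtrail": {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}]},
    "policies": [{"Name": "clinician-app", "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
}
```

Against a real account, build the snapshot from the named boto3 calls and treat every returned string as a finding to remediate and document for the audit trail.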
Conclusion
AWS HIPAA compliance goes beyond signing a BAA: it requires strong access controls, continuous monitoring, and automated compliance checks. With AWS security tools, businesses can detect threats in real time and ensure compliance at scale.
We help organizations deploy pre-configured landing zones, enforce security automation, and streamline compliance audits. If you’re looking for a solution that ensures your workloads remain secure, resilient, and aligned with HIPAA requirements, drop us a message.
FAQ about being AWS HIPAA compliant
1. Does using AWS make my app HIPAA compliant?
Not automatically. AWS provides the infrastructure and security tools to support HIPAA compliance, but organizations are responsible for configuring services correctly. This includes enforcing least privilege access, encrypting PHI, and conducting regular compliance audits to ensure ongoing protection.
2. How can I make sure my AWS environment stays HIPAA compliant?
HIPAA compliance is an ongoing process, requiring IAM controls, encryption, and continuous monitoring with tools like AWS Security Hub and GuardDuty. Ensuring compliance can be complex, but having the right AWS partner can help. Get in touch with us to see how we can help.
3. What AWS services can I use for HIPAA compliance?
AWS offers a list of HIPAA-eligible services, including Amazon S3, AWS Lambda, RDS, DynamoDB, IAM, AWS Shield, and CloudTrail. Only these approved services should be used for storing, processing, or transmitting PHI.
4. What happens if my AWS environment fails a HIPAA audit?
Non-compliance can lead to fines, legal risks, and reputational damage. Organizations must immediately address security gaps, document remediation actions, and implement continuous compliance monitoring using tools like AWS Config and Security Hub to prevent future violations.
5. How often should I conduct HIPAA compliance audits in AWS?
AWS environments should be audited regularly, with internal reviews conducted at least annually and continuous security monitoring enabled. Using AWS Audit Manager, AWS Config, and automated compliance checks can help maintain compliance over time.