The only HIPAA Compliance guide you’ll ever need

How the HIPAA Security Rule maps to specific AWS configurations, written by the team that builds these environments for a living.

  • 5 sections of the HIPAA Security Rule
  • 40+ AWS configurations
  • 26 HIPAA + AWS terms in the glossary

HIPAA on AWS: The Definitive Technical Implementation Guide (book cover)

Skip the part where you piece HIPAA together from a hundred AWS docs.

Every HIPAA Security Rule citation gets matched to a specific AWS configuration that satisfies it. The patterns in the guide come from production accounts safeINIT runs today, not from a whitepaper read-through.

  1. Every control, named

    HIPAA citations matched to specific AWS configurations

    Every safeguard from the Security Rule is paired with a specific AWS service and the exact setting that satisfies it. No paraphrasing the regulation. No vague 'consider using AWS Config' references. You can hand a page to an engineer and they can implement it.

  2. Drawn from real deployments

    Built from the HIPAA environments we run today

    The AWS configurations in the guide are the ones safeINIT applies on production accounts holding ePHI today. They've been through audits. They're not architecture diagrams that look right on paper.

  3. What auditors look for

    Audit-ready artifacts, by AWS service

    Encryption settings, access controls, retention policies, BAA scope. These are what take time to defend in a HIPAA assessment. Each one is paired with the AWS configuration that produces the artifact.

Preview pages:

  • Table of contents covering Administrative, Physical, and Technical Safeguards
  • Introduction to the AWS Business Associate Agreement and HIPAA controls in AWS
  • Section 2 on Physical Safeguards: AWS Shared Responsibility Model and S3 data backup
  • Section 4 on Organizational Requirements: Business Associate Contracts

Want the 25-minute version first?

Cosmin and Ovidiu walk through the same material the guide covers: the BAA, the AWS shared-responsibility line, and the configurations that decide a HIPAA audit. The guide is the deeper reference; the talk is the fast pass.

Get the full guide

Send your copy to your inbox.


Frequently asked questions

Common questions about the guide and how we handle your details.

Engineering leaders and architects running healthcare workloads on AWS where ePHI is involved. If you're scaling a telehealth product, modernizing PHI pipelines, or preparing for an audit, the guide is meant to be applied to a real account, not read once and filed.

Need help applying this to your environment?

The guide is self-contained. If you'd rather walk through it on your actual AWS account, that's what the architecture call is for.