HIPAA Compliance for Amazon Web Services (AWS): Requirements, BAA, and Best Practices

HIPAA Compliance Overview

HIPAA sets standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). When you move workloads to Amazon Web Services, your goal is not just to “host in the cloud,” but to configure, operate, and monitor environments in ways that meet the Security, Privacy, and Breach Notification Rules.

AWS provides secure building blocks, but HIPAA compliance depends on how you design and manage them. You must restrict access to ePHI, encrypt data appropriately, document safeguards and processes, and maintain continuous oversight. This article explains how to align AWS with HIPAA requirements through the Business Associate Agreement, eligible services, shared responsibility, and proven best practices.

AWS Business Associate Agreement (BAA)

A Business Associate Agreement is required when a cloud provider can create, receive, maintain, or transmit ePHI on your behalf. AWS offers a standard BAA that defines AWS’s obligations as a Business Associate and your obligations as a Covered Entity or Business Associate. You must have an executed BAA in place before placing any ePHI in AWS.

Scope and constraints

The BAA applies only to HIPAA-eligible services and to the specific AWS accounts covered by your acceptance. Using non-eligible services for ePHI is out of scope. Ensure all accounts where ePHI could exist are included and governed.

How to accept and manage the BAA

Accept the BAA in the AWS console, then document the acceptance, covered accounts, and any internal conditions for use. Revisit the agreement during mergers, divestitures, or account restructuring to confirm continued coverage across your environment.

AWS Services Eligible Under BAA

Only use services on the AWS HIPAA-eligible list for storing, processing, or transmitting ePHI. Commonly used categories include compute, storage, databases, networking, identity, logging, and key management. Examples many teams rely on include Amazon EC2, Amazon S3, Amazon EBS, Amazon RDS, AWS Lambda, Amazon DynamoDB, AWS Identity and Access Management, AWS Key Management Service, AWS CloudTrail, and Amazon CloudWatch.

Maintain an allow-list of eligible services and enforce it with service control policies and internal guardrails. Re-check eligibility before adopting new features, regions, or managed integrations, and keep architecture diagrams current so reviewers can quickly confirm that only in-scope services touch ePHI.

Security and Compliance Responsibilities

AWS follows a shared responsibility model: AWS secures the cloud infrastructure, while you secure what you build in the cloud. Your duties include data classification, identity and access controls, network segmentation, encryption, logging, vulnerability management, backup, and incident response.

Identity and access management

Use AWS Identity and Access Management to enforce least privilege. Implement MFA for administrators, short-lived credentials, and fine-grained policies. Separate duties for operations, security, and key management, and use permission boundaries and IAM Access Analyzer to prevent excessive access.

Monitoring and audit logging

Enable organization-wide AWS CloudTrail and Amazon CloudWatch for audit logging and alerting. Protect logs from alteration with versioning and write-once retention. Use AWS Config to track configuration drift, and route findings to a central security account for investigation and evidence collection.

Network and data protection

Segment workloads with VPCs, subnets, and security groups. Prefer private connectivity using VPC endpoints and restrict egress. Scan images and dependencies before deployment, patch regularly, and integrate vulnerability data into your ticketing and change-control workflows.

Best Practices for HIPAA on AWS

• Encrypt data in transit and at rest; centralize key policies with AWS Key Management Service and limit who can use or manage keys.
• Adopt a multi-account strategy to isolate environments (prod, non-prod) and ePHI from supporting services; apply guardrails with AWS Organizations.
• Harden S3 with block public access, bucket policies, and object ownership controls; enable versioning and object lock where appropriate.
• Automate infrastructure with templates so you can reproduce, review, and audit changes; require peer reviews and change approvals.
• Continuously validate compliance with AWS Config rules, preventive controls, and detective alerts tied to remediation playbooks.
• Use data minimization, de-identification, and pseudonymization to limit exposure of ePHI wherever possible.
• Test incident response regularly, including discovery, containment, forensics, notification procedures, and evidence handling.

Compliance Documentation and Audits

HIPAA expects policies, procedures, risk analysis, risk management, and ongoing evaluations. Document your scope, data flows, control owners, and technical safeguards. Store copies of your BAA, network diagrams, key inventories, and change records in a controlled repository.

Leverage native services to generate evidence: CloudTrail for activity records, Config for resource histories, and backup reports for recoverability. Map these artifacts to HIPAA Security Rule standards and maintain an audit calendar for periodic reviews and tabletop exercises.

Data Backup and Disaster Recovery

Define recovery time objectives (RTO) and recovery point objectives (RPO) for each system that handles ePHI. Use AWS Backup, database snapshots, and versioned object storage to meet those targets, and secure backups with encryption and access controls equal to or stronger than production.

Design for resilience with cross-account backups and multi-region replication where business requirements demand it. Regularly test restores, simulate region disruptions, and validate that dependencies such as IAM roles, KMS keys, and networking constructs are available during recovery.

Encryption Requirements

Encrypt ePHI in transit with modern TLS and strong cipher suites. Use server-side encryption for data at rest—SSE-KMS is recommended for centralized control and auditing—and consider client-side encryption for additional protections. Apply encryption consistently to primary data, logs, analytics outputs, and backups.

Key management with AWS KMS

Prefer customer managed keys so you can define key policies, separation of duties, and rotation schedules. Limit key administrators, restrict key usage by principal and resource, and record all key events. For strict isolation needs, evaluate dedicated HSM-backed keys and envelope encryption patterns.

Data lifecycle and retention

Align lifecycle policies with legal and business retention. Ensure archived and replicated data remains encrypted, and sanitize or destroy media when no longer required. Validate that de-identification procedures are documented and consistently applied to data sets used for testing and analytics.

Conclusion

Achieving HIPAA Compliance for Amazon Web Services (AWS) depends on clear scope, a signed BAA, disciplined use of eligible services, and rigorous controls for identity, encryption, audit logging, backup, and monitoring. When you combine sound architecture with continuous verification, you create a defensible, resilient environment for ePHI.

FAQs

What AWS services are covered under the HIPAA BAA?

The BAA covers only services on AWS’s HIPAA-eligible list and only for the accounts included in your agreement. Use an internal allow-list and guardrails to ensure ePHI touches only those eligible services, and re-verify eligibility before adopting new features or regions.

How does the shared responsibility model affect HIPAA compliance on AWS?

AWS secures the underlying cloud infrastructure; you secure everything you build and manage in it—data classification, IAM policies, network segmentation, encryption, audit logging, backups, and incident response. Compliance is a partnership, but your configurations and operations ultimately determine outcomes.

What are the encryption requirements for ePHI on AWS?

Encrypt ePHI in transit with modern TLS and at rest with strong algorithms. Use AWS Key Management Service for centralized key control, enforce least-privilege key usage, rotate keys, and log all access. Apply encryption consistently to production data, analytics outputs, logs, and backups.

How can organizations document HIPAA compliance when using AWS?

Create a clear scope, risk analysis, and control mapping; keep your executed Business Associate Agreement, architecture diagrams, key inventories, and change records. Capture evidence from CloudTrail, Config, and backup reports, and schedule periodic audits and exercises to validate controls and readiness.