How to Get a BAA with AWS: Best Practices and HIPAA Compliance Tips


How to Get a BAA with AWS: Best Practices and HIPAA Compliance Tips

Kevin Henry

HIPAA

March 15, 2025

6-minute read

Execute a Business Associate Agreement

Before you handle electronic protected health information (ePHI) in the cloud, you need a Business Associate Agreement with AWS. A BAA (often called a Business Associate Addendum) defines each party’s duties for safeguarding ePHI and establishes how HIPAA obligations are shared in the AWS Shared Responsibility Model.

Confirm that your use case involves creating, receiving, maintaining, or transmitting ePHI. If so, designate a production account (or AWS Organizations OU) for HIPAA workloads and execute the BAA for that scope to prevent accidental sprawl of ePHI into non-BAA accounts.

How to execute the AWS BAA

  • Assign an authorized signer and grant them permission to manage AWS agreements.
  • Review and accept the AWS Business Associate Agreement in the console for the target account(s) or your management account.
  • Archive the executed document and record the agreement’s effective date and covered accounts for audits.

What the BAA does—and doesn’t—cover

The BAA applies only when you use HIPAA-eligible AWS services to store, process, or transmit ePHI. You must configure and operate those services securely to meet the HIPAA Security Rule; AWS manages the security “of” the cloud while you secure what runs “in” the cloud.

Identify HIPAA-Eligible AWS Services

Not every AWS service is approved for ePHI. Build a current inventory of HIPAA-eligible services and restrict PHI workloads to that list. This avoids accidental data flow into non-eligible offerings that fall outside your Business Associate Agreement.

Practical guardrails

  • Use AWS Organizations service control policies to deny non-eligible services in HIPAA accounts.
  • Label resources that handle ePHI with tags (for example, DataClass=PHI) and validate deployments with preventive controls in CI/CD.
  • Centralize service eligibility reviews and revisit them regularly as AWS adds or updates capabilities.
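The two preventive guardrails above, as an added example that is not part of the original article: a generated service control policy that denies every action outside a reviewed allowlist, and a CI check that rejects deployment plans violating the HIPAA account rules. The allowlist, the resource shape, the account ID and the key ID are constructed placeholders, not AWS's authoritative eligibility list.

```python
import json

# Constructed sample allowlist of service prefixes reviewed as HIPAA-eligible.
# It is NOT the authoritative AWS list; maintain your own from AWS's published reference.
ELIGIBLE_SERVICE_PREFIXES = {"s3", "kms", "ec2", "rds", "cloudtrail", "logs", "iam", "sts"}


def build_phi_guardrail_scp(eligible_prefixes):
    """Return a service control policy that denies every action outside the
    reviewed service list. An SCP only filters what IAM already allows, so
    this caps which services any principal in the HIPAA OU can reach."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonHipaaEligibleServices",
            "Effect": "Deny",
            "NotAction": sorted(f"{p}:*" for p in eligible_prefixes),
            "Resource": "*",
        }],
    }


def validate_deployment(resources, eligible_prefixes):
    """Preventive CI check over a planned deployment (list of dicts derived
    from your IaC plan). Returns human-readable violations; an empty list
    means the plan is safe to apply in a HIPAA account."""
    violations = []
    for r in resources:
        name, service, tags = r["name"], r["service"], r.get("tags", {})
        if service not in eligible_prefixes:
            violations.append(f"{name}: service '{service}' is not on the eligible list")
        if tags.get("DataClass") == "PHI" and not r.get("kms_key_id"):
            violations.append(f"{name}: tagged DataClass=PHI but has no KMS key")
        if service == "s3" and r.get("public_access_blocked") is not True:
            violations.append(f"{name}: S3 bucket must block public access")
    return violations


# Constructed deployment plan for illustration (account ID and key ID are placeholders).
SAMPLE_PLAN = [
    {"name": "phi-bucket", "service": "s3", "tags": {"DataClass": "PHI"},
     "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "public_access_blocked": True},
    {"name": "phi-db", "service": "rds", "tags": {"DataClass": "PHI"}},
    {"name": "analytics-job", "service": "exampleservice", "tags": {"DataClass": "PHI"}},
]

if __name__ == "__main__":
    print(json.dumps(build_phi_guardrail_scp(ELIGIBLE_SERVICE_PREFIXES), indent=2))
    for v in validate_deployment(SAMPLE_PLAN, ELIGIBLE_SERVICE_PREFIXES):
        print("VIOLATION:", v)
```

Attach the generated SCP to the HIPAA OU rather than to the management account, which SCPs do not restrict.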

Implement Data Encryption

Encryption at rest and in transit is foundational to the HIPAA Security Rule. Use AWS Key Management Service to manage customer managed keys and enforce encryption across storage, databases, and backups.

Encryption at rest

  • Require default encryption on Amazon S3 buckets, EBS volumes, RDS instances, and Amazon EFS file systems using KMS keys.
  • Apply bucket policies and block public access on S3; enable object-level encryption and consider S3 Object Lock for immutability.
  • Rotate KMS keys, restrict key administrators and users via key policies, and monitor key usage for anomalies.

Encryption in transit

  • Enforce TLS for all endpoints, including ALB/NLB listeners and API Gateway; disable legacy ciphers and protocols.
  • Use private connectivity (VPC endpoints, PrivateLink) for data flows that include ePHI.
  • Automate certificate lifecycle with AWS Certificate Manager to prevent expirations.

Enforce Access Controls with IAM

Least privilege access is your strongest control for limiting ePHI exposure. With AWS Identity and Access Management, define role-based access, require MFA, and rely on temporary credentials for operational access.


Identity and authorization best practices

  • Map job functions to IAM roles; grant only the permissions needed, with conditions such as aws:MultiFactorAuthPresent.
  • Use permission boundaries and delegated administration to prevent privilege creep in large teams.
  • Federate identities from your IdP and prefer short-lived sessions via AWS STS over long-lived keys.
  • Protect secrets with AWS Secrets Manager and enable rotation for databases and applications.
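The aws:MultiFactorAuthPresent condition has a caveat worth seeing in code: the key is absent from requests signed with long-term access keys, so a Deny that tests it with Bool never fires for those requests, while BoolIfExists does. The simplified policy evaluator below is an added example, not AWS's evaluation engine; the request contexts are constructed.

```python
# Minimal model of IAM policy evaluation, restricted to what the MFA
# condition needs: an explicit Deny beats any Allow, and only the Bool and
# BoolIfExists operators are modelled. This illustrates IAM; it is not IAM.

def _condition_matches(condition, context):
    """Evaluate a Condition block against a request-context dict."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            if key not in context:
                # AWS semantics: Bool on an absent key never matches, while
                # BoolIfExists treats an absent key as a match.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def is_allowed(policy, action, context):
    """Return True if the request is allowed under the simplified policy."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "*" not in actions and action not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False           # explicit deny always wins
        allowed = True
    return allowed

def mfa_required_policy(operator):
    """Allow S3 reads but deny everything when MFA is not present; the
    operator argument selects Bool or BoolIfExists for the Deny statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}

# Constructed request contexts. Long-term access keys carry no
# aws:MultiFactorAuthPresent key at all; temporary credentials always do.
CTX_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
CTX_NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
CTX_ACCESS_KEY = {}
```

Running is_allowed(mfa_required_policy("Bool"), "s3:GetObject", CTX_ACCESS_KEY) returns True, which is exactly the gap the BoolIfExists form closes.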

Network access

  • Place administrative interfaces behind VPN or AWS Verified Access and restrict by source networks.
  • Use security groups and NACLs to implement default-deny and allow minimal, auditable paths.

Enable Logging and Monitoring

Comprehensive visibility is essential for investigation and reporting. Turn on AWS CloudTrail Audit Logs in all regions and all accounts, centralize them, and retain them according to your record-keeping requirements.

Core telemetry

  • Enable organization-wide CloudTrail and deliver logs to a dedicated, encrypted S3 bucket with limited write permissions.
  • Stream application and system logs to Amazon CloudWatch Logs; establish metric filters for sensitive events.
  • Record configuration changes with AWS Config and evaluate rules against your HIPAA baselines.

Threat detection and alerting

  • Activate Amazon GuardDuty for anomaly and threat detection across accounts and regions.
  • Aggregate findings in AWS Security Hub and route alerts to on-call responders.
  • Use CloudTrail Lake or log analytics to answer audit questions quickly and prove control effectiveness.
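The metric filters for sensitive events mentioned under core telemetry, and the alert routing described above, can be prototyped offline before they are wired into CloudWatch or Security Hub. The rule set below is an added example, not code from the article; the CloudTrail records are constructed with made-up values, though the field names and event names follow CloudTrail's schema.

```python
import json

# Detection rules in the spirit of CloudWatch metric filters: each maps a rule
# name to a predicate over one parsed CloudTrail record. They cover events that
# typically warrant paging in a HIPAA account.
RULES = {
    "root_activity": lambda ev: ev.get("userIdentity", {}).get("type") == "Root",
    "console_login_without_mfa": lambda ev: (
        ev.get("eventName") == "ConsoleLogin"
        and ev.get("additionalEventData", {}).get("MFAUsed") == "No"),
    "cloudtrail_tampering": lambda ev: (
        ev.get("eventSource") == "cloudtrail.amazonaws.com"
        and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    "kms_key_disabled_or_deleted": lambda ev: (
        ev.get("eventSource") == "kms.amazonaws.com"
        and ev.get("eventName") in {"ScheduleKeyDeletion", "DisableKey"}),
    "s3_public_access_guard_removed": lambda ev: (
        ev.get("eventSource") == "s3.amazonaws.com"
        and ev.get("eventName") in {"DeletePublicAccessBlock", "DeleteBucketPolicy"}),
}

def scan_cloudtrail(lines, rules=RULES):
    """Parse newline-delimited CloudTrail records and return a list of
    (rule_name, eventID) for every record that triggers a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue        # malformed record: skip it rather than stall the pipeline
        for name, predicate in rules.items():
            if predicate(ev):
                hits.append((name, ev.get("eventID")))
    return hits

# Constructed sample records; field names follow the CloudTrail schema, values are made up.
SAMPLE_LOG = """
{"eventID":"e1","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser"},"additionalEventData":{"MFAUsed":"No"}}
{"eventID":"e2","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"AssumedRole"}}
{"eventID":"e3","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"type":"Root"}}
{"eventID":"e4","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole"}}
"""

if __name__ == "__main__":
    for rule, event_id in scan_cloudtrail(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: event {event_id}")
```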

Establish Backup and Disaster Recovery Plans

Define business-driven recovery point (RPO) and recovery time (RTO) objectives for each ePHI workload. Your plans must protect data integrity, support timely restoration, and document responsibilities under the AWS Shared Responsibility Model.

Resilience patterns

  • Use AWS Backup for policy-driven, encrypted backups across services; separate backup vault accounts and enable cross-region copies.
  • Enable point-in-time recovery for databases where supported and schedule immutable snapshots for critical volumes.
  • Choose an appropriate DR strategy (pilot light, warm standby, or active/active) and document failover runbooks.
  • Test restores and DR drills regularly; validate that restored systems meet security baselines before serving traffic.

Conduct Regular Risk Assessments

Perform a HIPAA Risk Assessment at least annually and after major changes. Evaluate threats to confidentiality, integrity, and availability, and trace each risk to specific safeguards under the HIPAA Security Rule.

Operationalizing risk management

  • Maintain an asset inventory of systems that store or process ePHI and rank them by business impact.
  • Map controls to risks (encryption, IAM, logging, DR) and track remediation in a time-bound plan.
  • Collect artifacts—BAA, architecture diagrams, test results, and change records—to demonstrate due diligence.

Conclusion

To get a BAA with AWS and stay compliant, scope your HIPAA environment, execute the agreement, use only HIPAA-eligible services, and implement strong encryption, access control, logging, and recovery. Continuously assess risk and refine controls so your cloud program reliably protects ePHI.

FAQs

What is a BAA in the context of AWS?

A BAA is a Business Associate Agreement (often called a Business Associate Addendum) between you and AWS that allocates responsibilities for protecting ePHI. It confirms how HIPAA obligations are shared and applies only when you use HIPAA-eligible services for PHI under the AWS Shared Responsibility Model.

How do I sign a BAA with AWS?

Designate an authorized signer, review the AWS Business Associate Agreement in the console, and accept it for your account or management account in AWS Organizations. Retain a copy for your records and ensure all workloads handling ePHI run only in accounts covered by the executed agreement.

Which AWS services are HIPAA-eligible?

AWS maintains a set of HIPAA-eligible services that can process, store, or transmit ePHI under your BAA. Common building blocks include compute, storage, databases, networking, analytics, and security services such as AWS Key Management Service, AWS Identity and Access Management, and AWS CloudTrail Audit Logs. Always verify eligibility before using a service with ePHI.

How does AWS support HIPAA compliance?

AWS provides a secure, audited cloud platform, a standard BAA, and HIPAA-eligible services. You configure and operate your environment—implementing encryption, least-privilege IAM, comprehensive logging, backups, and continuous HIPAA Risk Assessment—while AWS secures the underlying infrastructure in line with the HIPAA Security Rule.
