How to Get a BAA with AWS: Real-World Scenarios for HIPAA Compliance
Securing a BAA with AWS is the first concrete step to process or store Protected Health Information (PHI) in the cloud. This guide walks you through practical actions—from understanding the Business Associate Agreement to building controls, encryption, and Compliance Audit Logs—so you can meet HIPAA obligations without stalling delivery.
You will validate services, accept the agreement in AWS Artifact, harden your architecture, and set measurable guardrails. Each section includes real-world scenarios to help you apply the guidance in production.
Review AWS HIPAA Compliance Resources
What to review first
- Business Associate Agreement: Read the BAA language to understand shared obligations and permitted uses of PHI.
- AWS Artifact documents: Download the HIPAA addendum and reference materials to confirm scope and control expectations.
- Shared Responsibility Model: Separate what AWS secures (the cloud) from what you must secure (in the cloud).
- Internal policies: Align your Data Encryption Standards, incident response, and vendor risk processes with cloud operations.
Map responsibilities to workloads
Define where PHI enters, moves, and rests. Document encryption requirements, Access Management Controls, logging scope, retention, and breach-notification triggers. Identify any third parties that also need a Business Associate Agreement.
Real-world scenario
A telehealth startup plans to store session notes in object storage and run analytics weekly. Before building, the team confirms that the storage and analytics services are HIPAA-eligible, drafts an audit logging plan, selects a KMS key strategy, and updates onboarding to require MFA and short-lived credentials.
Identify HIPAA-Eligible AWS Services
How to check eligibility
- Use AWS Artifact to view the current list of HIPAA-Eligible Services in scope of the BAA.
- Confirm eligibility before you ingest PHI. If a service is not HIPAA-eligible, do not send PHI to it.
- Record service decisions in your design docs and risk register to support Compliance Audit Logs and reviews.
Selection patterns that work
- Use HIPAA-eligible core storage, compute, and database services for PHI; configure messaging and integration components so they are never publicly exposed.
- Managed services that support encryption at rest, TLS in transit, private networking, and detailed logging.
Real-world scenario
An analytics team wants a new machine learning feature. The architect checks whether the ML service is HIPAA-eligible. If eligible, they enable encryption and private endpoints; if not, they deploy a compliant alternative and keep PHI in approved data stores only.
Accept the AWS BAA Agreement
Preparation
- Decide who is authorized to sign—typically an account owner or compliance officer with legal approval.
- If you use multiple accounts, plan whether the management account will accept on behalf of the organization.
Self-service acceptance steps
- Sign in with permissions to access AWS Artifact.
- Open AWS Artifact, go to Agreements, locate the Business Associate Agreement (addendum), review, and accept.
- Download the countersigned copy and store it with your contract repository and Compliance Audit Logs.
Multi-account organizations
Use a central management account to accept the BAA and apply it to member accounts that will handle PHI. Gate creation of PHI workloads behind account vending that enforces encryption, logging, and network baselines from day one.
Real-world scenario
A health system uses separate accounts for dev, test, and prod. The compliance team accepts the BAA in the management account, restricts PHI to prod and limited test accounts, and documents the decision in their risk assessment.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Configure AWS Environment for HIPAA
Account and environment setup
- Create PHI-dedicated accounts with strict guardrails and separate non-PHI workloads to reduce blast radius.
- Automate account provisioning to include encryption defaults, logging, and baseline Access Management Controls.
Networking and data boundaries
- Use private subnets, restricted security groups, and endpoint services to keep PHI traffic inside your VPC.
- Terminate TLS with FIPS-validated cryptography where required and enforce TLS-only client connections.
Data lifecycle design
- Choose storage with server-side encryption and object-level policies; block public access by default.
- Define retention for PHI and logs; use lifecycle rules to archive, then purge per policy.
Real-world scenario
A claims-processing app ingests EDI files into an encrypted landing bucket, triggers validation with event-driven compute in private subnets, stores normalized data in encrypted databases, and exposes read-only analytics through private interfaces.
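The landing bucket in the scenario above needs the TLS-only and encryption guardrails from the networking and data lifecycle lists to be enforced by the bucket itself, not just by client configuration. The following Go program is an added example, not code from the original article or from AWS: it builds a bucket policy with two explicit Deny statements (reject requests made without TLS via aws:SecureTransport, reject uploads that do not request SSE-KMS), returns the four Block Public Access settings a PHI bucket should carry, and includes a deliberately simplified request simulator so you can see which statement rejects which request. The bucket name is constructed, and the simulator evaluates only the two condition operators used here; it is not a full IAM policy engine.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement is the subset of an S3 bucket-policy statement used here.
type Statement struct {
	Sid       string                       `json:"Sid"`
	Effect    string                       `json:"Effect"`
	Principal string                       `json:"Principal"`
	Action    string                       `json:"Action"`
	Resource  []string                     `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition"`
}

// Policy is an S3 bucket policy document.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// BuildPHIBucketPolicy returns two explicit Deny statements for a PHI bucket:
// reject any request not made over TLS, and reject uploads that do not ask
// for SSE-KMS. An explicit Deny wins over any Allow, so these hold regardless
// of what IAM policies grant to callers.
func BuildPHIBucketPolicy(bucket string) Policy {
	arn := "arn:aws:s3:::" + bucket
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{
			{
				Sid: "DenyInsecureTransport", Effect: "Deny", Principal: "*",
				Action:    "s3:*",
				Resource:  []string{arn, arn + "/*"},
				Condition: map[string]map[string]string{"Bool": {"aws:SecureTransport": "false"}},
			},
			{
				Sid: "DenyNonKMSUploads", Effect: "Deny", Principal: "*",
				Action:    "s3:PutObject",
				Resource:  []string{arn + "/*"},
				Condition: map[string]map[string]string{"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
			},
		},
	}
}

// PublicAccessBlock mirrors the four S3 Block Public Access settings; a PHI
// bucket should have all four enabled.
type PublicAccessBlock struct {
	BlockPublicAcls       bool
	IgnorePublicAcls      bool
	BlockPublicPolicy     bool
	RestrictPublicBuckets bool
}

func PHIPublicAccessBlock() PublicAccessBlock {
	return PublicAccessBlock{true, true, true, true}
}

// Request is the part of the S3 request context the two conditions inspect.
// SSEHeader is the x-amz-server-side-encryption value, "" when absent.
type Request struct {
	Action          string
	SecureTransport bool
	SSEHeader       string
}

// Denied reports whether any Deny statement matches the request and which one.
// Simplified model: only the Bool and StringNotEquals operators used above are
// evaluated, and an absent header is treated as ""; this is not a full IAM engine.
func Denied(p Policy, r Request) (bool, string) {
	ctx := map[string]string{
		"aws:SecureTransport":             fmt.Sprint(r.SecureTransport),
		"s3:x-amz-server-side-encryption": r.SSEHeader,
	}
	for _, s := range p.Statement {
		if s.Effect != "Deny" || (s.Action != "s3:*" && s.Action != r.Action) {
			continue
		}
		match := true
		for op, kv := range s.Condition {
			for key, want := range kv {
				switch op {
				case "Bool":
					match = match && ctx[key] == want
				case "StringNotEquals":
					match = match && ctx[key] != want
				}
			}
		}
		if match {
			return true, s.Sid
		}
	}
	return false, ""
}

func main() {
	p := BuildPHIBucketPolicy("example-phi-landing") // constructed bucket name
	doc, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(doc))
	for _, r := range []Request{
		{"s3:PutObject", true, "aws:kms"}, // allowed
		{"s3:PutObject", true, ""},        // denied: no SSE-KMS requested
		{"s3:GetObject", false, ""},       // denied: plaintext transport
	} {
		d, sid := Denied(p, r)
		fmt.Printf("%+v denied=%v by %q\n", r, d, sid)
	}
}
```

The JSON printed by main is what you would attach with put-bucket-policy; the Block Public Access values map one-to-one onto the bucket's public access block configuration. Pair the policy with default bucket encryption set to SSE-KMS so that objects written by services that do not set the header still land encrypted.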
Implement Security Controls for PHI Protection
Data protection baseline
- Encrypt data at rest with KMS-managed keys; enable automatic encryption for block, file, object, and database storage.
- Encrypt data in transit with TLS 1.2+; require modern cipher suites and disable plaintext protocols.
- Use tokenization or format-preserving encryption to minimize PHI spread across systems.
Application and platform safeguards
- Harden compute images, patch frequently, and scan artifacts before deployment.
- Apply least-privilege policies to applications; restrict cross-service access with resource-level conditions.
- Enable web and API protections to reduce exposure of PHI through common attack vectors.
Backup, recovery, and immutability
- Back up PHI stores with encryption and cross-region copies; test restores regularly.
- Use immutable storage features (for example, object lock) for critical audit evidence and tamper resistance.
Manage Access and Data Encryption
Access Management Controls
- Adopt single sign-on with MFA and short session durations; eliminate long-lived access keys.
- Implement role-based access with separation of duties (build, operate, security, audit).
- Require approvals and break-glass procedures for emergency production access, with full session recording.
Key management and Data Encryption Standards
- Define key ownership, rotation, and deletion workflows; restrict who can use and administer keys.
- Use envelope encryption and per-tenant keys when serving multiple customers to limit blast radius.
- Document your Data Encryption Standards, including algorithms, key lengths, rotation cadence, and FIPS requirements.
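Envelope encryption with per-tenant keys, as the list above recommends, is easiest to reason about when you see the two layers in code. The Go program below is an added example written for this guide, not code from the article or from AWS: a per-tenant AES-256 key stands in for the tenant's KMS key (in production the raw key never leaves KMS and wrap/unwrap are KMS API calls), a fresh data key is generated per record, the record is encrypted under the data key, and the data key is wrapped under the tenant key. The tenant id is bound as AES-GCM associated data on both layers, so an envelope from tenant-a cannot be unwrapped with tenant-b's key even if relabelled. Tenant ids and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// TenantKEK stands in for one tenant's key-encryption key in KMS. In production
// the raw key never leaves KMS; here it is an in-memory AES-256 key so the
// wrap/unwrap flow runs offline.
type TenantKEK struct {
	Tenant string
	key    []byte
}

// Envelope is what gets persisted next to the record: the data key wrapped
// under the tenant KEK plus the record ciphertext. No plaintext key is stored.
type Envelope struct {
	Tenant     string
	WrappedKey []byte // nonce || AES-GCM ciphertext of the data key
	Ciphertext []byte // nonce || AES-GCM ciphertext of the record
}

func NewTenantKEK(tenant string) (*TenantKEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &TenantKEK{Tenant: tenant, key: k}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, AAD, or bytes do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt generates a one-off 256-bit data key, encrypts the record with it,
// wraps the data key under the tenant KEK, and discards the plaintext key.
// The tenant id is bound as AAD on both layers, so an envelope cannot be
// silently re-labelled to another tenant.
func (k *TenantKEK) Encrypt(record []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aad := []byte(k.Tenant)
	ct, err := seal(dataKey, record, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(k.key, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{Tenant: k.Tenant, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with this KEK, then decrypts the record. A KEK
// belonging to another tenant fails at the unwrap step with an auth error.
func (k *TenantKEK) Decrypt(env *Envelope) ([]byte, error) {
	aad := []byte(k.Tenant)
	dataKey, err := open(k.key, env.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, aad)
}

func main() {
	a, _ := NewTenantKEK("tenant-a") // constructed tenant ids
	b, _ := NewTenantKEK("tenant-b")
	env, _ := a.Encrypt([]byte("patient 0001: visit note (constructed sample)"))
	pt, err := a.Decrypt(env)
	fmt.Printf("tenant-a: %q err=%v\n", pt, err)
	_, err = b.Decrypt(env)
	fmt.Printf("tenant-b: err=%v\n", err)
}
```

Because each record carries its own wrapped data key, rotating a tenant's KEK means re-wrapping the small data keys rather than re-encrypting every record, and deleting a tenant's KEK makes that tenant's data unrecoverable without touching other tenants.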
Secrets and credentials
- Store application secrets in a managed secrets service; rotate automatically and audit access events.
- Prefer instance or workload identity over embedded credentials; disable plaintext secrets in build pipelines.
Monitor Compliance and Audit Logging
Audit logging architecture
- Enable global activity logging in every account and region; centralize logs into a dedicated, encrypted bucket.
- Protect Compliance Audit Logs with least-privilege policies, object integrity validation, and immutable retention.
- Log at the application layer too—capture access to PHI records and key clinical or billing actions.
Continuous compliance operations
- Use configuration monitoring to detect drift from HIPAA-aligned baselines (encryption off, public access, missing MFA).
- Aggregate findings into a single dashboard; triage with severity and business impact.
- Run periodic risk analyses and control effectiveness reviews; record evidence for auditors in a structured repository.
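The drift checks in the list above (encryption off, public access, missing MFA, logging gaps) can be expressed as a small rule set run over a snapshot of account state, with findings ranked for the single dashboard the list calls for. The Go program below is an added example written for this guide, not code from the article or from AWS: the snapshot schema and its field names are this example's own simplification (a real pipeline would populate it from AWS Config or the service APIs), the embedded snapshot is constructed, and the 90-day access key threshold is a constructed value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// The snapshot types are a constructed, simplified view of account state; the
// field names are this example's own, not AWS's.
type Bucket struct {
	Name           string `json:"name"`
	SSEAlgorithm   string `json:"sse_algorithm"` // "", "AES256" or "aws:kms"
	BlockAllPublic bool   `json:"block_all_public"`
}
type User struct {
	Name         string `json:"name"`
	MFAEnabled   bool   `json:"mfa_enabled"`
	AccessKeyAge int    `json:"access_key_age_days"` // -1 when the user has no key
}
type Trail struct {
	Enabled       bool `json:"enabled"`
	MultiRegion   bool `json:"multi_region"`
	LogValidation bool `json:"log_file_validation"`
}
type Snapshot struct {
	Buckets []Bucket `json:"buckets"`
	Users   []User   `json:"users"`
	Trail   Trail    `json:"trail"`
}

type Finding struct{ Severity, Resource, Rule string }

// maxKeyAgeDays is a constructed threshold for "long-lived" access keys.
const maxKeyAgeDays = 90

var rank = map[string]int{"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

// Evaluate applies HIPAA-aligned baseline rules and returns findings ordered
// for triage, most severe first.
func Evaluate(s Snapshot) []Finding {
	var f []Finding
	add := func(sev, res, rule string) { f = append(f, Finding{sev, res, rule}) }
	for _, b := range s.Buckets {
		switch b.SSEAlgorithm {
		case "":
			add("HIGH", b.Name, "encryption at rest disabled")
		case "aws:kms":
		default:
			add("MEDIUM", b.Name, "encryption not using KMS-managed keys")
		}
		if !b.BlockAllPublic {
			add("CRITICAL", b.Name, "public access not blocked")
		}
	}
	for _, u := range s.Users {
		if !u.MFAEnabled {
			add("HIGH", u.Name, "MFA not enabled")
		}
		if u.AccessKeyAge > maxKeyAgeDays {
			add("MEDIUM", u.Name, fmt.Sprintf("access key older than %d days", maxKeyAgeDays))
		}
	}
	if !s.Trail.Enabled {
		add("CRITICAL", "cloudtrail", "activity logging disabled")
	} else {
		if !s.Trail.MultiRegion {
			add("HIGH", "cloudtrail", "trail is not multi-region")
		}
		if !s.Trail.LogValidation {
			add("MEDIUM", "cloudtrail", "log file integrity validation off")
		}
	}
	sort.SliceStable(f, func(i, j int) bool { return rank[f[i].Severity] < rank[f[j].Severity] })
	return f
}

// sample is a constructed snapshot, not output from any AWS API.
const sample = `{
  "buckets": [
    {"name": "phi-prod-records", "sse_algorithm": "aws:kms", "block_all_public": true},
    {"name": "phi-analytics-export", "sse_algorithm": "AES256", "block_all_public": false}
  ],
  "users": [
    {"name": "ci-deployer", "mfa_enabled": false, "access_key_age_days": 400},
    {"name": "dr.lee", "mfa_enabled": true, "access_key_age_days": -1}
  ],
  "trail": {"enabled": true, "multi_region": false, "log_file_validation": true}
}`

// Load parses a snapshot document.
func Load(doc string) (Snapshot, error) {
	var s Snapshot
	err := json.Unmarshal([]byte(doc), &s)
	return s, err
}

func main() {
	s, err := Load(sample)
	if err != nil {
		panic(err)
	}
	for _, x := range Evaluate(s) {
		fmt.Printf("%-8s %-22s %s\n", x.Severity, x.Resource, x.Rule)
	}
}
```

Run against the constructed snapshot, the program reports the publicly reachable export bucket first, then the two HIGH findings (a deployer identity without MFA and a single-region trail), then the MEDIUM items. Each finding is also the evidence record to keep for the pre-audit runbook: a dated list of detected drift and its remediation.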
Pre-audit runbook
- Prove the BAA exists (copy from AWS Artifact), list HIPAA-Eligible Services in use, and map each to controls.
- Show incident response procedures, breach triage, and notification timelines.
- Demonstrate backup restores, key rotations, and access reviews with time-stamped evidence.
Conclusion
To get a BAA with AWS and operate compliantly, confirm HIPAA-Eligible Services, accept the agreement in AWS Artifact, and enforce encryption, least privilege, and rigorous logging. Treat controls as code, centralize Compliance Audit Logs, and validate regularly so PHI stays protected while your teams ship features safely.
FAQs
What is a BAA in relation to AWS?
A Business Associate Agreement is a contractual addendum that designates AWS as a Business Associate for covered services so you can handle PHI in the cloud. The BAA defines shared responsibilities; it enables HIPAA use cases but does not, by itself, make your workloads compliant. You still must implement the required administrative, physical, and technical safeguards.
How do I accept the AWS BAA?
Sign in with appropriate permissions, open AWS Artifact, locate the Business Associate Agreement, review, and accept it. In multi-account setups, accept in the management account and apply it to member accounts that will process PHI. Save the countersigned document with your Compliance Audit Logs and contract records.
Which AWS services are HIPAA-eligible?
AWS publishes a list of HIPAA-Eligible Services accessible through AWS Artifact and related resources. Use only those services for PHI, verify eligibility before adopting new features, and document decisions. If a service is not HIPAA-eligible, keep PHI out of it or front it with eligible components that prevent PHI exposure.
How can I ensure my AWS environment complies with HIPAA?
Accept the BAA, select HIPAA-Eligible Services, enforce encryption in transit and at rest, implement strict Access Management Controls, segment networks, and enable comprehensive logging with immutable retention. Maintain risk analyses, test backup restores, rotate keys and secrets, and capture evidence in your Compliance Audit Logs to demonstrate continuous adherence.