How to Get a HIPAA BAA with AWS: A Beginner’s Step-by-Step Guide

Kevin Henry

HIPAA

March 15, 2025


Overview of AWS Business Associate Addendum

The Business Associate Addendum (BAA) is the contract that allows you to create, receive, maintain, or transmit Protected Health Information (PHI) on Amazon Web Services. It sets the terms under which AWS acts as your business associate and outlines each party’s obligations under HIPAA and HITECH.

Signing a BAA does not make you "HIPAA compliant" by itself. It permits PHI on HIPAA-eligible services and allocates compliance responsibilities between you and AWS. You remain responsible for security configuration, policies, workforce training, incident response, and documentation.

The BAA applies at the AWS account level (or to every account in an AWS Organization when accepted as an organization agreement) and only to HIPAA-eligible services. Before you handle any PHI, you must both accept the BAA and limit PHI processing to eligible services in the accounts you designate for HIPAA workloads.

Using AWS Artifact for BAA Acceptance

The AWS Artifact portal is where you review and accept the BAA. The process takes minutes when your legal and account details are ready.

  • Prepare: Identify the AWS account(s) that will host PHI, confirm who has authority to accept agreements, and determine the legal contact and notification email to use.
  • Access Artifact: Sign in to the target account and open AWS Artifact. Navigate to Agreements and locate the Business Associate Addendum (BAA).
  • Review and accept: Read the terms, confirm your legal entity information, and accept the agreement. Capture the agreement ID, acceptance time, and account number.
  • Store evidence: Download the executed BAA and the acceptance record. File them in your compliance repository and vendor management system.
  • Monitor updates: Turn on Artifact notifications so you’re alerted when AWS publishes BAA updates that may require your review.

Repeat these steps for each standalone account that will handle PHI, or manage acceptance centrally using AWS Organizations integration as described below.

Designating HIPAA Accounts in AWS

Formally separate environments that handle PHI from those that do not. A clear HIPAA Accounts designation makes controls enforceable and audits straightforward.

  • Create dedicated accounts: Place PHI workloads in accounts created specifically for HIPAA use. Keep dev/test with real PHI in separate, locked-down accounts.
  • Tag and inventory: Tag accounts (for example, “Data=PHI; Reg=HIPAA”) and maintain a living register mapping each HIPAA account to its accepted BAA.
  • Enforce service scope: Use guardrails to allow only HIPAA-eligible services in HIPAA accounts. Deny-by-default policies reduce risk of accidental use of non-eligible services.
  • Restrict Regions: Limit HIPAA accounts to approved Regions, and document where PHI may be stored and processed.
  • Harden by default: Enable encryption by default, block public access to storage, require TLS, and route all logs to a separate, immutable log archive account.
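The "enforce service scope" and "restrict Regions" guardrails above are normally implemented as a service control policy (SCP) attached to the HIPAA OU. The following is an added example, not code from the original article or from AWS: it generates a deny-by-default SCP from an allow-list and lets you sanity-check individual API calls against it before attaching it. The eligible-service list, the approved Regions, and the set of global administrative services exempted from the Region check are all constructed assumptions for the demo; the real list must come from AWS's published HIPAA Eligible Services Reference, and a service missing from the demo list says nothing about its real eligibility.

```python
"""Generate a deny-by-default service control policy (SCP) for a HIPAA OU and
sanity-check API calls against it before it is attached."""
import fnmatch
import json

# Constructed allow-list for this demo only. The real list must come from AWS's
# HIPAA Eligible Services Reference and be re-verified whenever it changes;
# absence from this set says nothing about a service's actual eligibility.
ELIGIBLE_SERVICES = ["s3", "ec2", "rds", "kms", "lambda", "logs", "cloudtrail"]

# Regions in which PHI may be stored and processed (assumption for the demo).
APPROVED_REGIONS = ["us-east-1", "us-west-2"]

# Administrative services that are global (not bound to a Region) and must stay
# reachable for the account to be manageable at all. They carry no PHI.
ADMIN_GLOBAL_SERVICES = ["iam", "sts", "organizations"]


def build_hipaa_scp(eligible, regions, admin_global):
    """Return the SCP as a dict. An SCP never grants access; it only caps what
    IAM policies in the account can allow, so everything NOT carved out by
    NotAction is denied regardless of any IAM Allow."""
    reachable = sorted(set(eligible) | set(admin_global))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonHipaaEligibleServices",
                "Effect": "Deny",
                "NotAction": [f"{svc}:*" for svc in reachable],
                "Resource": "*",
            },
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                # Global services are exempted; their calls are not tied to a Region.
                "NotAction": [f"{svc}:*" for svc in sorted(admin_global)],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": sorted(regions)}
                },
            },
        ],
    }


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' wildcards as in IAM.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(policy, action, region):
    """Local pre-check of one API call ('s3:PutObject' in 'eu-west-1') against
    the generated SCP. Only the Deny/NotAction/aws:RequestedRegion shape built
    above is modelled; this is not the IAM policy engine, so validate the
    attached policy with real test principals before relying on it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # action is carved out of this Deny statement
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and region in allowed:
            continue  # condition is not satisfied, so the Deny does not fire
        return True
    return False


if __name__ == "__main__":
    scp = build_hipaa_scp(ELIGIBLE_SERVICES, APPROVED_REGIONS, ADMIN_GLOBAL_SERVICES)
    print(json.dumps(scp, indent=2))
    for action, region in [("s3:PutObject", "us-east-1"),
                           ("s3:PutObject", "eu-west-1"),
                           ("notlisted:DoSomething", "us-east-1"),
                           ("iam:CreateRole", "us-east-1")]:
        verdict = "DENIED" if is_denied(scp, action, region) else "allowed by SCP"
        print(f"{action:24s} {region:12s} -> {verdict}")
```

Attach the generated document with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` followed by `aws organizations attach-policy` against the HIPAA OU, never the root, so non-HIPAA OUs are unaffected. Two caveats a practitioner should expect: an SCP document is limited to 5,120 characters, so a long allow-list may need to be split across several policies, and the SCP does not apply to the management account itself, which is one more reason to keep PHI workloads out of it.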

Managing BAAs with AWS Organizations

If you operate multiple accounts, use AWS Organizations integration to centralize how BAAs are accepted, tracked, and enforced.

  • Central ownership: Designate a management or delegated administrator account to manage agreements on behalf of member accounts.
  • Organization-wide coverage: An organization agreement accepted from the management account applies to every account in the organization, including accounts added later, so new accounts in the HIPAA OU are covered without per-account acceptance. AWS Artifact does not scope the agreement to individual OUs; the OU structure and its service control policies, not the agreement, determine where PHI may actually be processed.
  • Visibility and attestation: Periodically export an inventory of accounts covered by the BAA and reconcile it with your HIPAA account register.
  • Exception handling: For accounts outside the organization or special cases, accept the BAA individually and document the exception and compensating controls.

Identifying HIPAA-Eligible AWS Services

Only use HIPAA-eligible services to create, receive, maintain, or transmit PHI. Eligibility can change over time, so verify before deployment.

  • Use the AWS reference list: AWS publishes the current HIPAA Eligible Services Reference on its compliance site; treat that page as the source of truth for eligibility, and keep the executed BAA from AWS Artifact alongside it, since the BAA governs how those services may be used.
  • Validate per service: Confirm that specific features you rely on are in scope; some features of an eligible service may have exclusions.
  • Account for Region scope: Ensure the service is eligible in the Regions you plan to use.
  • Operationalize enforcement: Encode the eligible service list into your service control policies and CI/CD checks so drift is detected and blocked.
  • Document usage: For each workload, record which HIPAA-eligible services process PHI and where PHI is stored, transmitted, and backed up.

Common building blocks often used in HIPAA architectures include storage, compute, databases, and integration services; always confirm current eligibility and feature scope before handling PHI.
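The "operationalize enforcement" bullet above calls for a CI/CD check that catches drift before deployment, and the "harden by default" guidance earlier asks for encryption and public-access blocking to be the baseline. The following is an added example, not code from the original article or from AWS: a pre-deployment check that scans a CloudFormation template (JSON form) for resources from services outside the allow-list and for S3 buckets that lack SSE-KMS default encryption or a full public access block. The allow-list and the sample template are constructed for the demo; the real allow-list comes from AWS's HIPAA Eligible Services Reference, and a service being absent from the demo list says nothing about its real eligibility.

```python
"""CI/CD guardrail: fail the pipeline when a CloudFormation template declares
resources outside the HIPAA-eligible allow-list or S3 buckets that are not
hardened by default (SSE-KMS encryption plus a full public access block)."""
import json
import sys

# Constructed allow-list for the demo only. In practice, load it from the file
# your compliance team maintains from AWS's HIPAA Eligible Services Reference.
ELIGIBLE_SERVICES = {"s3", "dynamodb", "lambda", "kms", "logs"}

# Constructed sample template. PhiBucket and PhiTable are compliant; the rest
# exist to trigger each kind of finding.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "PhiBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                             "KMSMasterKeyID": "alias/phi-data"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                           "IgnorePublicAcls": true, "RestrictPublicBuckets": true}
      }
    },
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "PhiTable": {"Type": "AWS::DynamoDB::Table",
                 "Properties": {"BillingMode": "PAY_PER_REQUEST",
                                "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
                                "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}]}},
    "IntakeQueue": {"Type": "AWS::SQS::Queue"},
    "Notifier": {"Type": "Custom::SlackWebhook",
                 "Properties": {"ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:notify"}}
  }
}
""")


def service_of(resource_type):
    """'AWS::S3::Bucket' -> 's3'. Returns None for Custom:: or malformed types,
    whose backing service cannot be read from the type name."""
    parts = resource_type.split("::")
    if len(parts) == 3 and parts[0] == "AWS":
        return parts[1].lower()
    return None


def check_service_scope(template, eligible):
    """One finding per resource whose service is not on the allow-list; custom
    resources are flagged for manual review since they can call anything."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        svc = service_of(rtype)
        if svc is None:
            findings.append(f"{logical_id}: {rtype} is a custom resource; review what it calls")
        elif svc not in eligible:
            findings.append(f"{logical_id}: {rtype} uses '{svc}', which is not on the eligible list")
    return findings


def check_s3_hardening(template):
    """Flag AWS::S3::Bucket resources that are not encrypted with SSE-KMS by
    default or do not set all four public access block flags."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration", [])
        if not any((r.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm") == "aws:kms"
                   for r in rules):
            findings.append(f"{logical_id}: no SSE-KMS default encryption")
        pab = props.get("PublicAccessBlockConfiguration") or {}
        if not all(pab.get(k) is True for k in
                   ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")):
            findings.append(f"{logical_id}: public access block is not fully enabled")
    return findings


def check_template(template, eligible=ELIGIBLE_SERVICES):
    return check_service_scope(template, eligible) + check_s3_hardening(template)


def main(path=None):
    """Exit non-zero on any finding so the pipeline stage fails."""
    template = SAMPLE_TEMPLATE if path is None else json.load(open(path))
    findings = check_template(template)
    for f in findings:
        print("FAIL", f)
    print("OK: template passes HIPAA guardrails" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with a template path as a pipeline step before `aws cloudformation deploy`; without arguments it checks the embedded sample and reports four findings (the queue, the custom resource, and two for the scratch bucket). The check only sees what the template states: encryption configured elsewhere, or resources created by a custom resource's Lambda, still need an AWS Config rule at runtime as a second line of defence.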

Understanding Compliance Responsibilities

On AWS, HIPAA compliance follows the shared responsibility model. The BAA documents what AWS secures and what you must implement.

  • AWS responsibilities: Physical security of data centers, underlying infrastructure, and certain managed service layers as described in the BAA.
  • Your responsibilities: Access controls, identity management, encryption configuration, network security, logging and monitoring, vulnerability management, backups, incident response, and workforce training.
  • Administrative safeguards: Risk analysis, policies and procedures, workforce approvals, and vendor management, including downstream BAAs where required.
  • Technical safeguards: Encryption in transit and at rest, key management, least-privilege IAM, audited change control, and continuous monitoring.
  • Breach notification: Maintain procedures to detect, assess, and notify in accordance with HIPAA and the BAA terms.

Best Practices for HIPAA Compliance on AWS

  • Architect for isolation: Separate HIPAA and non-HIPAA accounts and VPCs; minimize PHI footprint and use tokenization or de-identification where feasible.
  • Encrypt everywhere: Enforce KMS-backed encryption by default for storage, databases, block volumes, and message queues; require TLS 1.2+ for all endpoints.
  • Harden identity: Use SSO and MFA, short-lived credentials, permission boundaries, and least-privilege roles. Prohibit long-lived IAM user access keys in HIPAA accounts when possible.
  • Guardrails and detection: Apply service control policies to restrict services and Regions; enable Config, CloudTrail, and Security Hub for continuous compliance.
  • Data protection lifecycle: Classify PHI, define retention, create immutable backups with point-in-time recovery, and routinely test restores.
  • Network controls: Prefer private connectivity, VPC endpoints, and zero-trust patterns; restrict egress and inspect traffic where appropriate.
  • Operational rigor: Use infrastructure as code, change management, and pre-deployment controls to prevent misconfigurations from reaching production.
  • Evidence management: Centralize BAA documents, acceptance records, and control attestations; keep them up to date for audits.

In summary, accept the Business Associate Addendum via the AWS Artifact portal, designate and harden HIPAA accounts, restrict usage to HIPAA-eligible services, and implement strong technical and administrative controls. Treat the BAA as the starting point and build a repeatable, well-documented program around your compliance responsibilities.

FAQs

What is the AWS Business Associate Addendum?

The AWS Business Associate Addendum (BAA) is the contract that allows you to use AWS to process Protected Health Information (PHI) under HIPAA. It defines the shared obligations between you and AWS and limits PHI handling to HIPAA-eligible services within covered accounts.

How do I accept a BAA through AWS Artifact?

Sign in to the target account, open the AWS Artifact portal, go to Agreements, select the Business Associate Addendum, review the terms, and accept. Download the executed BAA and record the agreement ID, acceptance timestamp, and account number for your compliance files.

Which AWS services are HIPAA-eligible?

HIPAA-eligible services are those listed on AWS's published HIPAA Eligible Services Reference. Eligibility can vary by feature and Region, so always verify the latest list and enforce it with guardrails before handling PHI.

Who is responsible for HIPAA compliance on AWS?

Compliance is shared. AWS secures the underlying infrastructure and publishes the BAA and related reports. You are responsible for security configuration, access control, encryption, monitoring, policies, workforce practices, and ensuring PHI is processed only by HIPAA-eligible services in designated accounts.
