Is Amazon Chime HIPAA Compliant? BAA, Security Features, and Setup Guide



Kevin Henry

HIPAA

December 23, 2025


You can use Amazon Chime for HIPAA-regulated workloads when you scope Protected Health Information (PHI) to HIPAA-eligible capabilities, have an executed HIPAA Business Associate Addendum (BAA) with AWS, and apply rigorous security configuration. This guide explains eligibility, required agreements, Identity and Access Management (IAM) controls, Service-Linked Roles, AWS CloudTrail logging for compliance audit trails, and secure communications configuration—plus what the 2026 support sunset means for your roadmap.

HIPAA Eligibility and BAA Requirements

Eligibility basics

HIPAA compliance with Amazon Chime starts with service eligibility and contractual coverage. Only use features that AWS designates as HIPAA-eligible and keep PHI strictly within those boundaries. Treat all other features as non-PHI paths or disable them.

HIPAA Business Associate Addendum (BAA)

A signed BAA with AWS is mandatory before you transmit, process, or store PHI in AWS. Confirm that your master payer account (and any linked accounts) are attached to the BAA, and document which Amazon Chime capabilities are in scope under that agreement.

Scoping PHI and data handling

  • Minimize PHI exposure during meetings, chat, recordings, and messaging features; prefer de-identified data when possible.
  • Ensure encryption in transit (TLS) for signaling and media paths and encryption at rest for stored artifacts (for example, recordings, logs).
  • Define retention schedules so PHI is kept only as long as necessary for treatment, payment, operations, or legal obligations.

Governance and documentation

Maintain written policies mapping your Amazon Chime implementation to HIPAA safeguards. Record how you restrict PHI to eligible services, how access is controlled, and how you validate configurations through periodic reviews and risk assessments.

Identity and Access Management Controls

Least-privilege IAM policies

Grant only the exact Amazon Chime and related actions administrators and automations require. Use separate roles for provisioning, auditing, and operations. Add permission boundaries or service control policies to prevent privilege creep across accounts.

Authentication and federation

Use IAM federation or AWS IAM Identity Center to connect your corporate identity provider. Enforce strong authentication (including MFA), short session durations, and conditional access for sensitive operations such as enabling recordings or modifying meeting policies.

Attribute- and context-based controls

Apply attribute-based access control (ABAC) with tags to isolate PHI-related resources by environment, tenant, or department. Add IAM condition keys to constrain actions by source VPC, IP range, or required encryption states.

Separation of duties

Divide responsibilities so no single administrator can both configure recording/storage and purge audit evidence. This reduces insider risk and supports HIPAA’s administrative safeguards.
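As an added example (not part of the article and not an AWS-published policy), the following Python reviews IAM policy documents for the properties this section describes: wildcard actions, an unconditioned `Resource: "*"`, a required MFA condition, and an ABAC tag condition on Chime actions. The two policies are constructed illustrations; the `chime:` action names and the `aws:` condition keys are drawn from IAM's public vocabulary but should be verified against the service authorization reference before use.

```python
"""Least-privilege / ABAC review of IAM policy documents for an Amazon Chime
deployment. Added example; both policies are constructed illustrations."""

# Constructed: the kind of over-broad operator policy the section warns against.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "chime:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*", "cloudtrail:*"], "Resource": "*"},
    ],
}

# Constructed: meeting operations scoped by a DataClass tag that must match the
# caller's own principal tag (ABAC), gated on MFA, and denied off-network.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ChimeMeetingOpsScopedByTag",
            "Effect": "Allow",
            "Action": ["chime:CreateMeeting", "chime:GetMeeting", "chime:DeleteMeeting"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/DataClass": "${aws:PrincipalTag/DataClass}"
                },
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        },
        {
            "Sid": "DenyOutsideCorporateRange",
            "Effect": "Deny",
            "Action": "chime:*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy, required_condition_keys=("aws:MultiFactorAuthPresent",)):
    """Return (sid, message) findings for every Allow statement that breaks a
    least-privilege rule. Deny statements are skipped: a broad Deny is a guardrail."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition", {})
        # Flatten {"StringEquals": {"aws:X": ...}, "Bool": {...}} to the keys in use.
        keys = {key.lower() for block in condition.values() for key in block}

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "*" in resources and not condition:
            findings.append((sid, "Resource '*' with no Condition"))
        for key in required_condition_keys:
            if key.lower() not in keys:
                findings.append((sid, f"missing condition key {key}"))
        touches_chime = any(a.lower().startswith("chime:") for a in actions)
        uses_tags = any(k.startswith(("aws:resourcetag/", "aws:requesttag/")) for k in keys)
        if touches_chime and not uses_tags:
            findings.append((sid, "no ABAC tag condition on chime actions"))
    return findings


if __name__ == "__main__":
    for name, doc in (("OVERBROAD_POLICY", OVERBROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

The Deny statement deliberately uses `chime:*`: the audit only flags wildcards in Allow statements, because a broad Deny narrows access rather than widening it. Run the check as a pre-commit step over policy files, or against `get-policy-version` output, so privilege creep is caught before a policy is attached.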

Service-Linked Roles Integration

What service-linked roles do

Service-Linked Roles allow Amazon Chime to perform defined actions on your behalf, improving security by scoping trust and permissions. They are purpose-built, automatically created when needed, and maintained by AWS.

Secure handling of service-linked roles

  • Allow automatic creation only in accounts where Amazon Chime is intended to operate with PHI.
  • Do not attach additional inline policies; rely on the managed, least-privileged policy AWS supplies.
  • Review the trust policy to ensure only the intended Amazon Chime service principals can assume the role.

Operational governance

Inventory Service-Linked Roles across accounts, alert on unexpected changes, and document their purpose in your system security plan. This demonstrates controlled use of delegated permissions for compliance reviews.
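The inventory, trust-policy review and change alerting described in this section, as an added example that is not part of the article: it compares a recorded baseline of service-linked roles against an observed snapshot and reports new or missing roles, inline policies, trust principals outside the expected set, and changed managed-policy attachments. The snapshots are constructed in the shape of the IAM GetRole / ListAttachedRolePolicies / ListRolePolicies responses; the role, policy and service-principal names are assumptions to verify in your own account.

```python
"""Inventory and drift review of service-linked roles. Added example over
constructed snapshots; names are assumptions to verify in your account."""
import copy

# Assumption: the only service principal that should be able to assume the role.
EXPECTED_SERVICE_PRINCIPALS = {"chime.amazonaws.com"}

# Constructed baseline, as recorded in the system security plan.
BASELINE = {
    "AWSServiceRoleForAmazonChime": {
        "Path": "/aws-service-role/chime.amazonaws.com/",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": "chime.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }],
        },
        "AttachedPolicies": ["AmazonChimeServiceRolePolicy"],
        "InlinePolicies": [],
    },
}

# Constructed "observed" snapshot with three kinds of drift introduced on purpose.
OBSERVED = copy.deepcopy(BASELINE)
_role = OBSERVED["AWSServiceRoleForAmazonChime"]
_role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]["Service"] = [
    "chime.amazonaws.com", "ec2.amazonaws.com"]          # trust widened
_role["InlinePolicies"].append("ChimeExtraS3Access")     # inline policy added
OBSERVED["AWSServiceRoleForAmazonChimeTranscription"] = {  # role not in baseline
    "Path": "/aws-service-role/chime.amazonaws.com/",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "chime.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    "AttachedPolicies": [],
    "InlinePolicies": [],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_principals(role):
    """All (kind, value) principals the trust policy lets assume the role."""
    found = set()
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anyone may assume: always a finding
            found.add(("*", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                found.add((kind, value))
    return found


def review_service_linked_roles(baseline, observed, expected=EXPECTED_SERVICE_PRINCIPALS):
    """Return (role, message) findings: inventory changes, inline policies,
    unexpected trust principals, and changed managed-policy attachments."""
    findings = []
    for name in sorted(set(baseline) - set(observed)):
        findings.append((name, "role present in baseline but missing now"))
    for name, role in sorted(observed.items()):
        if name not in baseline:
            findings.append((name, "role not in baseline inventory"))
        if role.get("InlinePolicies"):
            findings.append((name, f"inline policies attached: {role['InlinePolicies']}"))
        unexpected = sorted(value for kind, value in trust_principals(role)
                            if kind != "Service" or value not in expected)
        if unexpected:
            findings.append((name, f"unexpected trust principals: {unexpected}"))
        if name in baseline and sorted(role.get("AttachedPolicies", [])) != sorted(
                baseline[name].get("AttachedPolicies", [])):
            findings.append((name, "attached managed policies changed"))
    return findings


if __name__ == "__main__":
    for finding in review_service_linked_roles(BASELINE, OBSERVED):
        print(*finding)
```

Any principal kind other than `Service` (an `AWS` account, a `Federated` provider, or `*`) is reported, since a service-linked role should only ever be assumable by its owning service. Run the comparison from a scheduled job per account and feed the findings into the same alerting path as your CloudTrail alarms.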


Logging and Monitoring with AWS CloudTrail

Enable and scope AWS CloudTrail logging

Turn on AWS CloudTrail logging at the organization level to capture Amazon Chime control-plane API activity across all accounts and Regions. Store logs in an encrypted S3 bucket with write-once controls and lifecycle retention aligned to your HIPAA compliance audit trails policy.

Detective controls and alerting

  • Stream CloudTrail to CloudWatch Logs for near-real-time detection of risky changes (for example, enabling recordings or altering retention).
  • Create metric filters and alarms for high-impact events and failed authorization attempts.
  • Use EventBridge rules to trigger incident workflows for security-significant actions.

Evidence and investigations

Preserve logs for the full regulatory retention period and ensure they are cryptographically protected. Document procedures for querying logs during investigations and for demonstrating control effectiveness to auditors.
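The detective controls in the two sections above, as an added example that is not part of the article: a small rule set run over CloudTrail records to flag trail tampering, retention changes on the audit bucket, weakening of a KMS key, a Chime call that creates a recording capability, and repeated authorization failures by one principal, plus a function that emits the equivalent CloudWatch Logs metric-filter pattern. The events are constructed and trimmed to the fields the rules read; the audit bucket name is a placeholder, and the Chime event name in the watch list is an assumption about which API to watch, not something the article states.

```python
"""Detection rules over CloudTrail records. Added example with constructed
events; bucket name is a placeholder and the Chime watch-list entry is assumed."""
from collections import Counter

AUDIT_LOG_BUCKET = "example-hipaa-audit-logs"  # placeholder bucket name

# Event names per rule. CloudTrail/S3/KMS names are the services' own API names;
# the Chime entry is an assumption about the recording-related call to watch.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
RETENTION_CHANGE = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration",
                    "DeleteBucketLifecycle", "PutBucketPolicy", "DeleteBucketPolicy"}
KEY_WEAKENING = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}
CHIME_WATCHLIST = {"CreateMediaCapturePipeline"}

# Constructed sample events (trimmed CloudTrail records).
_OPERATOR = "arn:aws:sts::111122223333:assumed-role/ChimeOperator/alice"
_USER_M = "arn:aws:iam::111122223333:user/mallory"
_USER_B = "arn:aws:iam::111122223333:user/bob"
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-01T10:00:00Z", "eventSource": "chime.amazonaws.com",
     "eventName": "CreateMeeting", "userIdentity": {"arn": _OPERATOR}},
    {"eventTime": "2025-12-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": _USER_M}},
    {"eventTime": "2025-12-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycleConfiguration",
     "requestParameters": {"bucketName": AUDIT_LOG_BUCKET}, "userIdentity": {"arn": _USER_M}},
    {"eventTime": "2025-12-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycleConfiguration",   # other bucket: not a finding
     "requestParameters": {"bucketName": "example-public-assets"}, "userIdentity": {"arn": _USER_B}},
    {"eventTime": "2025-12-01T10:08:00Z", "eventSource": "chime.amazonaws.com",
     "eventName": "CreateMediaCapturePipeline", "userIdentity": {"arn": _OPERATOR}},
] + [
    {"eventTime": f"2025-12-01T10:1{i}:00Z", "eventSource": "chime.amazonaws.com",
     "eventName": "DeleteMeeting", "errorCode": "AccessDenied", "userIdentity": {"arn": _USER_M}}
    for i in range(3)
] + [
    {"eventTime": "2025-12-01T10:20:00Z", "eventSource": "chime.amazonaws.com",
     "eventName": "DeleteMeeting", "errorCode": "AccessDenied", "userIdentity": {"arn": _USER_B}},
]


def classify(event):
    """Return (severity, rule) for one record, or None. A denied tampering
    attempt still matches the tampering rule: the attempt itself is the signal."""
    src, name = event.get("eventSource", ""), event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        return ("HIGH", "audit-trail-tampering")
    if src == "s3.amazonaws.com" and name in RETENTION_CHANGE \
            and params.get("bucketName") == AUDIT_LOG_BUCKET:
        return ("HIGH", "log-retention-change")
    if src == "kms.amazonaws.com" and name in KEY_WEAKENING:
        return ("HIGH", "kms-key-weakening")
    if src == "chime.amazonaws.com" and name in CHIME_WATCHLIST:
        return ("MEDIUM", "chime-recording-capability")
    if event.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        return ("LOW", "failed-authorization")
    return None


def principal(event):
    return (event.get("userIdentity") or {}).get("arn", "unknown")


def detect(events, failed_auth_threshold=3):
    """Run the rules over a batch; single denials are aggregated per principal
    and only reported once they reach the threshold."""
    findings, denials = [], Counter()
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        severity, rule = hit
        if rule == "failed-authorization":
            denials[principal(event)] += 1
            continue
        findings.append({"severity": severity, "rule": rule, "eventName": event["eventName"],
                         "principal": principal(event), "eventTime": event.get("eventTime")})
    for who, count in denials.items():
        if count >= failed_auth_threshold:
            findings.append({"severity": "MEDIUM", "rule": "repeated-access-denied",
                             "eventName": f"{count} denials", "principal": who, "eventTime": None})
    return findings


def metric_filter_pattern():
    """CloudWatch Logs JSON filter pattern equivalent to the HIGH rules that do
    not depend on request parameters."""
    names = sorted(TRAIL_TAMPER | KEY_WEAKENING)
    return "{ " + " || ".join(f'($.eventName = "{n}")' for n in names) + " }"


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print(metric_filter_pattern())
```

The bucket-scoped rule cannot be expressed as a plain `eventName` filter, which is why `metric_filter_pattern()` leaves it out; in production, put that rule in an EventBridge rule or a Lambda subscriber on the CloudWatch log group, where the request parameters are available.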

Secure Setup and Configuration Practices

Pre-deployment checklist

  • Confirm BAA execution and list HIPAA-eligible Amazon Chime capabilities in scope.
  • Define a data flow that confines PHI to eligible paths and encrypted storage.
  • Establish key management, retention, and incident response procedures.

Configuration steps

  • Enforce secure communications configuration: require encrypted signaling/media paths and authenticated meeting joins.
  • Restrict who can create meetings, channels, or recordings; gate these actions behind dedicated roles.
  • Use customer-managed KMS keys for any recordings, transcripts, or logs that may include PHI.
  • Disable or limit PSTN dial-out/in if it is not required, and document call-path handling when it is.
  • Apply retention policies so meeting artifacts with PHI are deleted on schedule.

Operational safeguards

  • Continuously monitor with CloudTrail, Config, and alarms for drift and anomalous access.
  • Run periodic access reviews of IAM users, roles, and tokens used for Amazon Chime automation.
  • Perform tabletop exercises for meeting-related incidents, including misdirected invitations and recording leaks.

Validation and testing

Before handling PHI, execute a dry run in a non-production account. Validate encryption, access paths, log integrity, and least-privilege constraints, then document results for your compliance file.
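A dry-run validator for the storage side of the checklist above (encrypted log bucket with write-once controls and lifecycle retention, customer-managed KMS keys, scheduled deletion, and the pre-PHI validation step), as an added example that is not part of the article. It checks a bucket configuration for SSE-KMS with an explicit customer-managed key, Object Lock in compliance mode, full public access blocking, no lifecycle rule that expires evidence before the retention period, and a bucket policy that denies non-TLS access. The configurations are constructed in the shape of the S3 GetBucket* responses; key ARNs and bucket names are placeholders, and the 6-year (2190-day) figure is the HIPAA documentation retention period, used here as the assumed requirement.

```python
"""Dry-run validation of an audit-log / recordings bucket configuration. Added
example over constructed configurations; names and key ARNs are placeholders."""

REQUIRED_RETENTION_DAYS = 6 * 365  # assumed requirement: 6-year documentation retention
_BUCKET = "example-hipaa-audit-logs"  # placeholder

# Constructed: a configuration that meets every check.
COMPLIANT = {
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-CMK-ID"},
        "BucketKeyEnabled": True}]},
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "LifecycleConfiguration": {"Rules": [{"ID": "expire-after-retention", "Status": "Enabled",
                                          "Filter": {}, "Expiration": {"Days": 2555}}]},
    "Policy": {"Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{_BUCKET}", f"arn:aws:s3:::{_BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}

# Constructed: a default-looking bucket that fails most checks.
WEAK = {
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "ObjectLockConfiguration": None,
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "LifecycleConfiguration": {"Rules": [{"ID": "cleanup", "Status": "Enabled",
                                          "Filter": {}, "Expiration": {"Days": 90}}]},
    "Policy": None,
}


def _retention_days(default_retention):
    return default_retention.get("Days", 0) + 365 * default_retention.get("Years", 0)


def _denies_insecure_transport(policy):
    """True if some Deny statement is conditioned on aws:SecureTransport = false."""
    for stmt in (policy or {}).get("Statement", []):
        flag = (stmt.get("Condition") or {}).get("Bool", {}).get("aws:SecureTransport", "")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def validate_log_bucket(cfg, required_days=REQUIRED_RETENTION_DAYS):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    key_id = default.get("KMSMasterKeyID", "")
    if default.get("SSEAlgorithm") != "aws:kms" or not key_id:
        findings.append("default encryption is not SSE-KMS with an explicit key")
    elif "alias/aws/" in key_id:
        findings.append("SSE-KMS uses the AWS-managed key, not a customer-managed key")

    lock = cfg.get("ObjectLockConfiguration") or {}
    retention = (lock.get("Rule") or {}).get("DefaultRetention", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled (no write-once protection)")
    elif retention.get("Mode") != "COMPLIANCE" or _retention_days(retention) < required_days:
        findings.append(f"Object Lock default retention is not COMPLIANCE for >= {required_days} days")

    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    disabled = [k for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy",
                            "RestrictPublicBuckets") if not pab.get(k)]
    if disabled:
        findings.append(f"public access block settings disabled: {disabled}")

    for rule in (cfg.get("LifecycleConfiguration") or {}).get("Rules", []):
        days = (rule.get("Expiration") or {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days < required_days:
            findings.append(f"lifecycle rule {rule.get('ID')} expires objects after {days} days, "
                            f"before the {required_days}-day retention")

    if not _denies_insecure_transport(cfg.get("Policy")):
        findings.append("bucket policy has no Deny for aws:SecureTransport=false")
    return findings


if __name__ == "__main__":
    for label, cfg in (("COMPLIANT", COMPLIANT), ("WEAK", WEAK)):
        print(label, validate_log_bucket(cfg) or "no findings")
```

Feed it the live configuration by filling the same five keys from the corresponding `get-bucket-encryption`, `get-object-lock-configuration`, `get-public-access-block`, `get-bucket-lifecycle-configuration` and `get-bucket-policy` calls in the non-production account, and file the empty result (or the findings and their remediation) with the dry-run evidence.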

Impact of Amazon Chime Support End Date

What the end date means

With Amazon Chime support ending in 2026, you should plan to migrate well in advance. After the end date, security updates and official assistance will cease for the affected features, increasing operational and compliance risk if PHI remains in scope.

HIPAA-safe migration path

  • Freeze new PHI use on features scheduled for retirement; prioritize alternatives that are HIPAA-eligible and covered by your BAA.
  • Evaluate the Amazon Chime SDK or other eligible services for replacement, validating encryption, access controls, and logging.
  • Update policies, diagrams, and risk assessments to reflect your target architecture.

Record retention and evidence

Export and preserve meeting artifacts and logs you must retain for compliance. Ensure CloudTrail, configuration snapshots, and administrative change records remain accessible beyond the support sunset.

Risk and communication

Brief stakeholders on the 2026 timeline, define a cutover date, and run pilot migrations. Clearly communicate how security, user experience, and compliance audit trails will be maintained throughout the transition.

Summary

Amazon Chime can support HIPAA workloads when covered by a BAA, constrained to HIPAA-eligible capabilities, and configured with strong IAM, Service-Linked Roles governance, and AWS CloudTrail logging. With support ending in 2026, prioritize an early, well-documented migration to sustain security and compliance.

FAQs

What is required to use Amazon Chime for HIPAA workloads?

You need an executed HIPAA Business Associate Addendum with AWS, must limit PHI to HIPAA-eligible Amazon Chime capabilities, and implement encryption, least-privilege IAM, Service-Linked Roles governance, and AWS CloudTrail logging with defined retention.

How does Amazon Chime implement access controls?

Access is enforced through AWS Identity and Access Management policies and roles. Use federation/MFA for administrators, apply permission boundaries and ABAC, and separate duties so no single role can both manage retention and delete evidence.

Can AWS CloudTrail be used for auditing Amazon Chime activity?

Yes. Enable organization-wide AWS CloudTrail logging to capture Amazon Chime API activity, store logs in encrypted S3, and create CloudWatch alarms. These logs form core compliance audit trails for investigations and attestations.

What are the implications of Amazon Chime support ending in 2026?

Security patches and official support for affected features will cease, so continuing to handle PHI on them increases risk. Plan and execute a migration before the 2026 deadline, preserve required records, and verify that your replacement solution is HIPAA-eligible and covered under your BAA.
