Is AWS HIPAA Compliant? Real-World Scenarios Explained
AWS supports HIPAA compliance when you sign a Business Associate Addendum (BAA), use HIPAA-eligible AWS services, and implement required safeguards for protected health information (PHI). Compliance is achieved through correct design and operation, not by infrastructure alone.
In practice, you combine contractual assurances (the BAA) with technical controls such as AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), TLS encryption, and CloudTrail audit logging. AWS's shared responsibility model clarifies which layers AWS secures and which you must own.
Business Associate Addendum and Its Importance
The Business Associate Addendum (BAA) is AWS’s contractual commitment to support HIPAA requirements when you create, receive, maintain, or transmit PHI on AWS. It authorizes the processing of PHI on specific, HIPAA-eligible AWS services and sets obligations for safeguarding that data.
Accepting the BAA is a prerequisite before handling PHI in your accounts. The BAA does not make your applications compliant by itself; you must configure and operate controls that meet HIPAA’s Security and Privacy Rules. Treat the BAA as the foundation, then layer identity, encryption, monitoring, and governance on top.
Operationally, map each workload component to a covered service, document how minimum necessary data is enforced, and ensure business associates and subcontractors align with the same obligations. Review the BAA scope before onboarding any new service.
HIPAA-Eligible AWS Services
HIPAA-eligible AWS services span core building blocks such as compute, storage, databases, networking, analytics, and security tooling. Typical patterns include object storage for PHI with server-side encryption, managed databases with encryption at rest and in transit, and compute orchestrated in private networks.
Design with service eligibility in mind. For example, store medical images in encrypted object storage, process them on compute instances or functions that use IAM roles, and persist clinical data to encrypted managed databases. When planning new features, verify the service is HIPAA-eligible and within your BAA’s scope before use.
To reduce risk, standardize a curated portfolio of HIPAA-eligible AWS services, block non-approved services in production, and continuously inventory what is deployed against the approved list.
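The guardrail described above can be expressed as a service control policy that denies everything outside a curated allow-list, with the same list reused to detect drift in a resource inventory. This is an added example, not code from the original article or from AWS: the approved-service list, account ID and ARNs are constructed placeholders, and the list is not AWS's official HIPAA-eligible catalogue.

```python
"""Approved-service guardrail: build a deny-by-default SCP from a curated
list and check a resource inventory against the same list.
Added example; APPROVED_SERVICES is a constructed placeholder."""
import json

# Constructed allow-list: services an organisation approved after checking
# eligibility and BAA scope. Replace with your own curated portfolio.
APPROVED_SERVICES = {"s3", "kms", "ec2", "rds", "lambda", "cloudtrail", "logs", "iam", "sts"}


def build_scp(approved: set[str]) -> dict:
    """Return an SCP that denies every action outside the approved service
    namespaces. Deny + NotAction keeps the allow-list explicit: anything a
    team tries outside it fails closed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonApprovedServices",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in sorted(approved)],
            "Resource": "*",
        }],
    }


def service_of(arn: str) -> str:
    """Extract the service namespace from an ARN (arn:partition:service:...)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def find_drift(inventory: list[str], approved: set[str]) -> list[str]:
    """Return ARNs of deployed resources whose service is not on the list."""
    return [arn for arn in inventory if service_of(arn) not in approved]


# Constructed inventory, shaped like a resource-inventory export.
SAMPLE_INVENTORY = [
    "arn:aws:s3:::phi-raw-images",
    "arn:aws:rds:us-east-1:111122223333:db:clinical",
    "arn:aws:sns:us-east-1:111122223333:notify-ops",   # not on the approved list
    "arn:aws:kms:us-east-1:111122223333:key/abcd-1234",
]

if __name__ == "__main__":
    print(json.dumps(build_scp(APPROVED_SERVICES), indent=2))
    for arn in find_drift(SAMPLE_INVENTORY, APPROVED_SERVICES):
        print("DRIFT:", arn)
```

Two caveats apply when using an allow-list SCP: it does not apply to the organization's management account, and supporting services the workloads depend on (for example sts and iam for role assumption) must stay on the list, so roll the policy out to a sandbox OU before production.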
Shared Responsibility Model for Compliance
The shared responsibility model divides duties: AWS secures the cloud (facilities, hardware, networking, virtualization, and many managed service layers), while you secure what you put in the cloud (data, identity, network design, configurations, and workload operations).
Your responsibilities include classifying PHI, controlling who can access it, enforcing encryption, patching compute you manage, and monitoring. AWS provides the compliant-ready primitives; you implement and verify controls that meet your risk posture and HIPAA requirements.
Document control ownership for each safeguard—who builds it, who monitors it, and how exceptions are handled. This clarity accelerates audits and reduces misconfigurations.
Implementing Access Controls with IAM
AWS Identity and Access Management (IAM) is the control plane for least-privilege access to PHI. Favor roles over long-lived users, require multi-factor authentication for administrators, and federate workforce identities through single sign-on to centralize lifecycle management.
Design policies with least privilege and use permission boundaries, service control policies, and session policies to contain blast radius. Attribute-based access control (ABAC) with tags lets you express “who can access which PHI dataset and under what conditions” without sprawling policy sets.
Apply just-in-time elevated access with limited session durations, break-glass processes for emergencies, and periodic access reviews. Deny-by-default guardrails and proactive policy validation reduce accidental exposure.
Data Encryption Best Practices
Encrypt PHI at rest with AWS Key Management Service (KMS) using customer managed keys, and require TLS for all traffic in transit. For object storage, use server-side encryption with KMS keys and bucket policies that reject unencrypted uploads; for block and file storage, enable encryption by default.
Centralize key management: define key policies with least privilege, separate key administrators from data users, and rotate keys on a defined schedule. Use grants and dual-control change processes for sensitive keys and log every cryptographic operation for traceability.
Ensure application-layer protections complement platform encryption. Validate TLS versions and ciphers, terminate TLS only at trusted boundaries, and prefer private connectivity to keep PHI off the public internet when feasible.
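The two policy patterns discussed in the IAM section (ABAC via tags) and in this section (bucket policies that reject plaintext transport and non-KMS uploads) are easier to reason about when you can watch a request be allowed or denied. The block below is an added example, not code from the article or from AWS: the policies, tag name `phi-dataset`, account ID and ARNs are constructed, and `evaluate` is a deliberately simplified model of IAM decision logic (implicit deny, explicit deny wins, a handful of condition operators), not the AWS policy engine.

```python
"""Simplified IAM decision model used to show how an ABAC tag condition
and an encryption-enforcing bucket policy behave. Added example: policies
and tag names are constructed; the evaluator models a subset of IAM."""
from fnmatch import fnmatchcase
import re

# Identity policy for an analyst role. Statement 1 is ABAC: a secret is
# readable only when its phi-dataset tag equals the caller's own tag.
# Statement 2 grants object access to the PHI buckets, which the bucket
# policy below narrows.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadSecretsOfOwnDataset", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:*:*:secret:phi/*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/phi-dataset": "${aws:PrincipalTag/phi-dataset}"}}},
        {"Sid": "PhiBucketObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::phi-*/*"},
    ],
}

# Bucket policy: refuse plaintext transport and any upload that is not
# SSE-KMS. Deny statements override the Allow above.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::phi-*/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::phi-*/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyUploadsWithoutEncryptionHeader", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::phi-*/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

POLICY_VAR = re.compile(r"\$\{([^}]+)\}")   # ${aws:PrincipalTag/...} substitution


def _condition_matches(operator, key, expected, ctx):
    """Evaluate one condition pair against the request context."""
    actual = ctx.get(key)
    expected = POLICY_VAR.sub(lambda m: ctx.get(m.group(1), ""), expected)
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":    # in this model a missing key is "not equal"
        return actual is None or actual != expected
    if operator == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    if operator == "Null":               # "true" matches when the key is absent
        return (actual is None) == (expected.lower() == "true")
    raise ValueError(f"operator not modelled: {operator}")


def _statement_matches(stmt, action, resource, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not fnmatchcase(resource, stmt["Resource"]):
        return False
    return all(_condition_matches(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def evaluate(policies, action, resource, ctx):
    """'Allow' or 'Deny' for one request: implicit deny unless an Allow
    statement matches, and any matching Deny overrides everything."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


POLICIES = [IDENTITY_POLICY, BUCKET_POLICY]
SECRET = "arn:aws:secretsmanager:us-east-1:111122223333:secret:phi/cardiology-db-AbCdEf"
OBJECT = "arn:aws:s3:::phi-images/study-0001.dcm"

if __name__ == "__main__":
    me = {"aws:PrincipalTag/phi-dataset": "cardiology"}
    print(evaluate(POLICIES, "secretsmanager:GetSecretValue", SECRET,
                   {**me, "aws:ResourceTag/phi-dataset": "oncology"}))   # Deny
    print(evaluate(POLICIES, "s3:PutObject", OBJECT,
                   {"aws:SecureTransport": "true"}))                     # Deny
```

The point of the model is the ordering: the analyst's Allow is granted by identity policy, but a single matching Deny in the bucket policy (plaintext transport, wrong or missing encryption header) settles the request, which is why encryption requirements belong in Deny statements on the resource rather than in the caller's permissions.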
Monitoring and Logging PHI Access
Enable CloudTrail audit logging in all regions and all accounts, aggregate to a secure logging account, and turn on log file integrity validation. Stream logs to a write-once, read-many destination with retention and access controls to preserve evidentiary value.
Use CloudWatch metrics, alarms, and dashboards to detect anomalous access, failed logins, policy changes, and data movement. Complement with detective controls such as threat detection and access analysis to surface risky external sharing and exfiltration paths.
Continuously evaluate configurations with rules that flag public buckets, open security groups, or unencrypted resources. Build incident response runbooks that include containment steps, forensics, and notification workflows aligned to HIPAA breach requirements.
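The detections listed above (failed logins, policy changes, logging tampering, key weakening, root usage) can be written as rules over CloudTrail records. The block below is an added example, not code from the article or from AWS: the events are constructed to resemble CloudTrail's JSON record shape, trimmed to the fields the rules read, and the thresholds and severities are assumptions to tune for your environment.

```python
"""Detection rules run over CloudTrail events. Added example: the events
below are constructed in CloudTrail's record shape; nothing here comes
from a real account."""
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values a PHI environment should alarm on.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KEY_WEAKENING = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"}
POLICY_CHANGES = {"PutUserPolicy", "PutRolePolicy", "AttachUserPolicy",
                  "AttachRolePolicy", "CreatePolicyVersion", "CreateAccessKey"}
FAILED_LOGIN_THRESHOLD = 3                 # assumed tuning values
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return a list of (severity, rule, eventID) findings, in time order."""
    findings = []
    failed_logins = defaultdict(list)      # source IP -> failure timestamps
    for e in sorted(events, key=_ts):
        name, eid = e["eventName"], e["eventID"]
        if e.get("userIdentity", {}).get("type") == "Root":
            findings.append(("high", "root-account-activity", eid))
        if name in LOGGING_TAMPER:
            findings.append(("critical", "cloudtrail-tampering", eid))
        if name in KEY_WEAKENING:
            findings.append(("high", "kms-key-weakened", eid))
        if name in POLICY_CHANGES:
            findings.append(("medium", "iam-policy-change", eid))
        if name == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            ip = e["sourceIPAddress"]
            failed_logins[ip].append(_ts(e))
            recent = [t for t in failed_logins[ip] if _ts(e) - t <= FAILED_LOGIN_WINDOW]
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is crossed
                findings.append(("medium", "console-login-bruteforce", eid))
    return findings


# Constructed sample: one benign read, a trail being stopped, three failed
# console logins from one address, and a root-initiated key deletion.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/phi-analyst/alice"}},
    {"eventID": "e2", "eventTime": "2024-03-01T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "10.0.1.44",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
    {"eventID": "e3", "eventTime": "2024-03-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e4", "eventTime": "2024-03-01T10:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e5", "eventTime": "2024-03-01T10:07:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e6", "eventTime": "2024-03-01T10:09:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "10.0.1.44",
     "userIdentity": {"type": "Root"}},
]

if __name__ == "__main__":
    for severity, rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{severity:8} {rule:26} {event_id}")
```

In production the same rules would live as CloudWatch metric filters or EventBridge patterns on the aggregated trail rather than a batch script; the batch form is useful for replaying archived logs during an investigation and for unit-testing rule logic before deploying it.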
Healthcare Provider Data Migration Example
Scenario overview
A regional healthcare provider moves on-premises EHR data to AWS to scale analytics and improve reliability. The team signs the BAA, restricts itself to HIPAA-eligible AWS services, and builds a private, multi-account landing zone with centralized logging and key management.
Step-by-step approach
- Plan and classify: inventory PHI, define the minimum necessary data, and map each component to a HIPAA-eligible service covered by the BAA.
- Network and identity: create isolated VPCs with private subnets, endpoints for storage and KMS, and enforce IAM least privilege with federation and MFA.
- Key management: create customer managed KMS keys for storage, databases, backups, and application secrets; establish rotation and dual control.
- Secure landing zone: enable CloudTrail audit logging organization-wide, centralize logs with integrity validation, and enforce preventive guardrails.
- Encrypted transfer: move datasets using an eligible, BAA-covered transfer service; require TLS encryption and server-side encryption upon arrival.
- Data stores: place raw data in encrypted object storage, process in ephemeral compute with IAM roles, and load curated data into encrypted managed databases.
- Operations: configure monitoring, alerts for anomalous access, backup with immutability, and disaster recovery objectives aligned to clinical needs.
- Validation: run tabletop exercises, access reviews, and configuration audits before go-live; document control ownership and evidence for auditors.
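The configuration audit in the validation step, and the continuous rules mentioned earlier that flag public buckets, open security groups and unencrypted resources, reduce to a set of checks over an exported inventory. The block below is an added example, not code from the article or from AWS: the inventory records are constructed, simplified forms of what the S3, EC2 and RDS describe/get APIs return (field names follow those APIs), and the resource IDs are placeholders.

```python
"""Configuration audit over an exported resource inventory, the kind of
check a go-live validation or a continuous config rule performs.
Added example: records are constructed, simplified API-shaped dicts."""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(b):
    issues = []
    pab = b.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        issues.append("public-access-not-fully-blocked")
    rules = b.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
    if "aws:kms" not in algorithms:
        issues.append("default-encryption-not-kms")
    return issues


def audit_security_group(sg):
    """Any ingress rule open to the whole internet is flagged; PHI networks
    are expected to be private, so no port is exempt."""
    issues = []
    for perm in sg.get("IpPermissions", []):
        open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if open_v4 or open_v6:
            issues.append(f"ingress-open-to-internet:{perm.get('FromPort', 'all')}")
    return issues


def audit_db(db):
    issues = []
    if not db.get("StorageEncrypted"):
        issues.append("storage-not-encrypted")
    if db.get("PubliclyAccessible"):
        issues.append("publicly-accessible")
    return issues


def audit_volume(v):
    return [] if v.get("Encrypted") else ["volume-not-encrypted"]


AUDITORS = {"s3": audit_bucket, "sg": audit_security_group, "rds": audit_db, "ebs": audit_volume}


def audit(inventory):
    """Return {resource id: [issues]} for every resource with a finding.
    A resource kind with no rule is itself a finding: unknown means unreviewed."""
    report = {}
    for item in inventory:
        auditor = AUDITORS.get(item["kind"])
        issues = auditor(item["config"]) if auditor else ["no-audit-rule-for-kind"]
        if issues:
            report[item["id"]] = issues
    return report


# Constructed inventory: one compliant bucket, one misconfigured bucket, a
# security group with SSH open to the world, an encrypted private database
# and an unencrypted volume.
SAMPLE_INVENTORY = [
    {"kind": "s3", "id": "phi-raw-images", "config": {
        "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
        "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-storage"}}]}}},
    {"kind": "s3", "id": "phi-exports", "config": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "AES256"}}]}}},
    {"kind": "sg", "id": "sg-0123456789abcdef0", "config": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}},
    {"kind": "rds", "id": "clinical-db", "config": {"StorageEncrypted": True, "PubliclyAccessible": False}},
    {"kind": "ebs", "id": "vol-0abc", "config": {"Encrypted": False}},
]

if __name__ == "__main__":
    for resource_id, issues in audit(SAMPLE_INVENTORY).items():
        print(resource_id, "->", ", ".join(issues))
```

Keeping the report as data (resource id to issue list) makes it straightforward to attach as audit evidence alongside the control-ownership document, and to diff run-to-run so that a regression after go-live is visible as a new entry rather than buried in output.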
Conclusion
AWS can host PHI responsibly when you pair the BAA with disciplined design: IAM-driven least privilege, KMS-backed encryption, TLS everywhere, and continuous CloudTrail-centric observability. Treat shared responsibility as a daily practice, and you can meet HIPAA requirements while delivering secure, scalable healthcare services.
FAQs
What is a Business Associate Addendum (BAA) in AWS?
The BAA is AWS’s contract that permits you to create, receive, maintain, or transmit PHI on specified, HIPAA-eligible AWS services. It defines both parties’ obligations and is required before handling PHI in your accounts. The BAA is foundational but not sufficient—you must still implement the technical and administrative safeguards HIPAA expects.
How does AWS support HIPAA compliance for PHI?
AWS provides HIPAA-eligible AWS services, strong isolation and security of the cloud, and tooling such as IAM for access control, KMS for encryption, and CloudTrail audit logging for traceability. Combined with TLS encryption and robust governance, these capabilities help you meet HIPAA requirements when correctly configured and operated.
What security controls must customers implement on AWS?
Customers must design and run controls including least-privilege IAM, MFA, network segmentation, encryption at rest with KMS and in transit with TLS, comprehensive logging and monitoring, secure key and secret management, backup and recovery, vulnerability and patch management, and documented procedures for incident response and access reviews.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.