Is AWS HIPAA Compliant? What You Need to Know, Best Practices, and Compliance Tips
AWS can support HIPAA compliance for Protected Health Information (PHI) when you sign a Business Associate Agreement (BAA), use only HIPAA‑eligible services for PHI, and configure security controls correctly. AWS secures the cloud infrastructure; you secure how PHI is created, received, maintained, and transmitted within your workloads.
This guide explains how to evaluate eligibility, implement security guardrails, and operationalize compliance. Follow these practices to minimize risk, demonstrate due diligence, and preserve the confidentiality, integrity, and availability of PHI.
HIPAA-Eligible AWS Services
What “eligible” means
Only services designated by AWS as HIPAA‑eligible may be used to store or process PHI under your BAA. Keep PHI strictly within those services and paths; route non‑PHI or de‑identified data elsewhere. Document your data flows so you can prove that PHI never enters non‑eligible components.
Common building blocks
Organizations typically combine compute, storage, databases, analytics, and security services that appear on the HIPAA‑eligible list. For example, object and block storage with encryption, managed databases with automated backups, and serverless or container compute can all be used for PHI when covered by your BAA and configured appropriately.
Design tips for eligibility boundaries
- Segment environments (prod, dev, test) and accounts so PHI never reaches non‑eligible tooling.
- Use private networking and VPC endpoints to keep PHI traffic on private links.
- Tag resources that may contain PHI and enforce guardrails that block non‑eligible services from those segments.
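One way to enforce the eligibility boundary described above is a Service Control Policy on the organizational unit that holds PHI accounts, paired with an inventory check for PHI-tagged resources living in non-eligible services. The following is an added example, not code from the original article, from AWS, or from Accountable. The service allow-list is a placeholder and must be replaced with the current AWS HIPAA-eligible services list; the DataClassification tag, the inventory format and the resource names are constructed for the example.

```python
import fnmatch
import json

# Assumption: a short placeholder allow-list of service prefixes standing in for
# AWS's published HIPAA-eligible services list, plus the control-plane services
# (sts, iam) every account needs to function. Replace with the real list.
PHI_ELIGIBLE_SERVICE_PREFIXES = ["s3", "ec2", "rds", "kms", "lambda", "cloudtrail", "logs", "sts", "iam"]


def build_phi_guardrail_scp(eligible_prefixes):
    """SCP for the OU holding PHI accounts: deny any API call whose service is
    not on the allow-list. A Deny with NotAction matches every action that
    falls outside the listed patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyServicesNotEligibleForPHI",
            "Effect": "Deny",
            "NotAction": [f"{p}:*" for p in eligible_prefixes],
            "Resource": "*",
        }],
    }


def is_blocked(scp, action):
    """Offline check of whether an action such as 'athena:StartQueryExecution'
    is denied by the SCP. Only Deny statements matter for a guardrail."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        not_action = stmt.get("NotAction")
        if not_action is not None:
            if not any(fnmatch.fnmatchcase(action, p) for p in not_action):
                return True
            continue
        if any(fnmatch.fnmatchcase(action, p) for p in stmt.get("Action", [])):
            return True
    return False


def phi_resources_outside_boundary(inventory, eligible_prefixes):
    """Return inventory entries tagged as holding PHI whose service is not on
    the allow-list; these are the data-flow violations to document and fix."""
    return [r for r in inventory
            if r.get("tags", {}).get("DataClassification") == "PHI"
            and r["service"] not in eligible_prefixes]


# Constructed inventory. 'athena' is treated as non-eligible here only because
# it is absent from the placeholder list above.
SAMPLE_INVENTORY = [
    {"id": "phi-bucket-example", "service": "s3", "tags": {"DataClassification": "PHI"}},
    {"id": "analytics-workgroup-example", "service": "athena", "tags": {"DataClassification": "PHI"}},
    {"id": "build-logs-example", "service": "logs", "tags": {"DataClassification": "internal"}},
]

if __name__ == "__main__":
    scp = build_phi_guardrail_scp(PHI_ELIGIBLE_SERVICE_PREFIXES)
    print(json.dumps(scp, indent=2))
    for action in ["s3:GetObject", "athena:StartQueryExecution"]:
        print(action, "blocked" if is_blocked(scp, action) else "allowed")
    for r in phi_resources_outside_boundary(SAMPLE_INVENTORY, PHI_ELIGIBLE_SERVICE_PREFIXES):
        print("PHI outside eligibility boundary:", r["id"], "in", r["service"])
```

The inventory check is the evidence side of the control: the SCP prevents new PHI from reaching non-eligible services, while the tag scan shows an assessor that nothing already tagged as PHI sits outside the boundary.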
Business Associate Agreement Requirements
Scope and responsibilities
The BAA permits AWS to act as a business associate and host PHI while you remain responsible for implementing administrative, technical, and physical safeguards. It requires you to use HIPAA‑eligible services for PHI and to configure them to meet security rule objectives, including access control, auditability, integrity, and transmission security.
Operational obligations you should plan for
- Maintain an inventory of systems touching PHI and restrict them to the BAA‑covered scope.
- Define breach notification procedures and an Incident Response Plan aligned to your AWS environment.
- Ensure downstream vendors or tools that receive PHI also have appropriate agreements and eligibility.
Access Control and Authentication
Least privilege with AWS Identity and Access Management (IAM)
Grant the minimum permissions required, preferring roles over long‑lived users and applying resource‑level controls. Use permission boundaries and identity‑ and resource‑based policies to constrain actions on PHI resources. Regularly review and remove unused permissions.
Strong authentication and session security
Enforce multi‑factor authentication on all human identities, disable root‑user access keys, and mandate short‑lived, federated sessions for admins and CI/CD. Use conditional policies (IP restrictions, device posture, or strong auth context) for sensitive actions such as decrypt, export, or share.
Network and data path controls
Place PHI workloads in private subnets, restrict security groups to least‑open rules, and use VPC endpoints or private links for service access. Separate production PHI from development and analytics via distinct accounts and Service Control Policies.
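The least-privilege and strong-authentication guidance above can be checked mechanically before a policy is deployed. The following policy linter is an added example, not code from the original article or from AWS: it flags wildcard actions, unscoped resources, open-ended Allow statements, and sensitive actions (decrypt, export, share) that lack an MFA condition. The list of sensitive actions, the sample policies, the account id 111122223333 and the key and bucket names are constructed for the example.

```python
import fnmatch

# Assumption: the actions this program treats as sensitive, mapped to the
# article's decrypt / export / share categories.
SENSITIVE_ACTIONS = {
    "kms:Decrypt",                   # decrypt
    "s3:GetObject",                  # export (bulk read of PHI objects)
    "rds:ModifyDBSnapshotAttribute", # share a database snapshot
    "ec2:ModifySnapshotAttribute",   # share a volume snapshot
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt):
    # Any condition operator block that references aws:MultiFactorAuthPresent
    cond = stmt.get("Condition", {})
    return any("aws:MultiFactorAuthPresent" in keys for keys in cond.values())


def lint_policy(policy):
    """Return a list of human-readable findings for an IAM policy document."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants an open-ended set")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' (no resource-level scoping)")
        hits = sorted(s for s in SENSITIVE_ACTIONS
                      if any(fnmatch.fnmatchcase(s, a) for a in actions))
        if hits and not _has_mfa_condition(stmt):
            findings.append(f"{sid}: sensitive actions {hits} without MFA condition")
    return findings


# Constructed sample policies (placeholder account id and resource names).
PHI_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-PHI-KEY-ID"

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
]}

UNSCOPED_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadPhiBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::phi-bucket-example/*"},
]}

TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DecryptPhiKeyWithMfa", "Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": PHI_KEY_ARN,
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("unscoped-read", UNSCOPED_READ_POLICY), ("tight", TIGHT_POLICY)]:
        print(name, "->", lint_policy(pol) or "no findings")
```

Run this in CI over every policy document in the PHI accounts; a clean result is not proof of least privilege, but each finding is a concrete deviation from the guidance above that a reviewer must justify or fix.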
Data Encryption Methods
Encryption at rest
Enable default encryption on all storage used for PHI. Use AWS Key Management Service (KMS) with customer‑managed keys for granular control, key rotation, and separation of duties. For higher assurance, consider dedicated key material and quorum‑based key administration.
Encryption in transit
Require Transport Layer Security (TLS) 1.2 or higher between clients, services, and data stores. Enforce HTTPS for APIs, require TLS on database connections, and use private certificates where mutual TLS is appropriate. Disable weak ciphers and protocols and test regularly.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Key management practices
- Separate keys by environment, data classification, and tenant as needed.
- Limit KMS permissions (use grants and per‑call conditions) and log every decrypt.
- Back up key policies, document rotations, and define emergency access procedures.
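The encryption-at-rest, encryption-in-transit and key-separation points above can all be expressed in one S3 bucket policy: deny any request that is not over TLS, deny TLS below 1.2, and deny writes that are not encrypted with the bucket's designated customer-managed KMS key. The code below is an added example, not from the original article or from AWS; it builds that policy and includes a small offline evaluator that mirrors how IAM treats the aws:SecureTransport, s3:TlsVersion and s3:x-amz-server-side-encryption-aws-kms-key-id condition keys (including the rule that a negated operator such as StringNotEquals matches when the key is absent). The bucket name, account id and key ARN are placeholders.

```python
import fnmatch


def phi_bucket_policy(bucket, kms_key_arn):
    """Bucket policy enforcing TLS >= 1.2 and SSE-KMS with one specific key."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
        # Writes must name the PHI key; a missing header also fails this check
        {"Sid": "DenyPutWithoutPhiKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, ctx):
    present = key in ctx
    actual = ctx.get(key)
    if operator == "Bool":
        return present and str(actual).lower() == str(expected).lower()
    if operator == "NumericLessThan":
        return present and float(actual) < float(expected)
    if operator == "StringNotEquals":
        return (not present) or actual != expected  # missing key => matches
    raise ValueError(f"operator not modelled here: {operator}")


def request_denied(policy, action, ctx):
    """Return the Sid of the first Deny statement matching the request, or None.
    ctx is the request's condition context (constructed dict of condition keys)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            return stmt["Sid"]
    return None


# Placeholders for the example
PHI_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-PHI-KEY-ID"
POLICY = phi_bucket_policy("phi-bucket-example", PHI_KEY_ARN)

# Constructed request contexts
PLAIN_HTTP_GET = {"aws:SecureTransport": "false"}
TLS11_GET = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.1"}
PUT_WRONG_KEY = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id":
                 "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"}
PUT_NO_HEADER = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}
PUT_OK = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3",
          "s3:x-amz-server-side-encryption-aws-kms-key-id": PHI_KEY_ARN}

if __name__ == "__main__":
    for label, action, ctx in [("http get", "s3:GetObject", PLAIN_HTTP_GET),
                               ("tls1.1 get", "s3:GetObject", TLS11_GET),
                               ("put wrong key", "s3:PutObject", PUT_WRONG_KEY),
                               ("put no header", "s3:PutObject", PUT_NO_HEADER),
                               ("put ok", "s3:PutObject", PUT_OK)]:
        print(label, "->", request_denied(POLICY, action, ctx) or "allowed by bucket policy")
```

Pinning the key ARN rather than only requiring aws:kms is what gives the separation-of-duties property: a writer who can use some other key cannot place PHI under it, and every decrypt of this bucket's data is necessarily a call against the one key whose KMS policy and CloudTrail history you control.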
Audit Trails and Monitoring
Comprehensive logging
Enable AWS CloudTrail organization‑wide and send logs to a centralized, write‑once location with retention aligned to your policies. Capture application logs, VPC Flow Logs, load balancer access logs, and database audit logs to reconstruct security‑relevant events touching PHI.
Threat detection and configuration assurance
Use managed threat detection and continuous configuration checks to surface anomalies and misconfigurations. Correlate identity activity with network and application telemetry so you can quickly assess scope and impact during investigations.
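The correlation described above, applied to CloudTrail records, looks like the following. This is an added example, not from the original article or from AWS: a small rule set run over constructed CloudTrail-shaped events that flags root-user activity, console logins without MFA, successful decrypts of the PHI key by a principal outside an approved role, and AccessDenied errors against that key (the "log every decrypt" practice from the key-management list). The account id, key ARN, approved role name and sample events are all constructed.

```python
import fnmatch
from collections import Counter

ACCOUNT = "111122223333"  # placeholder account id
PHI_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-PHI-KEY-ID"  # placeholder
# Assumption: only sessions of this role are expected to decrypt with the PHI key
APPROVED_DECRYPT_PRINCIPALS = [f"arn:aws:sts::{ACCOUNT}:assumed-role/phi-app-role/*"]


def _principal(ev):
    return ev.get("userIdentity", {}).get("arn", "")


def _touches_phi_key(ev):
    # CloudTrail lists the KMS key used for Decrypt under resources[].ARN
    return any(r.get("ARN") == PHI_KEY_ARN for r in ev.get("resources", []))


def evaluate(ev):
    """Return the list of rule names a single CloudTrail record triggers."""
    hits = []
    if ev.get("userIdentity", {}).get("type") == "Root":
        hits.append("root-activity")
    if ev.get("eventName") == "ConsoleLogin" and \
            ev.get("additionalEventData", {}).get("MFAUsed") == "No":
        hits.append("console-login-without-mfa")
    if ev.get("eventSource") == "kms.amazonaws.com" and ev.get("eventName") == "Decrypt" \
            and _touches_phi_key(ev):
        if ev.get("errorCode") == "AccessDenied":
            hits.append("phi-key-decrypt-denied")
        elif not any(fnmatch.fnmatchcase(_principal(ev), p) for p in APPROVED_DECRYPT_PRINCIPALS):
            hits.append("phi-key-decrypt-unapproved-principal")
    return hits


def detect(events):
    """Run every rule over every record; each finding keeps the identity and
    source address so it can be correlated with VPC Flow Logs later."""
    return [{"rule": rule, "principal": _principal(ev),
             "eventName": ev.get("eventName"), "sourceIPAddress": ev.get("sourceIPAddress")}
            for ev in events for rule in evaluate(ev)]


def summarize(findings):
    return Counter(f["rule"] for f in findings)


# Constructed sample records (subset of CloudTrail fields)
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "Decrypt", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/phi-app-role/i-0exampleinstance"},
     "resources": [{"ARN": PHI_KEY_ARN}], "sourceIPAddress": "10.0.1.5"},
    {"eventName": "Decrypt", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "resources": [{"ARN": PHI_KEY_ARN}], "sourceIPAddress": "203.0.113.9"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventName": "Decrypt", "eventSource": "kms.amazonaws.com", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "resources": [{"ARN": PHI_KEY_ARN}], "sourceIPAddress": "203.0.113.9"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
    print(dict(summarize(detect(SAMPLE_EVENTS))))
```

The second record (the approved application role decrypting from a private address) produces no finding, which is the point of scoping the rule to an approved principal: the detection stays quiet on the expected data path and fires on the human user, the root session and the denied attempts that share a source address.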
Retention and evidence
Set immutable retention for critical audit records and maintain searchable indexes for rapid response. Keep documentation that ties controls to HIPAA requirements so assessments and incident reviews have authoritative evidence.
Backup and Disaster Recovery Strategies
Plan by RPO and RTO
Define recovery point objective (RPO) and recovery time objective (RTO) for each PHI system, then choose replication and snapshot strategies to meet them. Use multi‑AZ for high availability and cross‑Region backups or replication for regional resilience.
Backup execution
Automate snapshots and lifecycle policies, enable versioning on object stores, and protect backups with separate accounts and restricted access. Encrypt all backups with KMS and test restores regularly to validate integrity.
Disaster scenarios and exercises
Document failover runbooks and perform game‑day drills to rehearse regional outages, data corruption, and access‑key compromise. Integrate these exercises with your Incident Response Plan to verify roles, notifications, and decision points.
Regular Security Assessments
Risk analysis and risk management
Perform a formal HIPAA risk analysis for every system that touches PHI, track risks to closure, and reassess after significant changes. Map findings to technical owners and due dates so remediation is measurable.
Testing and continuous assurance
Run recurring vulnerability scans, hardening checks, and configuration drift detection. Schedule penetration tests for internet‑exposed and high‑risk components, and remediate findings with change control and post‑fix validation.
Governance and readiness
Hold periodic tabletop exercises for your Incident Response Plan, review access recertifications, and update policies as services evolve. A concise executive summary of control health and open risks keeps leadership accountable and audit‑ready.
Bottom line: AWS can be part of a HIPAA‑compliant program when you operate within a BAA, restrict PHI to HIPAA‑eligible services, and rigorously apply IAM, encryption, logging, resilience, and continuous assessment.
FAQs
What AWS services are covered under HIPAA compliance?
Only services on AWS’s HIPAA‑eligible list are covered for PHI when you have an executed BAA. Use those services for any system that creates, receives, maintains, or transmits PHI, and keep non‑eligible services outside PHI data flows.
How does the Business Associate Agreement affect HIPAA compliance on AWS?
The BAA allows AWS to host PHI as your business associate and sets shared obligations. You must restrict PHI to eligible services, configure safeguards, monitor for incidents, and follow your Incident Response Plan; AWS secures the underlying cloud infrastructure.
What encryption standards must be used for PHI on AWS?
Encrypt PHI at rest and in transit using industry‑accepted standards, such as AES‑256 for storage and TLS 1.2 or higher for network connections. Manage keys with AWS KMS, enforce least‑privileged decrypt access, and document rotations and emergency procedures.
How often should security assessments be conducted for HIPAA compliance?
Conduct a formal risk analysis at least annually and after significant architectural or regulatory changes. Run vulnerability scans routinely (for example, monthly or quarterly), perform periodic penetration tests on high‑risk systems, and continuously monitor configurations and audit logs.