HIPAA on AWS: A Complete Compliance Checklist
Quick summary: A practical checklist for building and maintaining HIPAA-compliant infrastructure on AWS — covering the BAA, eligible services, encryption, access controls, and audit requirements.
Key Takeaways
- A practical checklist for building and maintaining HIPAA-compliant infrastructure on AWS — covering the BAA, eligible services, encryption, access controls, and audit requirements

Building HIPAA-compliant infrastructure on AWS is achievable, but it requires deliberate architectural decisions at every layer. AWS provides the tools and services needed for compliance — but configuring them correctly is your responsibility under the shared responsibility model.
This checklist is based on our experience building HIPAA-compliant environments for healthcare organizations, health-tech startups, and any business that handles Protected Health Information (PHI) on AWS.
Understanding HIPAA on AWS
The Shared Responsibility Model for HIPAA
AWS is HIPAA-eligible, but that does not make your workload HIPAA-compliant by default. AWS is responsible for the security of the cloud (physical infrastructure, hypervisors, managed service security). You are responsible for security in the cloud (configuration, access controls, encryption, and application-level security).
What AWS guarantees: Physical data center security, network infrastructure, and the underlying security of HIPAA-eligible services.
What you must configure: Encryption, access controls, logging, monitoring, incident response, and administrative safeguards.
The Business Associate Agreement (BAA)
Before using AWS for PHI, you must have a Business Associate Agreement (BAA) in place with AWS. The BAA establishes the responsibilities of both parties for protecting PHI.
How to get the BAA: Sign the AWS BAA through the AWS Artifact console. This is a self-service process — no sales call or negotiation required. The BAA covers all HIPAA-eligible AWS services used in accounts that are part of your AWS Organization.
The HIPAA Compliance Checklist
1. Administrative Safeguards
- Execute the AWS BAA — Sign the Business Associate Agreement through AWS Artifact before processing any PHI
- Document your Security Risk Assessment — HIPAA requires a documented risk analysis identifying potential threats to PHI
- Assign a Security Officer — Designate an individual responsible for HIPAA security policies and procedures
- Create policies and procedures — Document your organization’s HIPAA policies covering access, encryption, incident response, and workforce training
- Implement workforce training — Ensure all employees who interact with PHI receive HIPAA awareness training annually
- Establish Business Associate Agreements with all third parties — Any vendor that accesses, stores, or processes PHI on your behalf needs a BAA
2. AWS Account and Organization Setup
- Use AWS Organizations — Separate HIPAA-regulated workloads into dedicated AWS accounts, isolated from non-HIPAA workloads
- Enable AWS CloudTrail — Organization-wide trail logging all API calls to a dedicated, tamper-proof S3 bucket in a log archive account
- Enable AWS Config — Record resource configurations and evaluate compliance rules across all accounts
- Enable AWS Security Hub — Centralized security findings aggregation with HIPAA-specific compliance checks
- Enable GuardDuty — Threat detection across all accounts in the Organization
- Apply Service Control Policies — Restrict launching resources in unauthorized Regions, prevent disabling CloudTrail, and enforce other organizational guardrails
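The two Service Control Policy guardrails named above (a Region allow-list and protection of CloudTrail against being switched off) are easiest to reason about when you can test them against concrete requests before attaching them to an Organization. The block below is an added example, not AWS tooling or this checklist's own code: it builds the SCP document and runs a deliberately small offline model of the policy language (Deny statements, Action/NotAction, StringNotEquals and ArnNotLike) against sample API calls. The approved Regions, the `OrgBreakGlass` exemption role and the account ID are constructed values.

```python
"""Offline model of two Service Control Policy guardrails from the checklist:
a Region allow-list and protection of CloudTrail against being disabled.
Added example, not AWS tooling. The evaluator covers only the slice of the
policy language this SCP uses (Deny, Action/NotAction, StringNotEquals,
ArnNotLike); it is not a general IAM simulator."""
import fnmatch
import json

# Constructed values: approved Regions and a hypothetical break-glass role
# that is allowed to act outside them.
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]
BREAK_GLASS_PATTERN = "arn:aws:iam::*:role/OrgBreakGlass"


def build_scp(allowed_regions, exempt_role_pattern):
    """Return the SCP document as a dict ready for json.dumps."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                # Global services are not Region-scoped; keep them out of the
                # Deny so IAM, Organizations, STS and Route 53 keep working.
                "NotAction": ["iam:*", "organizations:*", "sts:*",
                              "support:*", "cloudfront:*", "route53:*"],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions},
                    "ArnNotLike": {"aws:PrincipalARN": [exempt_role_pattern]},
                },
            },
            {
                "Sid": "ProtectCloudTrail",
                "Effect": "Deny",
                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                           "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_covers_action(statement, action):
    if "Action" in statement:
        return _matches_any(action, _as_list(statement["Action"]))
    # NotAction: the statement applies to every action NOT listed.
    return not _matches_any(action, _as_list(statement["NotAction"]))


def _condition_holds(condition, ctx):
    """Evaluate the negated operators used above. As in IAM, a negated
    operator is satisfied when the key is absent from the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                continue
            if operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            elif operator == "ArnNotLike":
                if _matches_any(actual, _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def denied_by(scp, action, ctx):
    """Return the Sid of the first Deny statement that matches, or None.
    Allow statements are not modelled: these guardrails are pure Denies."""
    for statement in scp["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not _statement_covers_action(statement, action):
            continue
        if _condition_holds(statement.get("Condition", {}), ctx):
            return statement["Sid"]
    return None


SCP = build_scp(ALLOWED_REGIONS, BREAK_GLASS_PATTERN)
# Constructed principals for the walk-through below.
ADMIN = "arn:aws:iam::111122223333:role/PlatformAdmin"
BREAK_GLASS = "arn:aws:iam::111122223333:role/OrgBreakGlass"

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for action, region, who in [
        ("ec2:RunInstances", "ap-south-1", ADMIN),
        ("ec2:RunInstances", "us-east-1", ADMIN),
        ("ec2:RunInstances", "ap-south-1", BREAK_GLASS),
        ("cloudtrail:StopLogging", "us-east-1", BREAK_GLASS),
    ]:
        ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": who}
        print(f"{action:28} {region:12} -> {denied_by(SCP, action, ctx)}")
```

Two details matter in practice and show up in the model: the Region statement uses `NotAction` so that global services are not blocked, and the CloudTrail statement has no exemption at all, so even the break-glass role cannot stop logging.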
3. Identity and Access Management
- Enforce MFA for all human access — Console users, CLI users, and root accounts must use MFA
- Eliminate root account usage — Root credentials should only be used for account-level tasks that require them. Enable MFA on root and store credentials securely
- Implement least-privilege IAM policies — No user or role should have AdministratorAccess or PowerUserAccess in HIPAA accounts
- Use IAM roles, not access keys — EC2 instances, Lambda functions, and ECS tasks should use IAM roles, not long-lived access keys
- Rotate credentials regularly — If access keys are necessary, enforce automatic rotation through Secrets Manager
- Implement role-based access control — Define IAM groups and roles aligned to job functions with appropriate permission boundaries
- Enable IAM Access Analyzer — Identify resources shared externally and unused permissions
4. Encryption
HIPAA requires encryption of PHI at rest and in transit. AWS provides the tools; you must configure them.
At Rest:
- S3 — Default encryption enabled (SSE-S3 or SSE-KMS with customer-managed keys)
- EBS — Encryption enabled on all volumes (using KMS keys)
- RDS — Encryption enabled on all instances (enabled at creation, cannot be added retroactively)
- DynamoDB — Encryption enabled (default with AWS-managed keys, or customer-managed KMS keys)
- ElastiCache — Encryption at rest enabled for Redis clusters
- SQS — Server-side encryption enabled with KMS keys
- SNS — Message encryption enabled for topics carrying PHI
- Kinesis — Encryption enabled for data streams
- EFS — Encryption enabled at creation
- Backup — All backups encrypted with the same or stricter key policies as source data
In Transit:
- Enforce TLS 1.2+ for all external-facing endpoints (ALB, API Gateway, CloudFront)
- Enforce SSL/TLS for database connections — rds.force_ssl parameter enabled
- Enforce HTTPS for S3 access — Bucket policy denying aws:SecureTransport = false
- VPC endpoints for AWS service access — Keep traffic off the public internet for S3, DynamoDB, SQS, and other services
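The S3 item above is the one most often half-done in reviews: a Deny on `aws:SecureTransport = false` that names the bucket ARN but not the `/*` object ARN still lets objects be fetched over plain HTTP. The block below is an added example, not AWS or this checklist's own code; it shows the hardened statement, checks whether a given bucket policy (the JSON that `get-bucket-policy` returns) actually enforces TLS, and appends the statement when it does not. The bucket name, role ARN and account ID are constructed.

```python
"""Check whether an S3 bucket policy enforces TLS, i.e. contains a Deny that
blocks every request made with aws:SecureTransport = false, and add one if
not. Added example, not AWS code; bucket and principal names are constructed."""
import json

BUCKET = "example-phi-bucket"  # constructed


def tls_only_statement(bucket):
    """The hardened statement: all principals, all S3 actions, bucket AND
    object ARNs, denied whenever the request was not made over TLS."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def enforces_tls(policy_json, bucket):
    """True only if some Deny statement is broad enough to block every
    plaintext request: any principal, s3:* (or *), both the bucket ARN and
    the object ARN, conditioned on aws:SecureTransport = false."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        if not required <= set(_as_list(st.get("Resource", []))):
            continue  # bucket-only ARN leaves GetObject over HTTP open
        flags = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", [])
        if any(str(v).lower() == "false" for v in _as_list(flags)):
            return True
    return False


def harden(policy_json, bucket):
    """Return the policy with the TLS-only Deny appended if it was missing."""
    policy = json.loads(policy_json)
    if not enforces_tls(policy, bucket):
        policy.setdefault("Statement", []).append(tls_only_statement(bucket))
    return json.dumps(policy, indent=2)


# Constructed 'before' policy: a read-only grant and nothing about transport.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
})

# Constructed half-fix: the Deny names the bucket ARN but not the objects
# under it, so object reads over HTTP still succeed.
PARTIAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY)]:
        print(f"{name}: enforces TLS = {enforces_tls(doc, BUCKET)}")
    print(harden(WEAK_POLICY, BUCKET))
```

The same check is what an AWS Config rule or Security Hub control evaluates; running it locally against exported policies lets you find the partial statements before an auditor does.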
Key Management:
- Use AWS KMS customer-managed keys for PHI encryption — provides audit trail via CloudTrail and granular access control
- Enable automatic key rotation — Annual rotation for KMS keys
- Restrict key policies — Only authorized roles and users can use encryption keys
5. Network Security
- Deploy PHI workloads in private subnets — No direct internet access for databases, application servers, or storage
- Use NAT Gateways for outbound internet access from private subnets
- Implement Security Groups with least-privilege rules — No 0.0.0.0/0 ingress except for public-facing load balancers on ports 80/443
- Use Network ACLs as an additional layer — Subnet-level deny rules for defense in depth
- Deploy AWS WAF on ALBs and CloudFront — Protect against OWASP Top 10 attacks
- Enable VPC Flow Logs — Capture network traffic metadata for security monitoring and incident investigation
- Implement VPC endpoints — Reduce attack surface by accessing AWS services without traversing the internet
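The security group rule above ("no 0.0.0.0/0 ingress except 80/443 on public load balancers") is easy to state and easy to violate quietly, for example with an IPv6 `::/0` source or an all-protocols (`-1`) rule. The block below is an added example, not AWS or this checklist's own code: it audits an inventory shaped like the `SecurityGroups` list from `describe-security-groups` and reports every world-open rule that does not fall under the load balancer exception. The `Role=public-alb` tag that identifies load balancer groups is a hypothetical convention, and the group IDs are constructed.

```python
"""Audit security group ingress for the checklist rule: nothing open to the
world except TCP 80/443 on public-facing load balancer groups. Added example,
not AWS code. Input mirrors describe-security-groups output; the Role=public-alb
tag is a hypothetical convention and the sample inventory is constructed."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
LB_PORTS = {80, 443}


def _is_public_lb(group):
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    return tags.get("Role") == "public-alb"


def _world_sources(perm):
    """CIDR ranges in this rule that mean 'anyone', IPv4 or IPv6."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD_CIDRS)


def _port_set(perm):
    """None means every port: IpProtocol -1 is all traffic and carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit_ingress(groups):
    """Return one finding per world-open rule that is not a permitted LB rule."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue
            ports = _port_set(perm)
            allowed_lb_rule = (
                _is_public_lb(group)
                and perm.get("IpProtocol") == "tcp"
                and ports is not None
                and ports <= LB_PORTS
            )
            if allowed_lb_rule:
                continue
            findings.append({
                "group": group["GroupId"],
                "protocol": perm.get("IpProtocol"),
                "ports": "all" if ports is None else f"{perm['FromPort']}-{perm['ToPort']}",
                "sources": sources,
            })
    return findings


def _rule(proto, from_port, to_port, *cidrs):
    """Build one IpPermissions entry in the describe-security-groups shape."""
    perm = {"IpProtocol": proto, "IpRanges": [], "Ipv6Ranges": []}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    for cidr in cidrs:
        if ":" in cidr:
            perm["Ipv6Ranges"].append({"CidrIpv6": cidr})
        else:
            perm["IpRanges"].append({"CidrIp": cidr})
    return perm


# Constructed inventory: a compliant ALB group, a private DB group, three offenders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0alb", "Tags": [{"Key": "Role", "Value": "public-alb"}],
     "IpPermissions": [_rule("tcp", 80, 80, "0.0.0.0/0", "::/0"),
                       _rule("tcp", 443, 443, "0.0.0.0/0", "::/0")]},
    {"GroupId": "sg-0db", "Tags": [],
     "IpPermissions": [_rule("tcp", 5432, 5432, "10.20.0.0/16")]},
    {"GroupId": "sg-0bastion", "Tags": [],
     "IpPermissions": [_rule("tcp", 22, 22, "0.0.0.0/0")]},
    {"GroupId": "sg-0alb-wide", "Tags": [{"Key": "Role", "Value": "public-alb"}],
     "IpPermissions": [_rule("tcp", 0, 65535, "0.0.0.0/0")]},
    {"GroupId": "sg-0app", "Tags": [],
     "IpPermissions": [_rule("-1", None, None, "::/0")]},
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_GROUPS):
        print(finding)
```

Note that the load balancer exception is checked per rule, not per group: a tagged ALB group with a 0-65535 rule is still reported, which is the case a group-level allow-list would miss.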
6. Logging and Monitoring
HIPAA requires audit controls that record and examine activity in systems containing PHI.
- CloudTrail — Organization-wide trail logging all management and data events to a secured, encrypted S3 bucket with object lock (immutable logs)
- CloudWatch Logs — Application and system logs from all PHI-processing workloads
- VPC Flow Logs — Network activity captured for all VPCs handling PHI
- S3 access logging — Enabled for all buckets containing PHI
- RDS audit logging — Enabled (MySQL audit log, PostgreSQL pgaudit, or SQL Server audit)
- CloudWatch Alarms — Configured for security-relevant events:
  - Root account login
  - IAM policy changes
  - Security Group changes
  - CloudTrail configuration changes
  - Unauthorized API calls
- Log retention — Define and enforce retention periods; HIPAA requires 6-year retention for certain records. Configure CloudWatch Logs retention and S3 lifecycle policies accordingly
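The five alarm conditions listed above are, in production, CloudWatch metric filters on the CloudTrail log group. The block below is an added example, not AWS or this checklist's own code: it expresses the same predicates as Python and runs them over a handful of constructed CloudTrail records (trimmed to the fields the predicates read), so the matching logic can be checked offline before the filter patterns are written. Event names and error-code patterns are the standard CloudTrail values; the user names and account ID are constructed.

```python
"""Classify CloudTrail records into the alarm categories from the checklist:
root login, IAM policy changes, security group changes, CloudTrail
configuration changes, unauthorized API calls. Added example, not AWS code;
the sample records are constructed and trimmed to the fields read here."""
import fnmatch
import json

IAM_POLICY_EVENTS = {
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
CLOUDTRAIL_EVENTS = {
    "CreateTrail", "UpdateTrail", "DeleteTrail",
    "StartLogging", "StopLogging", "PutEventSelectors",
}
# Error codes meaning the caller attempted something it was not permitted to do.
UNAUTHORIZED_PATTERNS = ("*UnauthorizedOperation", "AccessDenied*")


def classify(record):
    """Return the set of alarm categories a single CloudTrail record triggers."""
    categories = set()
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    identity = record.get("userIdentity", {})
    # Root console sign-in; invokedBy is present when a service acted for root.
    if name == "ConsoleLogin" and identity.get("type") == "Root" and "invokedBy" not in identity:
        categories.add("root_login")
    if source == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        categories.add("iam_policy_change")
    if source == "ec2.amazonaws.com" and name in SECURITY_GROUP_EVENTS:
        categories.add("security_group_change")
    if source == "cloudtrail.amazonaws.com" and name in CLOUDTRAIL_EVENTS:
        categories.add("cloudtrail_config_change")
    error = record.get("errorCode", "")
    if any(fnmatch.fnmatchcase(error, p) for p in UNAUTHORIZED_PATTERNS):
        categories.add("unauthorized_api_call")
    return categories


def scan(log_text):
    """Run classify over newline-delimited JSON records, the form CloudTrail
    delivers to CloudWatch Logs. Returns [(eventName, sorted categories)]
    for records that triggered at least one category."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        cats = classify(record)
        if cats:
            hits.append((record.get("eventName"), sorted(cats)))
    return hits


# Constructed records: one per category plus a benign read-only call.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}, "awsRegion": "us-east-1"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}},
])

if __name__ == "__main__":
    for event_name, cats in scan(SAMPLE_LOG):
        print(f"{event_name:32} {', '.join(cats)}")
```

Keeping the event-name sets in one place also gives you the list to paste into the metric filter patterns, and the unauthorized-call match on `*UnauthorizedOperation` / `AccessDenied*` is the same wildcard pair the CloudTrail filter syntax uses.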
7. HIPAA-Eligible AWS Services
Only use HIPAA-eligible services for PHI workloads. The current list includes (but is not limited to):
| Category | Eligible Services |
|---|---|
| Compute | EC2, Lambda, ECS, EKS, Fargate, Lightsail |
| Storage | S3, EBS, EFS, S3 Glacier, Storage Gateway |
| Database | RDS, Aurora, DynamoDB, ElastiCache, DocumentDB, Neptune |
| Networking | VPC, Route 53, CloudFront, API Gateway, ELB, Transit Gateway |
| Security | IAM, KMS, Secrets Manager, GuardDuty, Security Hub, WAF, Shield |
| Analytics | Athena, Kinesis, QuickSight, Glue, EMR |
| AI/ML | SageMaker, Bedrock, Comprehend Medical, Transcribe Medical |
| Messaging | SES, SNS, SQS, EventBridge |
| Monitoring | CloudWatch, CloudTrail, Config, X-Ray |
Important: Check the AWS HIPAA Eligible Services page for the latest list, as AWS regularly adds services.
8. Data Backup and Disaster Recovery
- Automated backups enabled for all databases (RDS, DynamoDB, Aurora)
- Cross-Region backup replication for disaster recovery (if RTO/RPO requirements warrant it)
- Backup encryption — All backups encrypted with KMS keys
- Regular backup restoration testing — Quarterly validation that backups can be restored successfully
- Documented disaster recovery plan — RPO and RTO targets defined for each PHI workload
- AWS Backup centralized policy — Consistent backup policies applied across all PHI data stores
9. Incident Response
- Documented incident response plan — Procedures for detecting, responding to, and reporting PHI breaches
- Automated detection — GuardDuty, Security Hub, and CloudWatch alarms for suspicious activity
- Automated response — Lambda functions triggered by GuardDuty findings for initial containment (e.g., isolating compromised instances)
- Breach notification procedures — Process for notifying affected individuals, HHS, and media (if applicable) within HIPAA’s 60-day requirement
- Post-incident review — Root cause analysis and remediation after every security event
10. Ongoing Compliance Monitoring
- AWS Config rules — Automated compliance checking for encryption, public access, logging, and other HIPAA requirements
- Security Hub HIPAA standard — Enable the AWS Foundational Security Best Practices standard and review findings weekly
- Quarterly access reviews — Review IAM users, roles, and permissions quarterly to remove unnecessary access
- Annual risk assessment — Update your security risk analysis annually or when significant changes occur
- Penetration testing — Annual penetration testing of HIPAA-regulated workloads (AWS permits penetration testing with notification)
- Vendor management — Review BAAs and security practices of all business associates annually
Common HIPAA Mistakes on AWS
Mistake 1: Assuming the BAA Covers All Services
The AWS BAA only covers HIPAA-eligible services. If you process PHI through a non-eligible service, you are out of compliance — even with a signed BAA. Always verify that every service in your PHI data path is on the eligible services list.
Mistake 2: Not Encrypting RDS at Creation
RDS encryption must be enabled when the instance is created. You cannot add encryption to an existing unencrypted RDS instance. The workaround is to create an encrypted snapshot, restore from it, and switch over — a process that requires downtime.
Mistake 3: Storing PHI in CloudWatch Logs Without Encryption
CloudWatch Logs can contain PHI if your application logs include patient data. Enable KMS encryption on log groups that may contain PHI, and implement log scrubbing in your application to minimize PHI in logs.
Mistake 4: Using Default VPCs
Default VPCs have permissive networking configurations. Always deploy HIPAA workloads in custom VPCs with intentionally designed subnets, routing, and security policies.
Mistake 5: No Log Retention Policy
HIPAA requires retaining certain records for 6 years. Without explicit retention policies on CloudWatch Logs and CloudTrail S3 buckets, logs may be deleted prematurely or retained indefinitely (increasing storage costs).
Getting Started with HIPAA on AWS
HIPAA compliance on AWS is achievable with the right architecture and configuration. The checklist above provides a comprehensive starting point, but every organization’s compliance requirements are different based on the type of PHI handled, the applications processing it, and the regulatory environment.
Our team has built HIPAA-compliant environments for healthcare providers, health-tech startups, and organizations handling PHI in any capacity. We can help you design, implement, and validate your compliance posture.
For broader AWS security services, see our AWS Cloud Security and Compliance page.