
HIPAA · Security & Privacy Rules · 45 CFR Parts 160, 162, 164

HIPAA on AWS — From PHI Risk to Audit-Ready in 8 Weeks

HIPAA has no formal certification. It is enforced by HHS OCR — and enforcement is reactive. We build the technical safeguards, BAA boundaries, and evidence trail your covered-entity attorney and downstream auditors need before they ever ask.

Framework
Health Insurance Portability and Accountability Act
Version
Security Rule (45 CFR §164.302–§164.318) · Privacy Rule · Breach Notification Rule
Regulator
US Department of Health and Human Services — Office for Civil Rights (HHS OCR)
Assessor type
No formal certification — HHS OCR enforces; clients often request HITRUST CSF or SOC 2 + HIPAA mapping as proxy

Scope: Any covered entity, business associate, or subcontractor that creates, receives, maintains, or transmits Protected Health Information (PHI) on AWS.

Part of the AWS Security & Compliance hub.

Who needs this

Teams that typically engage on HIPAA on AWS

Telehealth and digital-health platforms storing or transmitting PHI on AWS

EHR/EMR vendors, FHIR APIs, and clinical SaaS handling patient records

Healthcare AI workloads on Bedrock or SageMaker (foundation-model inference on PHI)

Health-tech startups onboarding hospital systems that require BAA + technical safeguard evidence

Shared Responsibility

AWS Shared Responsibility for HIPAA on AWS

What AWS does, what you do, and where the line moves under this specific framework.

AWS owns

  • Signs the AWS Business Associate Addendum (BAA) with you via AWS Artifact, which establishes AWS as your business associate (or subcontractor, if you are yourself a business associate)
  • Operates HIPAA-eligible services to AWS HIPAA program standards (physical security, hypervisor, host OS, managed-service patching)
  • Publishes the current HIPAA Eligible Services list — Bedrock, Bedrock AgentCore (Feb 2026), S3, KMS, RDS, DynamoDB, ECS/EKS, Lambda, SageMaker, and ~150 others

Joint

  • Encryption: AWS provides KMS; you choose customer managed keys, their key policies and their rotation schedule
  • Audit logging: AWS provides CloudTrail/CloudWatch; you configure retention for PHI access events (this page uses ≥6 years, matching the six-year documentation retention period in §164.316(b)(2))
  • Backup and disaster recovery: AWS provides Backup, you define RPO/RTO and test restoration

You own

  • §164.312(a) Access control — IAM Identity Center, MFA, role-based access, automatic logoff
  • §164.312(b) Audit controls — CloudTrail multi-region, log integrity validation, Athena/Security Lake queries
  • §164.312(c) Integrity — KMS-CMK at rest, immutable backups (S3 Object Lock), code-signing for clinical apps
  • §164.312(d) Person-or-entity authentication — Cognito MFA, IAM Identity Center MFA, no shared accounts
  • §164.312(e) Transmission security — TLS 1.2+ everywhere, ML-KEM hybrid where supported, no PHI in URLs
  • Workforce training, sanction policies, vendor BAAs, Notice of Privacy Practices — your covered-entity counsel owns these

Control-by-control AWS implementation

Each control mapped to the AWS service that satisfies it

Excerpts from the full control matrix we deliver in the engagement. Not exhaustive — your audit scope drives the final mapping.

§164.308 Administrative Safeguards

Administrative safeguards are policy and procedure — but every policy needs a technical signal that proves it is operating. AWS provides those signals.

§164.308(a)(1)(ii)(A)

Risk Analysis

AWS services
IAM Access Analyzer, Security Hub Essentials, AWS Config, AWS Trusted Advisor

Continuous risk register populated from Security Hub findings tagged HIPAA, so the documented risk analysis OCR asks for stays current instead of being a point-in-time snapshot.

§164.308(a)(1)(ii)(D)

Information System Activity Review

AWS services
CloudTrail, CloudTrail Lake, Security Lake (OCSF), Amazon Detective

CloudTrail Lake queries scheduled monthly per workload; Detective for graph-based incident triage.
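One concrete form of that monthly activity review, added here as an example and not tooling from the page or the engagement: Python that walks CloudTrail S3 data events for a PHI bucket and flags reads by principals outside an allow-list, requests that bypassed the expected VPC endpoint (no `vpcEndpointId` means the call hit the public S3 endpoint), and AccessDenied probes. The bucket name, role names, endpoint ID and the events themselves are constructed; the field names (`userIdentity.arn`, `requestParameters.bucketName`, `vpcEndpointId`, `errorCode`) are real CloudTrail fields. The same rules can be expressed as a CloudTrail Lake SQL query once the event data store is in place.

```python
"""Activity review over CloudTrail S3 data events for a PHI bucket.

Added example, not tooling from the page. The bucket, roles, VPC endpoint
ID and the events are constructed; the CloudTrail field names are real.
"""
from typing import Dict, Iterable, List, Optional

PHI_BUCKET = "example-phi-records"                 # assumption: bucket holding PHI objects
ALLOWED_ROLES = {"ClinicalApiRole"}                # assumption: roles permitted to touch PHI
EXPECTED_VPC_ENDPOINT = "vpce-0a1b2c3d4e5f6a7b8"   # assumption: the S3 interface endpoint


def role_name(event: Dict) -> Optional[str]:
    """Extract RoleName from an assumed-role ARN; None for IAM users, root, or others."""
    arn = event.get("userIdentity", {}).get("arn", "")
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return None


def review_phi_access(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per PHI-bucket event that breaks a review rule."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("bucketName") != PHI_BUCKET:
            continue  # other buckets are out of scope for this review
        reasons = []
        if role_name(ev) not in ALLOWED_ROLES:
            reasons.append("principal not allow-listed: " + ev["userIdentity"].get("arn", "?"))
        if ev.get("vpcEndpointId") != EXPECTED_VPC_ENDPOINT:
            # A missing vpcEndpointId means the request went to the public S3 endpoint
            reasons.append("request did not arrive via the expected VPC endpoint")
        if ev.get("errorCode") == "AccessDenied":
            reasons.append("AccessDenied on PHI bucket (probe or misconfiguration)")
        if reasons:
            findings.append({"eventID": ev["eventID"], "eventName": ev["eventName"],
                             "key": params.get("key"), "reasons": reasons})
    return findings


# Constructed sample events (shape follows CloudTrail S3 data events; values are made up)
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ClinicalApiRole/app"},
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1001.json"},
     "vpcEndpointId": "vpce-0a1b2c3d4e5f6a7b8"},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataScienceRole/jdoe"},
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1002.json"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataScienceRole/jdoe"},
     "requestParameters": {"bucketName": "example-public-assets", "key": "logo.png"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "example-phi-records"},
     "errorCode": "AccessDenied",
     "vpcEndpointId": "vpce-0a1b2c3d4e5f6a7b8"},
]

if __name__ == "__main__":
    for f in review_phi_access(SAMPLE_EVENTS):
        print(f["eventID"], f["eventName"], f["key"], "->", "; ".join(f["reasons"]))
```

Against the sample, e1 is a clean read, e3 is out of scope, e2 is flagged twice (wrong role, public endpoint) and e4 is flagged twice (IAM user rather than an allow-listed role, AccessDenied). Feed the function real events exported from CloudTrail Lake or Athena and the findings become the evidence that the review actually ran.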

§164.308(a)(5)(ii)(B)

Protection from Malicious Software

AWS services
GuardDuty Malware Protection, Inspector v2

Agentless EBS-snapshot malware scanning; Inspector v2 for container images and Lambda code.

§164.308(a)(6)

Security Incident Procedures

AWS services
EventBridge, Step Functions, Security Hub automation rules, AWS Systems Manager Incident Manager

Pre-built runbooks for credential exfiltration, public S3 PHI exposure, and IAM privilege escalation.

§164.312 Technical Safeguards

The technical safeguards are where AWS-native services do the heaviest lifting. Most controls map 1:1 to a managed service.

§164.312(a)(1)

Access Control

AWS services
IAM Identity Center, AWS IAM, Cognito, Verified Permissions (Cedar)

Workforce SSO with identity propagation; least-privilege IAM enforced via Access Analyzer; ABAC at scale.

§164.312(a)(2)(iv)

Encryption and Decryption

AWS services
KMS, CloudHSM, AWS Certificate Manager (with ML-KEM hybrid)

KMS-CMK with annual rotation; ACM Private CA for internal mTLS; ML-KEM hybrid TLS for long-lived data flows.

§164.312(b)

Audit Controls

AWS services
CloudTrail, CloudTrail Lake, CloudWatch Logs, AWS Config

Multi-region CloudTrail with log file validation; ≥6-year retention via Lake; immutable log archive in dedicated account.
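What "log file validation" actually checks, as an added example that is not tooling from the page: CloudTrail delivers an hourly digest file listing every log file it wrote with that file's SHA-256, and each digest records the SHA-256 of the previous digest, so the digests form a hash chain back to the trail's start. The Python below walks that chain over a constructed in-memory object store and reports a scrubbed log file, a re-issued digest, or a missing file. Object keys and contents are constructed; the digest field names (`logFiles[].s3Object`, `logFiles[].hashValue`, `previousDigestS3Object`, `previousDigestHashValue`) are the real ones. The example checks hashes only; a complete check also verifies each digest's SHA256withRSA signature against the public key returned by `aws cloudtrail list-public-keys`, which is what stops an attacker from re-issuing the whole chain.

```python
"""Validate a chain of CloudTrail digest files against the log files they cover.

Added example, not tooling from the page. Keys and contents are constructed;
hashes are taken over uncompressed contents, as CloudTrail's own validator does.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

PREFIX = "AWSLogs/111122223333/CloudTrail"   # constructed; real keys carry region/date paths
K_LOG1 = f"{PREFIX}/log-0100.json"
K_LOG2 = f"{PREFIX}/log-0200.json"
K_D1 = f"{PREFIX}-Digest/digest-0100.json"
K_D2 = f"{PREFIX}-Digest/digest-0200.json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_digest_chain(store: Dict[str, bytes], newest_digest: str) -> List[Tuple[str, List[str]]]:
    """Walk from the newest digest back to the chain start; list problems per digest."""
    report = []
    key: Optional[str] = newest_digest
    while key is not None:
        raw = store.get(key)
        if raw is None:
            report.append((key, ["digest file missing (chain broken)"]))
            break
        digest = json.loads(raw)
        problems = []
        for lf in digest["logFiles"]:          # every log file the digest vouches for
            content = store.get(lf["s3Object"])
            if content is None:
                problems.append("log file missing: " + lf["s3Object"])
            elif sha256_hex(content) != lf["hashValue"]:
                problems.append("log file hash mismatch: " + lf["s3Object"])
        prev = digest.get("previousDigestS3Object")
        if prev is not None and prev in store and sha256_hex(store[prev]) != digest["previousDigestHashValue"]:
            problems.append("previous digest hash mismatch: " + prev)
        report.append((key, problems))
        key = prev                              # follow the chain backwards
    return report


def chain_intact(report: List[Tuple[str, List[str]]]) -> bool:
    return all(not problems for _, problems in report)


def build_sample_store() -> Dict[str, bytes]:
    """Constructed: two hourly log files and the two digests that cover them."""
    log1 = json.dumps({"Records": [{"eventID": "a1", "eventName": "GetObject"}]}).encode()
    log2 = json.dumps({"Records": [{"eventID": "b2", "eventName": "PutObject"}]}).encode()
    d1 = {"awsAccountId": "111122223333", "digestEndTime": "2025-01-01T01:00:00Z",
          "digestS3Object": K_D1, "previousDigestS3Object": None, "previousDigestHashValue": None,
          "logFiles": [{"s3Object": K_LOG1, "hashValue": sha256_hex(log1), "hashAlgorithm": "SHA-256"}]}
    d1_raw = json.dumps(d1).encode()
    d2 = {"awsAccountId": "111122223333", "digestEndTime": "2025-01-01T02:00:00Z",
          "digestS3Object": K_D2, "previousDigestS3Object": K_D1,
          "previousDigestHashValue": sha256_hex(d1_raw),
          "logFiles": [{"s3Object": K_LOG2, "hashValue": sha256_hex(log2), "hashAlgorithm": "SHA-256"}]}
    return {K_LOG1: log1, K_LOG2: log2, K_D1: d1_raw, K_D2: json.dumps(d2).encode()}


def tamper_log(store: Dict[str, bytes]) -> Dict[str, bytes]:
    """Simulate an attacker scrubbing the first hour's records to hide a PHI read."""
    tampered = dict(store)
    tampered[K_LOG1] = json.dumps({"Records": []}).encode()
    return tampered


def forge_digest(store: Dict[str, bytes], digest_key: str) -> Dict[str, bytes]:
    """Re-issue one digest so its logFiles hashes match the tampered logs.

    The next digest still records the old hash of this one, so the chain check
    catches it even before the (unverifiable) signature is considered.
    """
    forged = dict(store)
    digest = json.loads(forged[digest_key])
    for lf in digest["logFiles"]:
        lf["hashValue"] = sha256_hex(forged[lf["s3Object"]])
    forged[digest_key] = json.dumps(digest).encode()
    return forged


if __name__ == "__main__":
    clean = build_sample_store()
    print("clean chain intact:", chain_intact(validate_digest_chain(clean, K_D2)))
    for key, problems in validate_digest_chain(forge_digest(tamper_log(clean), K_D1), K_D2):
        print(key, problems)
```

The point for an auditor is the second scenario: an attacker with write access to the log bucket can rewrite a log file and even the digest that covers it, but not the later digest that already committed to the earlier digest's hash. Writing the digests and logs into an Object Lock bucket in a separate account, as the control above describes, removes even that write access.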

§164.312(c)(1)

Integrity

AWS services
S3 Object Lock, AWS Backup with Vault Lock, KMS-CMK, AWS Signer

Immutable backups with WORM compliance mode; signed Lambda code packages.

§164.312(e)(1)

Transmission Security

AWS services
ALB/NLB with TLS 1.2+, API Gateway, CloudFront, AWS PrivateLink

No PHI in URL paths or query strings; PrivateLink for AWS-internal PHI flows; VPC endpoints for managed services.
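A way to check the "no PHI in URL paths or query strings" rule and the TLS floor against what the edge actually served, added here as an example and not tooling from the page: Python that parses ALB access-log lines, inspects the request URL for sensitive parameter names and PHI-shaped values (SSN, date of birth, email) in both path segments and query string, and flags the `ssl_protocol` field when it is below TLS 1.2 or absent because the listener is plain HTTP. The parameter names, patterns and the log lines are constructed; the ALB access-log field order (quoted request, then user agent, `ssl_cipher`, `ssl_protocol`) is the real one, with the trailing fields omitted from the samples.

```python
"""Scan ALB access-log lines for PHI leaking into URLs and for weak TLS at the edge.

Added example, not tooling from the page. Parameter names, patterns and the
log lines are constructed; the ALB field layout is real, trailing fields omitted.
"""
import re
import shlex
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameter names your API uses for values that are PHI when tied to a person
SENSITIVE_PARAMS = {"ssn", "dob", "mrn", "patient_id", "patient_name", "diagnosis"}
# Value shapes that look like PHI regardless of which parameter carries them
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
}
MIN_TLS = 1.2
REQUEST_IDX, SSL_PROTOCOL_IDX = 12, 15   # token positions in an ALB access-log line


def scan_alb_line(line: str) -> List[str]:
    """Return the list of findings for one access-log line (empty when clean)."""
    fields = shlex.split(line)               # honours the quoted "request" and user-agent fields
    findings = []
    _method, url, _version = fields[REQUEST_IDX].split(" ", 2)
    parts = urlsplit(url)
    for seg in parts.path.split("/"):
        for label, pat in VALUE_PATTERNS.items():
            if pat.match(seg):
                findings.append(f"{label}-like value in URL path: {seg}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive parameter in query string: {name}")
        for label, pat in VALUE_PATTERNS.items():
            if pat.match(value):
                findings.append(f"{label}-like value in query parameter {name}")
    proto = fields[SSL_PROTOCOL_IDX]
    if proto == "-":                         # ALB writes "-" for an HTTP (non-TLS) listener
        findings.append("no TLS (plain HTTP listener)")
    else:
        try:
            if float(proto.removeprefix("TLSv")) < MIN_TLS:
                findings.append(f"TLS below minimum: {proto}")
        except ValueError:
            findings.append(f"unrecognised ssl_protocol: {proto}")
    return findings


def scan_alb_log(lines) -> List[Tuple[int, List[str]]]:
    """(line index, findings) for every line that produced at least one finding."""
    return [(i, f) for i, line in enumerate(lines) if (f := scan_alb_line(line))]


# Constructed sample lines; hosts, IPs, ARNs and identifiers are made up
_TG = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/phi-api/73e2d6bc24d8a067"
SAMPLE_ALB_LINES = [
    'https 2025-01-01T12:00:00.000000Z app/phi-alb/50dc6c495c0c9188 203.0.113.10:51234 '
    '10.0.2.15:8443 0.001 0.012 0.000 200 200 512 2048 '
    '"GET https://api.example.com:443/v1/patients/lookup?ssn=123-45-6789&dob=1984-07-21 HTTP/2.0" '
    f'"Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {_TG} "Root=1-58337262-36d228ad5d99923122bbe354"',
    'https 2025-01-01T12:00:01.000000Z app/phi-alb/50dc6c495c0c9188 203.0.113.11:51235 '
    '10.0.2.16:8443 0.001 0.020 0.000 200 200 1024 4096 '
    '"POST https://api.example.com:443/v1/patients/search HTTP/2.0" '
    f'"Mozilla/5.0" TLS_AES_128_GCM_SHA256 TLSv1.3 {_TG} "Root=1-58337263-36d228ad5d99923122bbe355"',
    'https 2025-01-01T12:00:02.000000Z app/phi-alb/50dc6c495c0c9188 198.51.100.7:40001 '
    '10.0.2.15:8443 0.002 0.015 0.000 200 200 300 900 '
    '"GET https://api.example.com:443/v1/records/123-45-6789/allergies HTTP/1.1" '
    f'"curl/8.0" AES128-SHA TLSv1.0 {_TG} "Root=1-58337264-36d228ad5d99923122bbe356"',
    'http 2025-01-01T12:00:03.000000Z app/phi-alb/50dc6c495c0c9188 198.51.100.8:40002 '
    '10.0.2.15:8080 0.001 0.010 0.000 200 200 200 600 '
    '"GET http://api.example.com:80/v1/patients/lookup?patient_id=1001 HTTP/1.1" '
    f'"curl/8.0" - - {_TG} "Root=1-58337265-36d228ad5d99923122bbe357"',
]

if __name__ == "__main__":
    for idx, findings in scan_alb_log(SAMPLE_ALB_LINES):
        print(f"line {idx}:", "; ".join(findings))
```

Two practical notes. Anything this scanner finds is already in the access logs themselves, so a hit means the log bucket, CloudFront logs and any downstream SIEM now hold PHI and fall into scope too; fixing the API is step one, scrubbing the logs is step two. And the TLSv1.0 line is not hypothetical: the long-standing default listener policy ELBSecurityPolicy-2016-08 still accepts TLS 1.0, so pin the listener to a TLS 1.2-or-later policy explicitly.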

Evidence pipeline

How HIPAA on AWS evidence flows continuously

Audit Manager closed to new customers on 30 April 2026. Our pipeline is what we now ship.

AWS Config conformance pack — HIPAA

AWS-published conformance pack maps Config rules to HIPAA controls. Deploy via CloudFormation StackSets across your Organization.

Security Hub Essentials

Continuous standards checks (AWS FSBP, CIS, NIST 800-53 r5) feeding HIPAA-tagged findings into your GRC tool.

CloudTrail Lake — 6-year retention

PHI access events queryable in SQL; tamper-evident; meets HHS OCR audit log retention expectations.

GRC tool sync (Vanta / Drata / Secureframe)

Read-only AWS integration so your GRC dashboard reflects live AWS state — not point-in-time screenshots.

Engagement timeline

What you get, week by week

Date-bound engagement, not an open-ended retainer. Deliverables are itemised in the SOW.

Week 1 — Discovery
  • PHI data flow inventory (where it enters, where it lives, where it leaves)
  • AWS HIPAA-eligible services audit — flag any non-eligible service touching PHI
  • BAA inventory — AWS BAA on Artifact, downstream subprocessor BAAs reviewed

Weeks 2–3 — Gap Assessment
  • HIPAA Security Rule control gap report (§164.308 / §164.310 / §164.312 / §164.314 / §164.316)
  • IAM blast-radius analysis for PHI-handling roles
  • Encryption posture review — KMS-CMK coverage, key rotation, in-transit TLS versions

Weeks 4–7 — Remediation
  • IaC-driven hardening (Terraform or CDK) — IAM, encryption, network segmentation
  • Security Hub Essentials + Config HIPAA conformance pack deployed Org-wide
  • CloudTrail Lake event store provisioned with 6-year retention

Week 8 — Evidence Handoff
  • Control narratives mapped to HIPAA Security Rule references
  • Policy library (Information Security, Access Control, Incident Response, Vendor Management)
  • Risk-assessment workbook (HHS OCR Audit Protocol mapped)
  • GRC tool integration live — Vanta/Drata/Secureframe reflecting AWS state

FAQ

Frequently asked questions about HIPAA on AWS

The questions buyers ask before signing — assessor type, timeline, cost, and AWS-specific scope.

Is HIPAA certified on AWS, or just attested?
There is no HIPAA certification — for AWS, for you, or for anyone. HHS OCR enforces HIPAA reactively, usually after a breach is reported. AWS publishes a Business Associate Addendum (BAA) on AWS Artifact and has been audited under HITRUST CSF and SOC 2 Type II for the HIPAA-aligned controls — that is the strongest objective signal available. On the customer side, most platforms layer SOC 2 Type II + HIPAA mapping (or HITRUST r2 if a hospital partner requires it) as the closest thing to a certification an external auditor can give you.
Which AWS services are HIPAA-eligible — and which are not?
AWS publishes a HIPAA Eligible Services list (~150 services). The headline eligible services include S3, EC2, Lambda, RDS, DynamoDB, ECS, EKS, Bedrock (and AgentCore as of Feb 2026), SageMaker, KMS, CloudTrail, CloudWatch, EventBridge, Step Functions, ALB, CloudFront, API Gateway, Cognito, Macie, GuardDuty, Inspector v2, and Security Hub. Services that are not eligible, or only eligible for some features: AWS Glue DataBrew, Amazon Q for Business (eligibility varies by feature), and several preview-stage services. Eligibility also only covers the service as AWS operates it; how you configure and use it is still on you. Our gap assessment confirms eligibility for every service in your PHI data flow before remediation begins.
Do we need to encrypt PHI at rest, in transit, or both?
Both. §164.312(a)(2)(iv) and §164.312(e)(2)(ii) make encryption "addressable" rather than "required", which means you must either implement it or document why it is not reasonable and what equivalent measure you use instead. In practice every modern audit treats it as required, and PHI encrypted in line with HHS guidance falls under the Breach Notification Rule's safe harbor, while a lost unencrypted copy is a reportable breach. At rest: KMS-CMK on every service that touches PHI (S3, EBS, RDS, DynamoDB, EFS, Backup vaults). In transit: TLS 1.2+ on every endpoint, with TLS 1.3 and ML-KEM hybrid where the AWS SDK supports it (KMS, ACM, Secrets Manager since April 2026). Internal AWS-to-AWS PHI flows should use VPC endpoints or PrivateLink so they never traverse the public internet.
How does the BAA chain actually work?
AWS signs a BAA with you (downloadable on AWS Artifact). You sign downstream BAAs with anyone you share PHI with — third-party SaaS subprocessors, contractors, business associates. Each BAA must specify the permitted uses and disclosures of PHI, the safeguards required, and the breach notification timeline (the Breach Notification Rule's outer limit is 60 days from discovery; BAAs routinely require faster notice to the covered entity). We help you draft the technical-safeguard sections of downstream BAAs; your covered-entity attorney owns the legal terms and the Notice of Privacy Practices.
How do AI workloads (Bedrock, SageMaker) change HIPAA scope?
Bedrock has been HIPAA-eligible since 2023, and Bedrock AgentCore was added to the HIPAA Eligible Services list in February 2026. The compliance scope changes in three ways: (1) BAA boundaries shift — your BAA must reflect that a foundation model now processes PHI. (2) Audit log retention expands to include prompt and inference logs. (3) Bedrock Guardrails (PII redaction, denied topics, contextual grounding, Automated Reasoning) are HIPAA-eligible and become evidence for §164.312(a) access control and §164.312(b) audit control extensions. Confirm the specific model you call is HIPAA-eligible — most are, but some third-party models on Bedrock have opted out.
What does an HHS OCR investigation actually look like?
OCR investigations begin with a data request — usually triggered by a breach report, a complaint, or a random audit. They will ask for your risk analysis, your policies and procedures, your BAA inventory, your audit logs for the affected period, your training records, and your incident response documentation. The 2024 HIPAA Audit Program closed-out report from OCR found that 89% of audited entities had insufficient risk analysis documentation — that is the single most common finding. Our engagements produce the risk analysis as a continuously-updated document tied to Security Hub findings, so when OCR asks, you have a living artifact rather than a 12-month-old PDF.

Book a Free HIPAA Gap Assessment

2-week read-only assessment. We map your AWS environment to HIPAA Security Rule controls, flag the gaps, and show you the remediation path. No retainer commitment.