AWS HIPAA Compliance
Complete Implementation Guide
Build HIPAA-compliant healthcare applications on AWS. Learn about BAA signing, eligible services, architecture patterns, and implementation best practices.
AWS offers a Business Associate Addendum (BAA) through AWS Artifact — you must accept it before storing PHI, then restrict workloads to the 100+ HIPAA-eligible services it covers.
45 CFR Part 164 · HHS OCR · AWS BAA via AWS Artifact · Last reviewed June 2026
Direct Answer
To run HIPAA-regulated PHI on AWS, you accept the AWS Business Associate Addendum (BAA) through AWS Artifact and then restrict your workload to AWS's 100+ HIPAA-eligible services. Under the shared responsibility model AWS secures the underlying infrastructure, while you remain responsible for encryption, access control, audit logging, and your application — so eligibility alone does not make you compliant.
AWS Artifact
How to Sign AWS BAA
AWS offers a Business Associate Addendum (BAA) through AWS Artifact. You must sign this before storing PHI.
1. Sign into AWS Console: log in with admin credentials.
2. Navigate to AWS Artifact: go to AWS Artifact in the console.
3. Download BAA: download the AWS Business Associate Addendum.
4. Review Terms: review the BAA terms and conditions.
5. Accept Agreement: electronically accept the BAA.
6. Verify Coverage: ensure all services you use are HIPAA-eligible.
BAA Coverage
100+ HIPAA-Eligible AWS Services
AWS offers over 100 HIPAA-eligible services. Here are the most commonly used for healthcare applications:
| Category | Service | Description |
|---|---|---|
| Healthcare | AWS HealthLake | FHIR-based data store for healthcare data |
| Storage | Amazon S3 | Object storage with encryption at rest |
| Database | Amazon RDS | Managed relational databases (MySQL, PostgreSQL, SQL Server) |
| Compute | Amazon EC2 | Virtual servers with full control |
| Compute | AWS Lambda | Serverless compute for PHI processing |
| Database | Amazon DynamoDB | NoSQL database with encryption |
| Containers | Amazon ECS/EKS | Container orchestration services |
| Security | AWS KMS | Key management for encryption |
| Monitoring | Amazon CloudWatch | Logging and monitoring |
| Audit | AWS CloudTrail | API activity logging |
| Network | Amazon VPC | Isolated network environment |
| Backup | AWS Backup | Centralized backup service |
Note: for the complete list of HIPAA-eligible services, see the AWS HIPAA Eligible Services Reference.
Build It Right
AWS HIPAA Architecture Best Practices
Indicative Spend
AWS HIPAA Cost Estimates
Typical monthly costs for a small-to-medium healthcare application on AWS:
| Service | Estimated Cost | Usage |
|---|---|---|
| EC2 (t3.medium) | $30-50/month | Application server |
| RDS (db.t3.medium) | $50-80/month | Database |
| S3 Standard | $23/TB/month | PHI storage |
| CloudTrail | $2/100k events | Audit logging |
| KMS | $1/key/month | Encryption keys |
| AWS Backup | $0.05/GB/month | Backup storage |
Total Estimated Cost: $200-400/month for a basic HIPAA-compliant application. Costs scale with usage, data volume, and additional services.
8-Week Plan
AWS HIPAA Implementation Timeline
- Week 1-2, Planning & BAA: sign AWS BAA, design architecture, select HIPAA-eligible services.
- Week 3-4, Infrastructure Setup: configure VPC, set up encryption, implement IAM policies, enable logging.
- Week 5-6, Application Deployment: deploy applications, configure monitoring, set up backups, test disaster recovery.
- Week 7-8, Security & Compliance: security assessment, penetration testing, compliance documentation, training.
Who Owns What
AWS Shared Responsibility for HIPAA
AWS secures the cloud; you secure what you run in it. The split below shows who owns each control for a typical PHI workload — the customer-owned rows are where most compliance gaps appear.
| Control Area | Owner | What it covers |
|---|---|---|
| Physical data-center security | AWS | Facilities, hardware, and global infrastructure |
| Hypervisor & host isolation | AWS | Virtualization layer separating tenants |
| Managed-service patching | AWS | OS/runtime patching for managed services (e.g. RDS, Lambda) |
| Encryption configuration (KMS) | Customer | Enabling encryption at rest and in transit |
| IAM & access management | Customer | Least-privilege policies, MFA, key rotation |
| Audit logging (CloudTrail) | Customer | Turning on, retaining, and reviewing logs |
| Guest OS patching (EC2 / IaaS) | Customer | Patching the OS on instances you run |
| Application & data security | Customer | Secure code, input validation, PHI handling |
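The customer-owned rows above (service eligibility from the BAA steps, KMS encryption, CloudTrail logging, IAM least privilege) are the ones worth checking mechanically. The script below is an added example, not AWS code or part of this guide's tooling: it runs the checks over a constructed account snapshot whose dicts follow the shape of the boto3 `get_bucket_encryption`, `describe_trails`/`get_trail_status` and `get_policy_version` responses, so it works offline. The eligibility allowlist and the `PHI_DATA_PLANE` prefix set are placeholders I assume for illustration; the authoritative list is the AWS HIPAA Eligible Services Reference.

```python
"""Offline checks for the customer-owned rows of the AWS HIPAA shared
responsibility split: service eligibility, S3 encryption at rest,
CloudTrail audit logging and IAM least privilege.

Added example, not AWS code. Inputs are constructed dicts shaped like
the relevant boto3 responses so the script runs without an AWS account.
"""
from __future__ import annotations

from dataclasses import dataclass

# Placeholder allowlist (constructed); replace with the current AWS reference list.
HIPAA_ELIGIBLE_PLACEHOLDER = {
    "s3", "rds", "ec2", "lambda", "dynamodb", "ecs", "eks", "kms",
    "cloudwatch", "cloudtrail", "vpc", "backup", "healthlake",
}
# Service prefixes whose data-plane actions typically touch PHI (assumed heuristic).
PHI_DATA_PLANE = {"s3", "dynamodb", "rds", "healthlake"}


@dataclass(frozen=True)
class Finding:
    control: str   # row of the shared responsibility table
    resource: str  # service, bucket, trail or policy name
    message: str


def check_service_eligibility(services_in_use, allowlist=HIPAA_ELIGIBLE_PLACEHOLDER):
    """Every service that touches PHI must be covered by the BAA's eligibility list."""
    return [Finding("Service eligibility", s, "not on the HIPAA-eligible allowlist; keep PHI off it")
            for s in sorted(set(services_in_use)) if s.lower() not in allowlist]


def check_s3_encryption(buckets):
    """buckets: {name: get_bucket_encryption response, or None when no config exists}."""
    findings = []
    for name, resp in buckets.items():
        rules = (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        if not rules:
            findings.append(Finding("Encryption configuration (KMS)", name,
                                    "no default server-side encryption configured"))
    return findings


def check_cloudtrail(trails):
    """trails: describe_trails entries merged with IsLogging from get_trail_status."""
    if not trails:
        return [Finding("Audit logging (CloudTrail)", "(account)", "no trail configured")]
    findings = []
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append(Finding("Audit logging (CloudTrail)", "(account)",
                                "no multi-region trail is actively logging"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding("Audit logging (CloudTrail)", t["Name"],
                                    "log file validation disabled; audit record integrity is unverifiable"))
    return findings


def check_iam_policy(policy_name, document):
    """Flag Allow statements with wildcard actions or unscoped PHI data-plane access."""
    findings = []
    for i, stmt in enumerate(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(Finding("IAM & access management", policy_name,
                                    f"statement {i} allows wildcard actions {actions}"))
        elif "*" in resources and any(a.split(":")[0] in PHI_DATA_PLANE for a in actions):
            findings.append(Finding("IAM & access management", policy_name,
                                    f"statement {i} grants PHI data-plane actions on Resource '*'"))
    return findings


def audit(snapshot):
    """Run every check over an account snapshot and return the combined findings."""
    findings = check_service_eligibility(snapshot["services_in_use"])
    findings += check_s3_encryption(snapshot["buckets"])
    findings += check_cloudtrail(snapshot["trails"])
    for name, doc in snapshot["policies"].items():
        findings += check_iam_policy(name, doc)
    return findings


# Constructed snapshot (not real account data); ARNs use placeholder account and key ids.
CONSTRUCTED_SNAPSHOT = {
    "services_in_use": ["s3", "rds", "cloudtrail", "kms", "example-unlisted-service"],
    "buckets": {
        "phi-archive": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
        "phi-uploads": None,  # bucket created without default encryption
    },
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
                "LogFileValidationEnabled": False}],
    "policies": {"AppRolePolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::phi-archive/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ]}},
}

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_SNAPSHOT):
        print(f"[{f.control}] {f.resource}: {f.message}")
```

On the constructed snapshot the audit reports four findings, one per customer-owned control: an unlisted service, an unencrypted bucket, a trail without log file validation, and a wildcard `s3:*` statement. To run it against a real account you would replace the snapshot with live boto3 responses; the check functions do not change.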
HIPAA is enforced by the US Department of Health and Human Services — see the HHS HIPAA portal for the Security Rule, and the AWS HIPAA compliance page for the BAA.
Frequently Asked Questions
How do I sign the AWS HIPAA BAA?
AWS provides a self-serve Business Associate Addendum (BAA) through AWS Artifact in the AWS Management Console. An account administrator reviews and electronically accepts it. Once accepted, it applies to your account, and you should restrict PHI workloads to AWS HIPAA-eligible services.
Is AWS HIPAA certified?
AWS is not "HIPAA certified" — there is no such certification. Instead, AWS signs a BAA and publishes a list of HIPAA-eligible services. Compliance is shared: AWS secures the infrastructure, and you are responsible for configuring services correctly and documenting your controls through a Security Risk Assessment.
Which AWS services are HIPAA-eligible?
AWS lists 100+ HIPAA-eligible services, including AWS HealthLake, Amazon S3, RDS, EC2, Lambda, DynamoDB, EKS, KMS, CloudWatch, CloudTrail, and VPC. Eligibility changes over time, so always confirm a specific service against the current AWS HIPAA Eligible Services Reference before placing PHI on it.
What am I responsible for under the AWS shared responsibility model?
You are responsible for security "in" the cloud: encryption settings (via KMS), IAM and access control, CloudTrail audit logging, guest-OS patching on EC2, network isolation with VPC, backups, and your application code. AWS handles security "of" the cloud — the physical infrastructure, hardware, and hypervisor.
Does AWS HealthLake make my application HIPAA compliant?
No single service makes you compliant. AWS HealthLake is a HIPAA-eligible, FHIR-based data store, but you still must sign the BAA, configure encryption and access controls, enable audit logging, run a Security Risk Assessment, and execute BAAs with your US clients. The service is a building block, not a compliance guarantee.