AWS HIPAA Compliance Guide: BAA, Eligible Services & Implementation
If you're building a healthcare application on AWS and need HIPAA compliance, you're probably drowning in documentation, confused about which services are eligible, and wondering how to actually sign the Business Associate Agreement (BAA).
This guide cuts through the noise. We've architected 50+ HIPAA-compliant applications on AWS for healthcare startups, hospitals, and health tech companies. Here's everything you need to know.
What is AWS HIPAA Compliance?
HIPAA (Health Insurance Portability and Accountability Act) requires that Protected Health Information (PHI) be secured with specific administrative, physical, and technical safeguards. When you store or process PHI on AWS, you need:
- A signed Business Associate Agreement (BAA) with AWS
- HIPAA-eligible services only for any workload touching PHI
- Proper security controls (encryption, access controls, audit logging)
- Documentation of your compliance program
AWS doesn't make you HIPAA compliant automatically. It provides the infrastructure and tools—you're responsible for configuring them correctly.
How to Sign the AWS Business Associate Agreement (BAA)
The AWS BAA is available through AWS Artifact, a self-service portal for compliance documents. Here's the exact process:
Step 1: Sign into AWS Console
Log in with an account that has admin permissions. You need to be able to access AWS Artifact.
Step 2: Navigate to AWS Artifact
In the AWS Console, search for "AWS Artifact" or go to: https://console.aws.amazon.com/artifact
Step 3: Download the BAA
Click on "Agreements" → "AWS Business Associate Addendum" → Download the PDF to review the terms.
Step 4: Review the Terms
The BAA covers:
- AWS's responsibilities as a Business Associate
- Which services are HIPAA-eligible (100+ services)
- Your responsibilities as a Covered Entity or Business Associate
- Breach notification requirements
- Audit rights
Step 5: Accept the Agreement Electronically
Click "Accept Agreement" in AWS Artifact. This is legally binding and applies to your entire AWS account.
Step 6: Verify Coverage
After signing, verify that all services you're using are on the HIPAA-eligible services list. Using a non-eligible service with PHI violates HIPAA.
Important: The BAA must be signed BEFORE you store any PHI on AWS. Retroactive signing doesn't make past data compliant.
AWS HIPAA-Eligible Services: The Complete List
AWS offers 100+ HIPAA-eligible services. Here are the most commonly used for healthcare applications:
Compute Services
- Amazon EC2 - Virtual servers for application hosting
- AWS Lambda - Serverless compute for PHI processing
- Amazon ECS/EKS - Container orchestration
- AWS Batch - Batch processing workloads
Storage Services
- Amazon S3 - Object storage (most common for medical imaging, documents)
- Amazon EBS - Block storage for EC2 instances
- Amazon EFS - Shared file storage
- AWS Backup - Centralized backup service
Database Services
- Amazon RDS - Managed relational databases (MySQL, PostgreSQL, SQL Server, Oracle)
- Amazon DynamoDB - NoSQL database
- Amazon Aurora - High-performance MySQL/PostgreSQL
- Amazon DocumentDB - MongoDB-compatible database
Healthcare-Specific Services
- AWS HealthLake - FHIR-based data store for healthcare data (purpose-built for HIPAA)
- Amazon Comprehend Medical - NLP for medical text
- Amazon Transcribe Medical - Speech-to-text for medical conversations
Security & Compliance Services
- AWS KMS - Key management for encryption
- AWS CloudTrail - API activity logging (required for HIPAA audit trails)
- Amazon CloudWatch - Monitoring and logging
- AWS Config - Configuration compliance monitoring
- Amazon GuardDuty - Threat detection
- AWS Security Hub - Centralized security findings
Networking Services
- Amazon VPC - Isolated network environment (required for HIPAA)
- AWS PrivateLink - Private connectivity to AWS services
- AWS Direct Connect - Dedicated network connection
Full list: AWS HIPAA Eligible Services Reference
Warning: Services NOT on this list (like Amazon Lightsail, AWS Amplify, Amazon Chime) cannot be used with PHI, even if you sign the BAA.
AWS HIPAA Architecture Best Practices
Here's how to architect a HIPAA-compliant application on AWS:
1. Use VPC with Private Subnets
All PHI workloads should run in a VPC with private subnets. Public subnets should only contain load balancers and NAT gateways—never application servers with PHI access.
2. Enable Encryption at Rest
HIPAA requires encryption of PHI at rest. Use:
- S3: Enable default encryption with AWS KMS
- RDS: Enable encryption when creating the database (can't be added later)
- EBS: Enable encryption for all volumes
- DynamoDB: Enable encryption at rest
3. Enable Encryption in Transit
All PHI transmission must use TLS 1.2 or higher:
- Use Application Load Balancer with HTTPS listeners
- Configure RDS to require SSL connections
- Use VPC endpoints for S3/DynamoDB to avoid internet transit
4. Implement Least Privilege IAM Policies
Create role-based access control (RBAC) with IAM:
- Separate roles for developers, operators, and auditors
- Use IAM conditions to restrict access by IP, time, or MFA
- Enable MFA for all human users
- Use IAM roles for EC2 instances (never hardcode credentials)
5. Enable CloudTrail for All API Activity
HIPAA requires audit logs of all PHI access. Enable CloudTrail in all regions and send logs to a dedicated S3 bucket with:
- Encryption enabled
- MFA delete enabled
- Lifecycle policy to retain logs for 7 years (HIPAA requirement)
- CloudWatch Logs integration for real-time alerting
6. Use CloudWatch for Monitoring and Alerting
Set up CloudWatch alarms for:
- Failed login attempts
- Unauthorized API calls
- Changes to security groups or IAM policies
- Root account usage
- Encryption key deletion attempts
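The five alarm conditions above can be expressed as detection logic over CloudTrail records and tested offline before they are turned into CloudWatch metric filters. The following is an added example, not code from the original article: the field names (eventName, eventSource, errorCode, errorMessage, userIdentity, responseElements, eventType) follow the CloudTrail record format, and the sample log lines are constructed.

```python
import json

SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
              "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_POLICY_CHANGES = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "CreatePolicy", "DeletePolicy",
                      "CreatePolicyVersion", "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
                      "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy"}
KMS_KEY_DELETION = {"ScheduleKeyDeletion", "DisableKey"}


def classify(event: dict) -> list:
    """Return the alarm categories a CloudTrail record matches (zero or more)."""
    name, ident = event.get("eventName", ""), event.get("userIdentity", {})
    err = event.get("errorCode", "")
    hits = []
    # Failed console login: either form appears in CloudTrail records.
    if name == "ConsoleLogin" and (event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
                                   or event.get("errorMessage") == "Failed authentication"):
        hits.append("failed_login")
    if err.startswith("AccessDenied") or err.endswith("UnauthorizedOperation"):
        hits.append("unauthorized_api_call")
    if name in SG_CHANGES:
        hits.append("security_group_change")
    if name in IAM_POLICY_CHANGES:
        hits.append("iam_policy_change")
    # Root usage: identity type Root, not invoked by a service, not an AWS service event.
    if ident.get("type") == "Root" and "invokedBy" not in ident and event.get("eventType") != "AwsServiceEvent":
        hits.append("root_account_usage")
    if event.get("eventSource") == "kms.amazonaws.com" and name in KMS_KEY_DELETION:
        hits.append("kms_key_deletion")
    return hits


def alarm_counts(log_lines) -> dict:
    """Tally alarm hits over an iterable of CloudTrail JSON lines (one record per line)."""
    counts = {}
    for line in log_lines:
        for cat in classify(json.loads(line)):
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample records (not from a real account), one per line.
SAMPLE_LINES = [
    '{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser"},"responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventName":"GetObject","eventSource":"s3.amazonaws.com","userIdentity":{"type":"AssumedRole"},"errorCode":"AccessDenied"}',
    '{"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"Root"}}',
    '{"eventName":"ScheduleKeyDeletion","eventSource":"kms.amazonaws.com","userIdentity":{"type":"IAMUser"}}',
    '{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"Root","invokedBy":"cloudformation.amazonaws.com"}}',
]
```

The last sample shows why the root check excludes `invokedBy`: a root-owned service call made on the account's behalf should not page anyone, while the third sample (root changing a security group) trips two alarms at once.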
7. Enable S3 Bucket Versioning and MFA Delete
For S3 buckets containing PHI:
- Enable versioning to prevent accidental deletion
- Enable MFA delete to require multi-factor authentication for permanent deletion
- Block public access at the bucket and account level
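The PHI-bucket controls above, the KMS default encryption from section 2, and the retention rule for the CloudTrail bucket in section 5 can be checked together from a bucket's configuration. This is an added example, not code from the original article: it takes dicts in the shapes that boto3's get_bucket_encryption, get_bucket_versioning, get_public_access_block and get_bucket_lifecycle_configuration return, and the two sample configurations are constructed.

```python
# Added example, not the article's code. Input dicts use the shapes boto3 returns from
# get_bucket_encryption, get_bucket_versioning, get_public_access_block and
# get_bucket_lifecycle_configuration, so those responses can be passed in directly.
SEVEN_YEARS_DAYS = 7 * 365


def check_phi_bucket(encryption, versioning, public_access_block, lifecycle=None,
                     min_retention_days=None) -> list:
    """Return findings; an empty list means every control above is satisfied."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append("default encryption is not SSE-KMS")
    elif not default.get("KMSMasterKeyID"):
        findings.append("SSE-KMS has no customer-managed key specified")
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete is not enabled")
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag):
            findings.append(f"public access block setting {flag} is off")
    if min_retention_days is not None:
        # An enabled lifecycle rule that expires objects before the retention floor
        # would purge audit logs early (the 90-day mistake the article warns about).
        for rule in (lifecycle or {}).get("Rules", []):
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days < min_retention_days:
                findings.append(f"lifecycle rule {rule.get('ID', '?')} expires objects after {days} days")
    return findings


# Constructed sample: a PHI bucket with every control in place.
GOOD = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    versioning={"Status": "Enabled", "MFADelete": "Enabled"},
    public_access_block={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
)
# Constructed sample: a CloudTrail log bucket with SSE-S3 only, no MFA delete, and a 90-day expiry rule.
BAD = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    versioning={"Status": "Enabled"},
    public_access_block={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    lifecycle={"Rules": [{"ID": "expire-90d", "Status": "Enabled", "Filter": {}, "Expiration": {"Days": 90}}]},
)
```

Pass `min_retention_days=SEVEN_YEARS_DAYS` only for the audit-log bucket; PHI buckets are checked without a retention floor since their lifecycle rules are a business decision rather than a log-retention requirement.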
8. Implement Automated Backup with AWS Backup
HIPAA requires data availability and disaster recovery:
- Use AWS Backup to centralize backup policies
- Set retention periods (typically 7 years for HIPAA)
- Test restore procedures quarterly
- Enable cross-region backup for disaster recovery
9. Use AWS Config for Compliance Monitoring
AWS Config continuously monitors your resources for compliance:
- Enable AWS Config rules for HIPAA (e.g., encrypted-volumes, s3-bucket-public-read-prohibited)
- Set up automatic remediation for non-compliant resources
- Generate compliance reports for auditors
10. Enable GuardDuty for Threat Detection
GuardDuty uses machine learning to detect threats:
- Compromised instances
- Reconnaissance activity
- Unauthorized data access
- Cryptocurrency mining
AWS HIPAA Cost Estimates
Here's what a typical HIPAA-compliant application costs on AWS (small-to-medium healthcare startup):
| Service | Configuration | Monthly Cost |
|---|---|---|
| EC2 (Application Server) | t3.medium (2 vCPU, 4GB RAM) | $30-50 |
| RDS (Database) | db.t3.medium PostgreSQL | $50-80 |
| S3 (PHI Storage) | 1TB Standard storage | $23 |
| CloudTrail | 100k events/month | $2 |
| KMS | 5 customer-managed keys | $5 |
| AWS Backup | 100GB backup storage | $5 |
| GuardDuty | Threat detection | $10-20 |
| VPC, CloudWatch, Config | Networking & monitoring | $20-30 |
| Total | | $200-400/month |
Scaling costs:
- 10,000 users: $500-800/month
- 100,000 users: $2,000-5,000/month
- 1M+ users: $10,000-50,000/month
Costs scale primarily with data storage (S3), database size (RDS), and compute (EC2/Lambda).
AWS HIPAA Implementation Timeline
Here's a realistic 8-week timeline to go from zero to HIPAA-compliant on AWS:
Week 1-2: Planning & BAA
- Sign AWS BAA through AWS Artifact
- Design architecture (VPC, subnets, security groups)
- Select HIPAA-eligible services
- Document data flows and PHI storage locations
- Create IAM roles and policies
Week 3-4: Infrastructure Setup
- Create VPC with public/private subnets
- Set up encryption (KMS keys, S3 encryption, RDS encryption)
- Configure IAM policies and roles
- Enable CloudTrail, CloudWatch, AWS Config
- Set up VPC endpoints for S3/DynamoDB
- Configure security groups and NACLs
Week 5-6: Application Deployment
- Deploy application to EC2/ECS/Lambda
- Configure RDS with SSL enforcement
- Set up Application Load Balancer with HTTPS
- Configure CloudWatch alarms
- Set up AWS Backup policies
- Test disaster recovery procedures
Week 7-8: Security & Compliance
- Run AWS Config compliance checks
- Conduct security assessment (penetration testing)
- Document all security controls
- Create incident response plan
- Train team on HIPAA requirements
- Conduct internal audit
Ongoing: Quarterly compliance reviews, annual risk assessments, continuous monitoring.
Common AWS HIPAA Mistakes to Avoid
1. Using Non-Eligible Services
We've seen companies accidentally use Amazon Lightsail, AWS Amplify, or Amazon Chime with PHI. These are NOT HIPAA-eligible. Always check the official list.
2. Not Enabling Encryption on RDS
RDS encryption must be enabled at database creation. You can't add it later without migrating data. This is a common mistake that requires rebuilding the database.
3. Storing PHI in CloudWatch Logs
CloudWatch Logs is HIPAA-eligible, but you need to ensure PHI isn't logged in plaintext. Implement log scrubbing or use structured logging with PHI redaction.
4. Not Retaining Logs for 7 Years
HIPAA requires 6-year retention (7 years to be safe). Set S3 lifecycle policies on your CloudTrail bucket to retain logs rather than expire them after 90 days.
5. Forgetting About Backups
HIPAA requires data availability. Set up automated backups with AWS Backup and TEST restore procedures. We've seen companies with backups that don't actually work.
Need Help with AWS HIPAA Compliance?
We've architected 50+ HIPAA-compliant applications on AWS for healthcare startups, hospitals, and health tech companies. Our team can help you:
- Design HIPAA-compliant AWS architecture
- Implement security controls (encryption, IAM, logging)
- Set up monitoring and alerting
- Conduct security assessments and penetration testing
- Prepare for HIPAA audits
- Optimize costs while maintaining compliance
Get expert help with AWS HIPAA compliance - free 30-minute consultation to assess your needs.
Related Resources:
- AWS HIPAA Compliance Landing Page
- Compare AWS vs Azure vs GCP for HIPAA
- HIPAA Security Rule Assessment Hub
Written by the compliance team at Tranquility Cybersecurity & Assurance. We've helped 200+ companies achieve HIPAA compliance on AWS, Azure, and GCP.