Organizations in healthcare and life sciences increasingly rely on Amazon Web Services (AWS) to store, process, and transmit protected health information (PHI). But moving to the cloud introduces a new challenge: ensuring your AWS environment meets HIPAA compliance requirements.

In this guide, we break down the essentials of AWS HIPAA compliance, what AWS actually takes responsibility for, what remains on you, and how to build a secure, audit-ready architecture—without slowing down your team.

---

What HIPAA Requires (and What AWS Doesn’t Do for You)

HIPAA establishes rules for protecting PHI, but it doesn’t prescribe exact cloud configurations. Instead, you must implement “administrative, technical, and physical safeguards.” On AWS, this splits into two domains:

1. AWS’s Responsibilities (Shared Responsibility Model)

AWS provides:

• Physical data center security
• Underlying host infrastructure
• Hypervisor and hardware
• Certifications & compliance documentation
• HIPAA-eligible managed services

AWS ensures the underlying platform can be used in a HIPAA-compliant manner.

2. Your Responsibilities

You must configure your environment correctly by enforcing:

• Access controls
• Encryption in transit and at rest
• Audit logging & monitoring
• Network segmentation
• Backup & disaster recovery
• Least privilege IAM
• Proper PHI handling in application code

Most HIPAA compliance failures on AWS happen due to customer misconfiguration—not AWS.

---

AWS Services That Are HIPAA Eligible

To process PHI, AWS requires you to use only HIPAA-eligible services covered under their Business Associate Addendum (BAA). Popular examples include:

• Amazon EC2
• Amazon S3
• AWS Lambda
• Amazon RDS (including Aurora)
• Amazon DynamoDB
• Amazon API Gateway
• Amazon CloudWatch
• AWS Systems Manager
• Amazon VPC
• Amazon EBS
• Amazon SNS/SQS
• AWS Secrets Manager
• AWS Shield and WAF

A full list is available in AWS Artifact after signing the BAA, but these services form the foundation of most HIPAA workloads.

---

Step-by-Step: How to Architect for AWS HIPAA Compliance

Below is a practical, real-world checklist you can use to ensure your environment aligns with HIPAA’s Security Rule.

---

1. Sign the AWS BAA Before Uploading Any PHI

You must sign the Business Associate Addendum (BAA) with AWS before storing or transmitting PHI.
This is non-negotiable and forms the legal foundation of your compliance posture.

You can enable the BAA directly in the AWS Console under AWS Artifact.

---

2. Use HIPAA-Eligible Services Only

Do not store or process PHI in services not on the HIPAA-eligible list.
Common mistakes include:

• Storing PHI in CloudWatch logs without encryption
• Using non-eligible analytics services
• Sending PHI through unapproved Lambda destinations

Build guardrails to ensure developers use only HIPAA-approved building blocks.

---

3. Enforce End-to-End Encryption

You must protect PHI:

• At rest using KMS-managed CMKs
• In transit using TLS 1.2+
• Between AWS services (VPC Endpoints, PrivateLink)

Avoid customer-managed keys unless your security program requires them; AWS KMS with rotated CMKs is typically sufficient.

---

4. Implement Strict IAM & Least Privilege

HIPAA requires strict access controls to PHI.
AWS-specific best practices include:

• Use IAM Roles instead of Access Keys
• Enforce MFA on all human users
• Limit IAM permissions to least privilege
• Use AWS SSO or an identity provider (Okta, Azure AD)
• Enable IAM Access Analyzer

Avoid sprawling IAM policies—this is one of the top causes of HIPAA violations.

---

5. Use VPC Isolation & Network Segmentation

Place HIPAA workloads in isolated VPCs and use:

• Private subnets
• Security Groups with least privilege
• NACLs to restrict lateral movement
• VPC Endpoints for S3, DynamoDB, Secrets Manager
• No public-IP EC2 instances unless absolutely required

Network segmentation reduces blast radius and is expected by HIPAA auditors.

---

6. Centralize Logging & Monitor for Compliance Drift

HIPAA requires audit logs and ongoing monitoring.
On AWS, this means:

• CloudTrail enabled across all regions
• CloudWatch Logs for all infrastructure components
• GuardDuty for threat detection
• AWS Config for configuration drift
• Security Hub for consolidated insights

Retention is key. HIPAA requires logs be available for six years (or per your internal policy).

---

7. Enable Automated Backups & Disaster Recovery

PHI must remain available even during disruptions.
AWS-native tools help you meet this requirement:

• RDS automated backups
• EBS Snapshots
• S3 versioning
• Cross-region replication
• Route 53 DNS failover
• Multi-AZ architecture for critical services

Documenting DR procedures is as important as implementing them.

---

8. Document Everything

HIPAA compliance = documentation + implementation.
Your team should maintain:

• Architecture diagrams
• Data-flow diagrams
• Access control policies
• Incident response procedures
• Backup & DR plans
• System hardening guides
• Risk assessments

Documentation must be reviewed annually (or more often for high-risk systems).

---

Common AWS HIPAA Compliance Mistakes to Avoid

Even experienced teams make these errors:

• Storing PHI in non-HIPAA services
• Leaving S3 buckets public
• Missing encryption on EBS volumes
• Excessive IAM permissions
• No centralized logging
• DR plans that exist only “in theory”
• No regular vulnerability scans
• Lambda functions writing PHI to non-encrypted logs
• Lack of configuration guardrails

Avoiding these mistakes dramatically reduces your audit fatigue.

---

How Absolute Ops Helps You Stay AWS HIPAA Compliant

Absolute Ops provides a free cloud audit that examines your AWS environment against common risk areas, including:

• Cost and Efficiency
• Security and Governance
• Availability and Resilience
• Performance and Scalability
• Best Practices and Cloud Maturity

This will provide a strong foundation to start your HIPAA compliance journey on. We can also provide additional audit services analyzing your actual HIPAA posture.

You get a prioritized action plan showing where PHI is at risk, where cost is leaking, and how to strengthen your architecture.

Whether you're preparing for HIPAA, HITRUST, SOC 2, or internal compliance, we help you stay secure, available, and audit-ready.

---

Final Thoughts

Achieving HIPAA compliance on AWS isn’t about checking boxes—it’s about building a secure, resilient, cost-efficient environment that protects patient data at every layer.

With the right architecture, guardrails, and monitoring in place, AWS offers one of the most secure platforms for healthcare workloads.

If you want help evaluating your cloud against HIPAA requirements, Absolute Ops can run a free audit and provide clear next steps.

---

Need help with AWS HIPAA compliance? Start with a free audit today.