Many healthcare organizations want to move workloads to AWS but stall because they’re uncertain how to maintain HIPAA compliance in the cloud. The good news: AWS provides the tools and certifications needed for HIPAA-eligible services. The challenge is implementing them correctly.

AWS has been HIPAA-eligible since 2013 and currently offers over 150 services that can be used in HIPAA-compliant architectures. But eligibility doesn’t equal compliance. The responsibility for meeting HIPAA requirements is shared between AWS (securing the underlying infrastructure) and your organization (configuring services correctly and managing access appropriately).

Start with the Business Associate Agreement

Before any ePHI touches AWS infrastructure, you need an executed Business Associate Agreement (BAA) with AWS. This isn’t optional. Under HIPAA, any entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity is a business associate and requires a BAA.

AWS offers a standard BAA through AWS Artifact at no additional cost. Access it through the AWS Management Console, review the terms, and accept it for each AWS account that will handle ePHI. The AWS HIPAA Eligible Services Reference lists which services are covered under the BAA, and this list updates regularly as AWS adds new services.

Key point: only use HIPAA-eligible services for ePHI workloads. If a service isn’t on the eligible list, it’s not covered by the BAA, and using it for ePHI creates compliance exposure.

Encryption Requirements: Data at Rest and in Transit

HIPAA requires appropriate safeguards for ePHI, and encryption is the most straightforward way to meet this requirement. AWS provides native encryption capabilities for eligible services, but you need to enable and configure them correctly.

Data at rest: Enable encryption for all storage services handling ePHI. For Amazon S3, use server-side encryption with AWS Key Management Service (SSE-KMS) rather than SSE-S3, as KMS provides better key management controls and audit capabilities. For Amazon RDS and Amazon EBS, enable encryption at volume creation since you cannot encrypt existing unencrypted volumes in place. Amazon DynamoDB offers encryption at rest by default for new tables.

Data in transit: Enforce TLS 1.2 or higher for all data transmission. Configure S3 bucket policies to deny requests that don’t use HTTPS. Use AWS Certificate Manager to provision and manage SSL/TLS certificates for load balancers and CloudFront distributions. For internal communications between services, use VPC endpoints to keep traffic within the AWS network rather than traversing the public internet.

Key management: AWS KMS provides centralized key management with automatic rotation and detailed audit logs. Create customer-managed keys (CMKs) for ePHI workloads rather than using AWS-managed keys, as CMKs give you greater control over key policies and rotation schedules. The AWS KMS documentation provides detailed guidance on key management best practices.
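The three controls above (HTTPS only, TLS 1.2 or higher, SSE-KMS with a customer managed key) can all be expressed in one S3 bucket policy. The following is an added example, not code from the original post or from Opti9: it builds that policy and then evaluates constructed request contexts against it offline, so you can confirm the policy denies what it should before attaching it. The bucket name, account id and key ARN are placeholders; the condition keys (aws:SecureTransport, s3:TlsVersion, s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id) are the real IAM keys.

```python
"""Added example (not from the original post): build the S3 bucket policy that
enforces the transport and encryption controls described above, then evaluate
constructed request contexts against it offline.  Bucket name, account id and
key ARN are placeholders."""
import json
from typing import Optional

BUCKET = "example-ephi-bucket"  # placeholder bucket name
# Placeholder ARN of the customer managed key dedicated to this ePHI workload
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"


def build_ephi_bucket_policy(bucket: str, cmk_arn: str) -> dict:
    """Deny plaintext transport, TLS below 1.2, and uploads not encrypted with the CMK."""
    arn = f"arn:aws:s3:::{bucket}"
    both = [arn, f"{arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # any request that did not arrive over HTTPS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": both,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # HTTPS requests negotiated below TLS 1.2
                "Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": both,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
            },
            {   # uploads that are not SSE-KMS (an upload with no header is also denied)
                "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # SSE-KMS uploads that name a key other than the ePHI CMK
                "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": cmk_arn}},
            },
        ],
    }


def _condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Evaluate one condition entry against a request context.  As in IAM, a
    negated operator (StringNotEquals) matches when the key is absent from the
    request; the positive operators do not."""
    actual = ctx.get(key)
    if operator == "Bool":
        return actual is not None and str(actual).lower() == expected.lower()
    if operator == "NumericLessThan":
        return actual is not None and float(actual) < float(expected)
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator {operator}")


def _action_matches(pattern: str, action: str) -> bool:
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))


def denied_by(policy: dict, action: str, ctx: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement whose conditions all hold for
    this action and request context, or None if nothing denies it.  Resource
    matching is omitted because every statement targets the same bucket."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            return stmt["Sid"]
    return None


POLICY = build_ephi_bucket_policy(BUCKET, CMK_ARN)

# Constructed request contexts, shaped like the condition keys IAM sees per request
SAMPLE_REQUESTS = {
    "get over plain http": ("s3:GetObject", {"aws:SecureTransport": "false"}),
    "get over tls 1.1": ("s3:GetObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.1"}),
    "put without sse header": ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}),
    "put with sse-s3": ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2",
                                         "s3:x-amz-server-side-encryption": "AES256"}),
    "put with wrong cmk": ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3",
                                            "s3:x-amz-server-side-encryption": "aws:kms",
                                            "s3:x-amz-server-side-encryption-aws-kms-key-id":
                                                "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"}),
    "compliant put": ("s3:PutObject", {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3",
                                       "s3:x-amz-server-side-encryption": "aws:kms",
                                       "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN}),
}


def evaluate_samples() -> dict:
    """Map each sample request to the Sid that denies it (None: not denied by this policy)."""
    return {name: denied_by(POLICY, action, ctx) for name, (action, ctx) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, sid in evaluate_samples().items():
        print(f"{name:26s} -> {sid or 'not denied'}")
```

The evaluator is deliberately minimal (no resource or principal matching, only the three operators the policy uses); its purpose is to make the deny semantics visible, in particular that StringNotEquals matches when the header is missing, which is why an upload with no encryption header is denied rather than silently falling back to whatever default encryption the bucket has.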

Access Controls: Least Privilege and Strong Authentication

HIPAA’s access control requirements translate directly to AWS Identity and Access Management (IAM) configuration. The principle of least privilege should guide every IAM policy: grant only the permissions necessary for each user, role, or service to perform its specific function.

IAM best practices for HIPAA: Avoid using the root account for daily operations. Create individual IAM users for each person who needs AWS access. Use IAM roles for applications and services rather than embedding credentials. Implement permission boundaries to limit the maximum permissions that can be granted to users or roles.

Multi-factor authentication (MFA): Enable MFA for all IAM users, especially those with console access or administrative privileges. The Change Healthcare breach in 2024 succeeded partly because the compromised Citrix portal lacked MFA protection, contributing to what became the largest healthcare data breach in history affecting an estimated 190 million individuals according to the HHS breach portal.

Service control policies: For organizations using AWS Organizations, implement service control policies (SCPs) to establish guardrails across all accounts. SCPs can prevent the use of non-HIPAA-eligible services, enforce encryption requirements, or restrict regions where resources can be deployed.
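The SCP guardrails and the least-privilege review described in this section are easier to reason about with concrete policy documents. The following is an added example, not code from the original post or from Opti9: it generates an SCP that restricts regions, blocks a list of services, requires EBS volumes to be encrypted at creation and protects CloudTrail and Config from being switched off, and it includes a small linter that flags IAM Allow statements with wildcard actions or resources, or IAM permissions granted without an MFA condition. The region list, the blocked service prefixes, the account id and both sample policies are constructed placeholders; populate the blocked list from the AWS HIPAA Eligible Services Reference for your own organization.

```python
"""Added example (not from the original post): an SCP guardrail generator and a
least-privilege linter for IAM policies.  Regions, service prefixes, account id
and sample policies are constructed placeholders."""
import json

APPROVED_REGIONS = ["us-east-1", "us-west-2"]  # placeholder: regions in scope for your ePHI workloads
# Placeholder action prefixes; fill from the AWS HIPAA Eligible Services Reference
BLOCKED_SERVICE_PREFIXES = ["nonEligibleServiceA:*", "nonEligibleServiceB:*"]
# Global services report us-east-1 as aws:RequestedRegion, so exempt them (abbreviated list)
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                          "route53:*", "support:*", "budgets:*"]


def build_guardrail_scp(regions: list, blocked_prefixes: list) -> dict:
    """Deny activity outside approved regions, block listed services, require EBS
    encryption at creation, and stop anyone turning off the audit trail."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
             "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}}},
            {"Sid": "DenyNonEligibleServices", "Effect": "Deny",
             "Action": blocked_prefixes, "Resource": "*"},
            {"Sid": "DenyUnencryptedEbsVolumes", "Effect": "Deny",
             "Action": "ec2:CreateVolume", "Resource": "*",
             "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
            {"Sid": "ProtectAuditTrail", "Effect": "Deny",
             "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                        "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
             "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _requires_mfa(stmt: dict) -> bool:
    cond = stmt.get("Condition", {})
    return str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def lint_iam_policy(policy: dict) -> list:
    """Return findings for Allow statements that are broader than least privilege
    or that grant IAM/administrative rights without an MFA condition."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API in every service")
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(f"{sid}: service-wide wildcard '{a}'")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to specific ARNs")
        admin_like = "*" in actions or any(a.startswith("iam:") for a in actions)
        if admin_like and not _requires_mfa(stmt):
            findings.append(f"{sid}: IAM/administrative permissions without an "
                            "aws:MultiFactorAuthPresent condition")
    return findings


# Constructed sample: the "it's easier" policy the text warns against
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: scoped to one bucket, one CMK, and the caller's own keys behind MFA
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadWriteEphiBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-ephi-bucket/*"},
    {"Sid": "UseEphiCmk", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
    {"Sid": "RotateOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}


if __name__ == "__main__":
    print(json.dumps(build_guardrail_scp(APPROVED_REGIONS, BLOCKED_SERVICE_PREFIXES), indent=2))
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_iam_policy(pol) or ["no findings"])
```

The linter is a first-pass check, not a substitute for IAM Access Analyzer, but it catches the two patterns that most often undermine least privilege in practice: a service-wide or global wildcard, and a resource of "*" where a bucket, key or role ARN would do. Note that an SCP only bounds what principals in the account can do; it grants nothing, so the DenyOutsideApprovedRegions statement still needs the NotAction exemption for global services that always report us-east-1.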

Audit Logging: Creating the Compliance Trail

HIPAA requires audit controls to record and examine activity in systems containing ePHI. AWS provides multiple services that work together to create a comprehensive audit trail.

AWS CloudTrail: Enable CloudTrail in all regions and configure it to log to a centralized S3 bucket with encryption and versioning enabled. CloudTrail captures API calls across your AWS accounts, showing who did what, when, and from where. For HIPAA compliance, retain logs for at least six years, the standard retention period for HIPAA-related records.

Amazon CloudWatch: Use CloudWatch Logs to capture application-level logging from EC2 instances, containers, and Lambda functions. CloudWatch alarms can alert you to suspicious activity patterns or configuration changes that might affect compliance.

AWS Config: Enable AWS Config to track resource configurations over time and evaluate them against compliance rules. AWS provides managed rules that align with HIPAA requirements, or you can create custom rules for organization-specific policies. Config provides the evidence trail that demonstrates continuous compliance, not just point-in-time assessments.

VPC Flow Logs: Enable flow logs for VPCs handling ePHI to capture network traffic metadata. This data helps with security analysis, troubleshooting, and demonstrating appropriate network controls during compliance audits.
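Collecting CloudTrail, Config and flow logs only creates a compliance trail if someone looks at it, and the events that matter most are the ones that weaken the controls in this section: a trail stopped, a recorder deleted, bucket encryption removed, a KMS key disabled, flow logs deleted, or a console login without MFA. The following is an added example, not code from the original post or from Opti9: simple detection logic that runs over CloudTrail-style JSON records and returns findings suitable for a CloudWatch alarm or ticket. The six records are constructed samples (placeholder account 111122223333, documentation-range IP addresses) shaped like real CloudTrail output.

```python
"""Added example (not from the original post): detection rules over CloudTrail
records for events that weaken audit or encryption controls.  The sample records
are constructed (placeholder account 111122223333, documentation-range IPs)."""
import json

# API calls, by event source, that disable or weaken an audit or encryption control
CONTROL_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion", "DisableKeyRotation"},
    "s3.amazonaws.com": {"DeleteBucketEncryption", "DeleteBucketPolicy", "PutBucketAcl"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
}

# Constructed sample records, one JSON object per line as CloudTrail delivers to CloudWatch Logs
SAMPLE_LOG_LINES = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"name":"org-trail"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::111122223333:user/bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-05-01T10:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.25","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}}
{"eventTime":"2024-05-01T10:09:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucketEncryption","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"carol","arn":"arn:aws:iam::111122223333:user/carol"},"requestParameters":{"bucketName":"example-ephi-bucket"}}
{"eventTime":"2024-05-01T10:11:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::111122223333:user/alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
"""


def parse_records(text: str) -> list:
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _actor(evt: dict) -> str:
    ident = evt.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def evaluate_event(evt: dict) -> list:
    """Return the names of the rules that fire for one record (empty if none)."""
    rules = []
    src, name = evt.get("eventSource"), evt.get("eventName")
    if name in CONTROL_TAMPERING.get(src, ()):
        rules.append("control_tampering")
    # A successful console sign-in where MFA was not used
    if (name == "ConsoleLogin"
            and evt.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and evt.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        rules.append("console_login_without_mfa")
    # Any root activity: the text says root should not be used for daily operations
    if evt.get("userIdentity", {}).get("type") == "Root":
        rules.append("root_account_activity")
    return rules


def scan(records: list) -> list:
    """Flatten rule hits into findings with the fields an analyst needs first."""
    findings = []
    for evt in records:
        for rule in evaluate_event(evt):
            findings.append({"rule": rule, "time": evt.get("eventTime"),
                             "event": evt.get("eventName"), "actor": _actor(evt),
                             "source_ip": evt.get("sourceIPAddress"),
                             "region": evt.get("awsRegion")})
    return findings


if __name__ == "__main__":
    for f in scan(parse_records(SAMPLE_LOG_LINES)):
        print(f"[{f['rule']}] {f['time']} {f['event']} by {f['actor']} from {f['source_ip']}")
```

In production the same rules map cleanly onto CloudWatch Logs metric filters or EventBridge rules on the CloudTrail event stream; the point of the offline version is that the rule set is reviewable and testable against known-bad records before it goes live, which is also the evidence an auditor will ask for when you claim the audit trail is monitored rather than merely collected.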

Network Architecture for HIPAA Workloads

Proper network segmentation isolates ePHI workloads and limits the blast radius of any security incident.

VPC design: Create dedicated VPCs for HIPAA workloads rather than mixing them with non-regulated systems. Use private subnets for databases and application servers, with public subnets only for load balancers and bastion hosts that require internet accessibility. Implement multiple availability zones for resilience.

Security groups and NACLs: Configure security groups as the primary network access control, allowing only necessary traffic between tiers. Use network access control lists (NACLs) as an additional layer for subnet-level controls. Document the purpose of each rule and review the rules regularly.

VPC endpoints: Use VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints for other services) to access AWS services without sending traffic over the public internet. This reduces exposure and simplifies compliance by keeping ePHI traffic within the AWS network.
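Reviewing security group rules "regularly" is only practical if the intended design is written down in a form a script can check. The following is an added example, not code from the original post or from Opti9: it encodes the tiered design described above (load balancer, application, database) as a small policy and reviews security group definitions against it, flagging ports that are not documented for the tier, internet-facing rules anywhere but the load balancer tier, and database or application rules that use a CIDR source instead of referencing the upstream tier's security group. The group ids, names and rules are constructed samples shaped like the output of the EC2 DescribeSecurityGroups API.

```python
"""Added example (not from the original post): review security group ingress
rules against a documented tier design.  Group ids, names, ports and CIDRs are
constructed placeholders shaped like EC2 DescribeSecurityGroups output."""

INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed tier design: which group is which tier, what each tier may accept,
# and which tier each may accept traffic from (by security group reference)
TIER_OF = {"sg-0alb0000": "alb", "sg-0app0000": "app", "sg-0db00000": "db"}
TIER_RULES = {
    "alb": {"ports": {443}, "internet_ok": True},
    "app": {"ports": {8443}, "internet_ok": False},
    "db": {"ports": {5432}, "internet_ok": False},
}
ALLOWED_UPSTREAM = {"alb": set(), "app": {"alb"}, "db": {"app"}}

# Constructed sample groups; the comments mark the rules the review should catch
SAMPLE_GROUPS = [
    {"GroupId": "sg-0alb0000", "GroupName": "ephi-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,                # plaintext port
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0app0000", "GroupName": "ephi-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb0000"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,                # SSH from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0db00000", "GroupName": "ephi-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app0000"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,            # CIDR instead of SG ref
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ]},
]


def review_security_groups(groups: list) -> list:
    """Return one finding string per rule that departs from the documented tier design."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        tier = TIER_OF.get(gid)
        if tier is None:
            findings.append(f"{gid}: not assigned to a documented tier")
            continue
        for perm in g.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if perm.get("IpProtocol") == "-1" or lo is None:
                findings.append(f"{gid}: rule allows all protocols and ports")
                continue
            if lo != hi or lo not in TIER_RULES[tier]["ports"]:
                findings.append(f"{gid}: port range {lo}-{hi} is not a documented {tier}-tier port")
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr in INTERNET and not TIER_RULES[tier]["internet_ok"]:
                    findings.append(f"{gid}: port {lo} open to the internet ({cidr}) on the {tier} tier")
                elif tier != "alb" and cidr not in INTERNET:
                    findings.append(f"{gid}: port {lo} uses CIDR source {cidr}; reference the "
                                    f"upstream tier's security group instead")
            for pair in perm.get("UserIdGroupPairs", []):
                src_tier = TIER_OF.get(pair.get("GroupId"))
                if src_tier not in ALLOWED_UPSTREAM[tier]:
                    findings.append(f"{gid}: port {lo} accepts traffic from {pair.get('GroupId')} "
                                    f"({src_tier or 'unknown tier'}), not an allowed upstream of {tier}")
    return findings


if __name__ == "__main__":
    for line in review_security_groups(SAMPLE_GROUPS) or ["no findings"]:
        print(line)
```

Feeding real groups in is a matter of replacing SAMPLE_GROUPS with the SecurityGroups list returned by DescribeSecurityGroups for the HIPAA VPC; the tier tables then double as the rule documentation the text asks for, and a non-empty findings list is the drift signal to act on.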

Putting It Together: A Reference Architecture

A typical HIPAA-compliant architecture on AWS includes several layers working together. The application tier runs in private subnets across multiple availability zones, fronted by an Application Load Balancer in public subnets with an AWS WAF for additional protection. The database tier uses Amazon RDS with Multi-AZ deployment, encrypted storage, and no direct internet access.

Monitoring and logging flow to a centralized security account with CloudTrail logs, Config recordings, and CloudWatch metrics aggregated for analysis. Backup and disaster recovery leverage AWS Backup for centralized policy management, with cross-region replication for critical data.

As an AWS Premier Tier Partner with deep healthcare experience, Opti9 helps organizations design and implement HIPAA-compliant architectures that balance security requirements with operational efficiency. The architectures leverage AWS best practices while accounting for each organization’s specific compliance obligations and technical constraints.

Common Mistakes to Avoid

Several patterns frequently create compliance gaps in AWS healthcare deployments. Using non-HIPAA-eligible services for ePHI processing, even temporarily, violates BAA coverage. Relying solely on AWS-managed encryption keys limits your key management control and audit capabilities. Granting broad IAM permissions because “it’s easier” undermines the access controls HIPAA requires.

Treating compliance as a one-time project rather than a continuous process creates drift over time. New resources get deployed without proper encryption. IAM policies accumulate excessive permissions. Logging configurations get modified without understanding the compliance implications.

Moving Forward

Building HIPAA-compliant infrastructure on AWS is achievable with proper planning and execution. Start with the BAA, implement encryption comprehensively, enforce least-privilege access with MFA, and establish audit logging from day one.

For organizations planning a healthcare cloud migration or looking to validate their current AWS compliance posture, Opti9 offers AWS-funded assessments that evaluate architecture against HIPAA requirements and AWS best practices.
