Quick Answer: If you're building or hosting healthcare applications on Amazon Web Services, you must meet both HIPAA's technical safeguards and AWS's shared responsibility model. That means configuring AWS services to protect ePHI, signing a Business Associate Agreement with AWS, and implementing controls across encryption, access management, audit logging, and breach response.
Running HIPAA-compliant workloads on AWS means satisfying the requirements of each HIPAA rule while correctly configuring every AWS service that touches protected health information. Under the shared responsibility model, AWS secures the underlying infrastructure (physical facilities, hypervisors, the managed service control plane); securing what you build on top of it, and demonstrating that to an auditor, is your responsibility. This page covers what those AWS HIPAA compliance requirements actually look like, where organizations get stuck, and what it realistically takes to meet them.
Neither HIPAA nor HHS certifies cloud providers or issues a formal "HIPAA compliant" designation for AWS. Instead, AWS signs a Business Associate Agreement (BAA) with covered entities and business associates, and you are responsible for configuring AWS services in a way that satisfies HIPAA's rules.
Here is how those rules map to your AWS environment:
| HIPAA Rule | What It Requires on AWS |
|---|---|
| Privacy Rule | Controls on who can access ePHI stored in AWS services; data minimization and use limitation policies |
| Security Rule | Administrative, physical and technical safeguards, including encryption at rest and in transit, access controls, audit logging, and automatic logoff |
| Breach Notification Rule | The ability to detect unauthorized access to ePHI (monitoring and alerting) and documented incident response procedures, so that a breach can be assessed and notified within the rule's 60-day deadline |
| Omnibus Rule | Business associates are directly liable for compliance, and any subcontractor you pass ePHI to needs its own BAA with you; AWS's BAA covers AWS, not the other vendors in your stack |
AWS publishes a list of HIPAA-eligible services, which includes Amazon S3, Amazon RDS, Amazon EC2, AWS Lambda, Amazon CloudWatch, AWS CloudTrail, and others. Using a HIPAA-eligible service does not automatically make your workload compliant. You must configure each service correctly.
For AWS RDS HIPAA compliance requirements specifically, that means enabling encryption at rest using AWS Key Management Service (KMS) when the instance is created (it cannot be switched on afterwards), enforcing SSL/TLS for data in transit through the engine's parameter group (for example, rds.force_ssl on PostgreSQL), keeping the instance off the public internet and restricting access through IAM roles and security groups, enabling automated backups, and logging activity. Note that AWS CloudTrail records control-plane API calls such as ModifyDBInstance, not queries against the data; access to the data itself has to be captured with the engine's own audit logs exported to CloudWatch Logs. RDS Enhanced Monitoring supplies OS-level metrics for availability monitoring, not an access audit trail.
For healthcare apps on AWS, HIPAA compliance requirements extend to application-layer controls: authentication and authorization, session management, input validation, and secure API design. The application must also integrate with your broader incident response and audit logging infrastructure.
AWS provides documentation and compliance guides, but translating those into a working, auditable configuration is where most organizations need support.
Most organizations underestimate what HIPAA compliance on AWS actually involves until they are already behind. The shared responsibility model sounds straightforward on paper, but the execution is where things get complicated.
Meeting AWS HIPAA compliance requirements is not a one-time configuration exercise. It requires ongoing work across documentation, technical controls, monitoring, and staff practices. Here is what that looks like in practice.
HIPAA requires written policies covering how your organization handles ePHI, including data classification, access control, incident response, and workforce training. On AWS, those policies need to reflect your actual cloud architecture. Generic templates do not satisfy auditors. You need documentation that maps your AWS services to specific HIPAA controls and explains how each safeguard is implemented.
Your AWS environment needs encryption enabled across all services that touch ePHI, including S3, RDS and EBS volumes, and TLS for data in transit. Access must be controlled through least-privilege IAM policies, multi-factor authentication, and role-based access. AWS CloudTrail must be enabled as a multi-region trail with log file validation turned on, and those logs need to be stored in a bucket that workloads cannot modify and reviewed regularly.
HIPAA's Security Rule requires regular review of information system activity, including audit logs and access reports. On AWS, that means configuring CloudWatch alarms, enabling Amazon GuardDuty for threat detection, and reviewing audit logs on a defined schedule. You also need a process for reviewing and updating configurations when you add new services or change your architecture, since a control that was in place at the last review can silently drift out of place.
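The RDS settings listed in the earlier section and the CloudTrail and review requirements above are all checkable from API output, which is how a reviewer turns "we enabled encryption" into evidence. The following is an added example written for this page, not code from AWS or from BEMO: it evaluates records shaped like the JSON returned by `aws rds describe-db-instances`, `aws rds describe-db-parameters` and `aws cloudtrail describe-trails` against those controls. The field names follow the real APIs; the instance names, key ARN, trail name and parameter values are constructed sample data so the script runs offline. Security group rules are not evaluated because they need a separate `describe-security-groups` call.

```python
"""Offline posture check for RDS and CloudTrail settings against the HIPAA
safeguards discussed on this page. Sample records below are constructed;
field names mirror the AWS API responses."""
from typing import Dict, List

# Engine -> (parameter group setting that forces TLS, values that count as enforced).
# Only these engine families are handled; anything else gets a manual-review finding.
FORCE_TLS_PARAMETER = {
    "postgres": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"1", "ON"}),
}

# Constructed sample: one hardened instance, one legacy instance with gaps.
SAMPLE_DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "phi-postgres-prod",
        "Engine": "postgres",
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",  # made up
        "PubliclyAccessible": False,
        "BackupRetentionPeriod": 35,
        "MultiAZ": True,
        "MonitoringInterval": 60,
        "EnabledCloudwatchLogsExports": ["postgresql"],
        "DBParameterGroups": [{"DBParameterGroupName": "phi-postgres16"}],
    },
    {
        "DBInstanceIdentifier": "legacy-mysql",
        "Engine": "mysql",
        "StorageEncrypted": False,
        "PubliclyAccessible": True,
        "BackupRetentionPeriod": 0,
        "MultiAZ": False,
        "MonitoringInterval": 0,
        "EnabledCloudwatchLogsExports": [],
        "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0"}],
    },
]
# Constructed sample: relevant entries from describe-db-parameters per group.
SAMPLE_PARAMETERS = {
    "phi-postgres16": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
    "default.mysql8.0": [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}],
}
# Constructed sample: a single-region trail without KMS encryption.
SAMPLE_TRAILS = [
    {"Name": "us-east-1-only", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": True, "KmsKeyId": None},
]


def check_db_instance(db: dict, params_by_group: Dict[str, list]) -> List[str]:
    """Return findings for one DBInstance record; an empty list means no gaps."""
    name = db["DBInstanceIdentifier"]
    findings = []
    if not db.get("StorageEncrypted"):
        findings.append(f"{name}: storage not encrypted at rest (StorageEncrypted=false)")
    if db.get("PubliclyAccessible"):
        findings.append(f"{name}: publicly accessible endpoint")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"{name}: automated backups disabled (BackupRetentionPeriod=0)")
    if db.get("MonitoringInterval", 0) == 0:
        findings.append(f"{name}: Enhanced Monitoring disabled")
    if not db.get("EnabledCloudwatchLogsExports"):
        findings.append(f"{name}: no engine logs exported to CloudWatch Logs")
    if not db.get("MultiAZ"):
        findings.append(f"{name}: advisory, single-AZ deployment")
    engine = db.get("Engine", "")
    rule = FORCE_TLS_PARAMETER.get(engine)
    if rule is None:
        findings.append(f"{name}: engine '{engine}' not covered, verify TLS enforcement manually")
    else:
        param, accepted = rule
        for group in db.get("DBParameterGroups", []):
            gname = group["DBParameterGroupName"]
            values = {p["ParameterName"]: p.get("ParameterValue")
                      for p in params_by_group.get(gname, [])}
            if values.get(param) not in accepted:
                findings.append(f"{name}: parameter group {gname} does not force TLS "
                                f"({param}={values.get(param)})")
    return findings


def check_trails(trails: List[dict]) -> List[str]:
    """Require at least one multi-region trail with log file validation and KMS encryption."""
    required = ("IsMultiRegionTrail", "LogFileValidationEnabled", "KmsKeyId")
    if any(all(t.get(k) for k in required) for t in trails):
        return []
    findings = ["no CloudTrail trail covers all regions with log file validation and KMS encryption"]
    for t in trails:
        missing = [k for k in required if not t.get(k)]
        findings.append(f"trail {t.get('Name')}: missing {', '.join(missing)}")
    return findings


def audit(db_instances: List[dict], trails: List[dict],
          params_by_group: Dict[str, list]) -> Dict[str, List[str]]:
    """Findings keyed by instance identifier, plus a 'cloudtrail' entry."""
    report = {db["DBInstanceIdentifier"]: check_db_instance(db, params_by_group)
              for db in db_instances}
    report["cloudtrail"] = check_trails(trails)
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_DB_INSTANCES, SAMPLE_TRAILS, SAMPLE_PARAMETERS).items():
        print(scope, "->", findings or ["no findings"])
```

Feeding the real output of the three CLI commands into `audit` (for every region, since RDS output is regional) yields a finding list that maps one-to-one onto the safeguards an auditor will ask about; running it on a schedule and keeping the output is the review evidence the Security Rule expects.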
Every member of your workforce who accesses ePHI or manages your AWS environment needs HIPAA training. That includes developers, DevOps engineers, and system administrators. Training needs to be documented, tracked, and repeated on a regular cycle. Tools like KnowBe4 can automate delivery and tracking, but someone still needs to manage the program.
If you are a business associate subject to a HIPAA audit or a covered entity undergoing an HHS review, you will need to produce evidence that your AWS environment meets each required safeguard. That means organized logs, policy documents, training records, BAA copies, and risk assessment documentation. Having a system in place before an audit request arrives saves significant time.
There is no single right way to approach HIPAA compliance on AWS. The right model depends on your internal capabilities, budget, and how quickly you need to get compliant. Here is an objective look at the three main approaches.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
|---|---|---|---|
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires ($84K-$132K+ per person) | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
| Starting cost | $84K-$132K+/year (one hire) | $10K-$30K/year (platform only) | ~$4,800/month (full service) |
The DIY path gives you the most control but requires significant internal expertise and time. A GRC platform like Drata or Vanta can automate evidence collection and policy tracking, but you still need someone who understands HIPAA and AWS well enough to configure everything correctly. A managed compliance partner handles the technical implementation, policy development, and ongoing monitoring, which is useful if you do not have dedicated compliance staff.
Getting your AWS environment to a defensible, auditable HIPAA compliance state follows a predictable sequence. Here is what that process looks like.
Step 1: Book a GAP Assessment. A GAP assessment evaluates your current AWS configuration and organizational practices against HIPAA requirements. It identifies which controls are in place, which are missing, and where your highest-risk gaps are.
Step 2: Get Your Implementation Roadmap. Based on the GAP assessment, you receive a prioritized plan covering technical controls, policy development, tooling, and timelines. This gives you a clear picture of what needs to happen and in what order.
Step 3: Deploy Controls. This is where the work happens: configuring AWS services, enabling encryption and logging, deploying GRC automation, writing and approving policies, and standing up monitoring. BEMO's typical implementation runs about eight months.
Step 4: Achieve and Maintain Compliance. Once controls are in place, ongoing compliance requires continuous monitoring, regular risk assessments, workforce training, and vendor management. Compliance is not a finish line; it is an operating state.
The challenges covered in this guide are exactly where most organizations get stuck: misconfigured AWS services, missing BAAs, incomplete documentation, and no one with time to manage it all. BEMO addresses those gaps directly.
Here is what you get when you work with BEMO:
BEMO assigns a dedicated multi-role team to your account, owns the outcome, and gets you to compliance in approximately eight months. You do not have to figure out AWS HIPAA configuration on your own.
Book a meeting with BEMO to start with a GAP assessment and get a clear picture of where you stand.
Healthcare apps running on AWS must implement HIPAA's technical safeguards at the application layer, including user authentication, role-based access to ePHI, session timeouts, encrypted data storage and transmission, and audit logging of all access to patient data. You also need to sign a BAA with AWS and ensure any third-party services connected to your app have their own BAAs in place. HIPAA-eligible services like Amazon Cognito, API Gateway, and Lambda can support these requirements when configured correctly.
For AWS RDS HIPAA compliance requirements, you need to enable encryption at rest using AWS KMS for all RDS instances that store ePHI; this is set at creation time, so an unencrypted instance has to be snapshotted and restored into an encrypted one. Data in transit must be encrypted using SSL/TLS, and the parameter group should force it so that plaintext connections are refused rather than merely discouraged. Access to the database should be restricted through IAM roles, security groups, and least-privilege principles, with the instance not publicly accessible. You also need to enable automated backups and Enhanced Monitoring, record configuration changes through AWS CloudTrail, and export the engine's audit logs to CloudWatch Logs for access to the data itself, which CloudTrail does not capture. Multi-AZ deployment is recommended for availability, and you should document your RDS configuration as part of your broader HIPAA risk management documentation.
The timeline depends on your starting point and the complexity of your AWS environment. Organizations working with a managed compliance partner typically complete initial implementation in around eight months. Doing it in-house without dedicated compliance staff often takes 12 to 18 months or longer. A GAP assessment at the start of the process gives you a realistic timeline based on your specific gaps.
A HIPAA GAP assessment for an AWS environment reviews your current service configurations, IAM policies, encryption settings, logging and monitoring setup, existing documentation, workforce training records, and BAA coverage. The output is a prioritized list of gaps mapped to specific HIPAA requirements, along with a recommended remediation plan. This assessment is the starting point for any structured HIPAA compliance program.
HIPAA compliance on AWS requires expertise across cloud security configuration, regulatory requirements, policy development, and audit preparation. Most organizations do not have all of those capabilities in-house. A managed compliance partner brings a dedicated team that covers all of those areas, handles ongoing monitoring, and coordinates with auditors on your behalf. You can read more about HIPAA compliance for cloud service providers to understand the full scope of what that involves.
BEMO assigns a dedicated team to every client account, including a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. That team manages your implementation, handles ongoing compliance monitoring, and coordinates with auditors. Bi-weekly status meetings keep you informed throughout the process, and BEMO maintains a 72-hour SLA for remediation tasks.
Yes. AWS offers a BAA that covers its HIPAA-eligible services; it is accepted through AWS Artifact in the console. You need to accept this agreement before using any AWS service to store or process ePHI, and keep ePHI only in services on the HIPAA-eligible list. The BAA covers AWS's responsibilities under the shared responsibility model, but it does not extend to how you configure those services. Your configuration decisions, access controls, and data handling practices remain your responsibility under HIPAA. You can learn more about the broader HIPAA compliance requirements for businesses to see how the BAA fits into your overall compliance program.