When it comes to healthcare applications in the cloud, security and compliance aren’t optional. They’re legal and professional imperatives. The Health Insurance Portability and Accountability Act (HIPAA) has established strict rules on how protected health information (PHI) must be:
- Stored
- Accessed
- Transmitted
If you’re using Amazon Web Services (AWS) to host your healthcare app or platform, it’s critical you understand how HIPAA applies to your organization and its actions.
The problem is that many companies think AWS makes them HIPAA compliant out of the box.
It doesn’t.
Instead, your team has to:
- Properly configure AWS services
- Ensure your data stays within the HIPAA scope
- Maintain ongoing security
Many companies still struggle with this process and lack proper HIPAA training. From misconfigured controls that the HIPAA Security Rule requires to gaps in manual oversight, you can end up at risk both legally and operationally.
Not good.
For that reason, we’ve crafted this guide to help you understand AWS HIPAA compliance. It will give you all the information you need to stay secure and compliant.
Key Takeaways
- HIPAA requires healthcare organizations and their partners to protect PHI using safeguards that are administrative, technical, and physical.
- AWS operates under a Shared Responsibility Model: it secures the underlying infrastructure and offers HIPAA-eligible services, but the compliant architecture built on them is yours to configure and maintain.
- Automation platforms like DuploCloud can help establish and enforce HIPAA requirements as a default feature, which will reduce your risk and speed up deployment.
What Is HIPAA and Why It Matters in the Cloud
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It sets the standards in the United States for protecting sensitive patient data.
Any application that handles PHI on behalf of a covered entity or business associate must comply with HIPAA. This is especially true for those dealing with electronic protected health information (ePHI), which is what the HIPAA Security Rule specifically governs.
Key HIPAA Terms
PHI (Protected Health Information): This term refers to individually identifiable health information, meaning any data that can be linked to a specific person and relates to:
- Individual health
- Healthcare
- Payment for healthcare
Covered Entities: These are organizations that are directly involved in healthcare. This can include:
- Providers
- Insurers
- Clearinghouses
Business Associates: These are third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity. A cloud provider like AWS falls under this term when it stores or processes PHI for you.
HIPAA mandates strict security standards when PHI is stored or processed in the cloud. That’s why it’s critical to know how public cloud infrastructure aligns, or doesn’t, with these standards.
Is AWS HIPAA Compliant?
The short answer is yes… with caveats.
AWS can support HIPAA-compliant workloads. But not all of its services are HIPAA-eligible, and there is no HIPAA certification that AWS (or anyone else) can hand you. Compliance depends largely on how the services are configured… by you.
The Business Associate Agreement (BAA)
To process PHI on AWS, you must have a Business Associate Agreement (BAA) in place with AWS; it is accepted through the AWS Artifact console. This legal agreement spells out AWS’s responsibilities for safeguarding PHI under HIPAA.
Still, a BAA only covers specific AWS services. It does not guarantee that your entire cloud environment is securely configured.
Basically, AWS gives you the tools. You’re still on the hook to use them the right way.
That’s where DuploCloud comes in. DuploCloud will make sure your AWS configurations meet HIPAA requirements by:
- Enforcing encryption both at rest and in transit
- Enabling secure networking as a default mechanism
- Automatically applying access control policies across your systems
With DuploCloud, healthcare teams can focus on building apps instead of struggling with security policies.
AWS HIPAA Eligible Services (BAA-Covered)
AWS does list the specific services it offers that are “HIPAA-eligible” under the BAA.
These include:
- Amazon EC2 (Elastic Compute Cloud)
- Amazon S3 (Simple Storage Service)
- Amazon RDS (Relational Database Service)
- AWS Lambda
- Amazon DynamoDB
- Amazon VPC (Virtual Private Cloud)
- AWS CloudTrail
- Amazon EBS
- AWS Secrets Manager
You can read the full list on the AWS HIPAA page.
Pro Tip: Keep your architecture lean and use only HIPAA-eligible services. Also, be sure that all of your data flows and inter-service communication stay within the BAA scope, and remember that eligibility only counts once the BAA is actually in place for the account.
And make sure you review AWS’s HIPAA Reference Architecture for guidance on which design patterns are compliant.
Shared Responsibility Model for HIPAA on AWS
Again, AWS operates under a Shared Responsibility Model.
Here’s what AWS takes responsibility for:
- Physical security
- Global infrastructure
- Underlying hardware
Here’s what that leaves you responsible for:
- Properly configuring services
- Securing your data
- Managing all your access policies
- Encryption and logging
Common Customer Responsibilities
So yes, AWS secures the underlying infrastructure, but HIPAA compliance depends on how you configure and manage your environment. You are charged with everything from identity management to network controls.
Your team is responsible for implementing the technical safeguards that protect your PHI.
Here are the most important areas where customers must take ownership:
- IAM policies: Use least privilege, enable MFA, rotate credentials
- Storage: Lock down S3 buckets, enable server-side encryption
- Network: Use VPCs, subnets, security groups, and NACLs correctly
- Audit Logging: Enable CloudTrail, CloudWatch Logs, and AWS Config
DuploCloud simplifies each of these areas through automation. We enforce security configurations (like IAM roles, encryption, VPC settings) through prebuilt HIPAA-compliant templates. This helps ensure customers meet their side of the shared responsibility model with minimal overhead.
And your team won’t be building compliance from scratch.
Best Practices for HIPAA Compliance on AWS
Of course, achieving HIPAA compliance on AWS isn’t just about choosing the right services.
It’s about configuring them correctly and keeping your security practices strong over time. Here, we’ve included some best practices to follow to help you establish a secure, HIPAA-compliant AWS environment. They help protect PHI, limit access, and detect any issues that do arise early. That way, your infrastructure can recover if a failure does occur.
Encryption at rest and in transit
Use AWS KMS (Key Management Service) keys, either AWS-managed or customer-managed, to encrypt PHI at rest in S3, EBS, RDS, and DynamoDB, and require TLS on every connection so PHI is protected whenever it moves. A bucket policy can reject unencrypted uploads and non-TLS requests outright, so the control does not depend on every client doing the right thing.
Identity and Access Management (IAM) best practices
Always follow the principle of least privilege and assign permissions to roles rather than to individual users. Limit each role to what it needs, require MFA, and rotate secrets regularly.
Network isolation and segmentation
Isolate environments with VPCs and private subnets, and keep databases and other PHI stores off public subnets. Configure security groups, NACLs, and route tables to control all traffic, and never open administrative or database ports to 0.0.0.0/0.
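The responsibilities listed earlier (IAM, storage, network) and the encryption, IAM, and network practices above can be verified mechanically instead of by eyeballing the console. The following is an added example in Python, not DuploCloud’s or AWS’s own code, that audits policy and security-group documents in the shape the AWS CLI returns them: it flags Allow statements with wildcard actions on all resources, confirms a bucket policy denies non-TLS requests and non-KMS uploads, and lists admin or database ports open to the world. The sample documents, bucket name, and group ID are constructed for the example.

```python
"""Offline audit of AWS policy and security-group documents (added example).

Checks IAM least privilege, S3 bucket policies that require TLS and KMS
encryption, and security groups exposing admin or database ports. The sample
documents are constructed for this example, not taken from a real account.
"""
import json

SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}  # SSH, RDP, MSSQL, MySQL, PostgreSQL


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def find_overbroad_statements(policy):
    """Sids of Allow statements granting '*' or 'service:*' on every resource."""
    return [stmt.get("Sid", f"statement-{i}")
            for i, stmt in enumerate(_statements(policy, "Allow"))
            if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
            and "*" in _as_list(stmt.get("Resource"))]


def enforces_tls(bucket_policy):
    """True if a Deny statement rejects requests made without TLS (aws:SecureTransport false)."""
    return any(str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false"
               for s in _statements(bucket_policy, "Deny"))


def enforces_sse(bucket_policy, allowed=("aws:kms",)):
    """True if PutObject is denied when the SSE header is missing AND when it names
    an algorithm outside `allowed` (the two-statement pattern AWS documents)."""
    denies_missing = denies_wrong = False
    for stmt in _statements(bucket_policy, "Deny"):
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            denies_missing = True
        values = set(_as_list(cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")))
        if values and values <= set(allowed):
            denies_wrong = True
    return denies_missing and denies_wrong


def open_sensitive_ingress(security_group):
    """(port, cidr) pairs where an admin or database port is reachable from anywhere."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":  # "all traffic" rule
            ports = SENSITIVE_PORTS
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports = {p for p in SENSITIVE_PORTS if lo <= p <= hi}
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.extend((p, cidr) for p in sorted(ports))
    return findings


# Constructed samples, shaped like the output of `aws iam get-policy-version`,
# `aws s3api get-bucket-policy` and `aws ec2 describe-security-groups`.
PHI_BUCKET = "arn:aws:s3:::example-phi"
OVERBROAD_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadPhi", "Effect": "Allow", "Action": "s3:GetObject", "Resource": PHI_BUCKET + "/*"},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
]}
HARDENED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [PHI_BUCKET, PHI_BUCKET + "/*"], "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": PHI_BUCKET + "/*", "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": PHI_BUCKET + "/*", "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}
OPEN_DB_SECURITY_GROUP = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}


def audit():
    """Run every check over the samples and return the findings."""
    return {"overbroad_iam": find_overbroad_statements(OVERBROAD_IAM_POLICY),
            "bucket_requires_tls": enforces_tls(HARDENED_BUCKET_POLICY),
            "bucket_requires_kms": enforces_sse(HARDENED_BUCKET_POLICY),
            "world_open_ports": open_sensitive_ingress(OPEN_DB_SECURITY_GROUP)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

To run this against a real account, load the JSON from `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` and the other two commands in place of the constructed samples. The encryption check deliberately looks only for the two-statement Null/StringNotEquals pattern AWS documents; a policy that expresses the same intent differently will be reported as not enforcing SSE, which is the safer failure for an audit script.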
Audit logging and monitoring
When you enable CloudTrail, CloudWatch Logs, and AWS Config, you can track changes and respond to any anomalies that arise.
Least privilege principle enforcement
Avoid using the root user at all in production; lock it down with MFA and alert on any root activity. Likewise, keep wide-permission roles such as AdministratorAccess out of production workloads.
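Enabling CloudTrail only helps if something reads it. The following added example (Python, not DuploCloud’s or AWS’s code) runs three detection rules over constructed CloudTrail records, trimmed to the fields the rules need: root-user activity, successful console logins without MFA, and API calls that stop or alter the trail. Event IDs, user names, the account ID, and the trail name are made up for the example.

```python
"""Detection rules over CloudTrail records (added example, constructed data)."""
import json

# API calls that weaken or disable audit logging. Keep this list explicit so
# an auditor can see exactly what you alert on.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                         "PutEventSelectors", "DeleteLogGroup"}


def classify_event(event):
    """Return finding labels for one CloudTrail record (empty list if benign)."""
    findings = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "")

    # Any action by the root user is worth an alert under a least-privilege policy.
    if identity.get("type") == "Root":
        findings.append("root-user-activity")

    # A successful console login without MFA; failed logins are noisy and left out.
    if name == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed", "No")
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        if mfa != "Yes" and outcome == "Success":
            findings.append("console-login-without-mfa")

    if name in LOGGING_TAMPER_EVENTS:
        findings.append("audit-logging-tampered")

    return findings


def scan(records):
    """Map eventID -> findings for every record that triggered at least one rule."""
    alerts = {}
    for rec in records:
        hits = classify_event(rec)
        if hits:
            alerts[rec["eventID"]] = hits
    return alerts


# Constructed sample records shaped like CloudTrail JSON, trimmed to relevant fields.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "phi-trail"}},
    {"eventID": "e4", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

In production the same `scan` function would run over the records CloudTrail delivers to an S3 bucket or a CloudWatch Logs subscription. The rules are intentionally narrow; the point is that each one maps to a control an auditor will ask about (root usage, MFA, integrity of the audit trail), not that three rules make a SIEM.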
Backup and disaster recovery plans
Maintain regular backups and recovery procedures for your key infrastructure and data.
Tool Integration Tip:
Make sure you include all of the following in your compliance tool belt:
- AWS CloudTrail: To capture all API activity
- CloudWatch: To monitor system metrics and, through CloudWatch Logs, application and system logs
- AWS Config: To assess configuration compliance
- AWS Shield: To protect from DDoS attacks
AWS HIPAA Compliance Challenges
Still, you can have the best intentions and run into problems. Everyone does. Here’s what to watch for:
- Manual Misconfigurations: Just one poorly configured S3 bucket can expose millions of records.
- Lack of Visibility: Yes, it’s tough to track who accessed what, when, and why. This is especially challenging in large teams.
- Audit Complexity: Having to prove compliance to an auditor means having to dig through endless logs and assemble evidence. And you often have to do it all manually.
- Scaling Secure Infrastructure: As you scale, so do your risks. Security controls drift and become inconsistent across accounts and teams.
DuploCloud can mitigate all these risks through automated configuration. We also provide policy enforcement and continuous monitoring. This works across your environments and across your teams.
Automating HIPAA Compliance on AWS
Fortunately, automation can play a critical role in helping you maintain HIPAA compliance on AWS. That’s because it enforces security and compliance policies (for instance, the checks AWS Security Hub runs) as a default mechanism. So you don’t have to think about it. And you don’t have to rely on retroactive fixes after a compliance program or an auditor finds the gap.
This proactive approach cuts way down on your risk of configuration gaps. It also makes sure your best practices are applied consistently and across environments.
When you streamline DevOps workflows with automation, you minimize friction between development and compliance requirements. This allows your team to ship faster without compromising security or sensitive information.
It also significantly reduces human error. That’s because it eliminates manual steps, checklists, and ad hoc configurations, the sources of those pesky errors that lead to vulnerabilities.
For example:
Imagine you’re deploying a new healthcare SaaS platform.
With DuploCloud:
- Networking is pre-secured
- AWS IAM roles are already defined with least privilege
- Secrets are encrypted and managed
- Monitoring tools are pre-integrated
Guess what that means: your team gets to skip the compliance scaffolding and get right to the building. That’s a big win.
How DuploCloud Supports AWS HIPAA Compliance
We designed DuploCloud to reduce the operational burden of HIPAA compliance. Here’s how:
- You get prebuilt infrastructure blueprints that launch secure, compliant environments in minutes.
- You’ll get guardrails that are built in automatically, so encryption is enforced and IAM policies are restricted. Plus, you’ll have secure networking.
- You’ll count on automated provisioning, with Infrastructure-as-Code and HIPAA-compliant defaults.
- You’ll rely on continuous monitoring that detects and alerts on drift or non-compliant configurations.
You can explore more of DuploCloud’s HIPAA features here.
Once your environment is in place, regular audits asking you to prove compliance will follow. They’re a necessary part of HIPAA compliance.
With DuploCloud, you won’t have to scramble during audits. Your compliance evidence is already built into your workflows.
FAQs on AWS HIPAA Compliance
Does AWS offer HIPAA compliance out of the box?
No. AWS provides the infrastructure and services you’ll need to be HIPAA-compliant. But it’s up to your team to configure and use those tools correctly. You also have to sign a BAA.
What happens if I use a non-covered AWS service?
If you store or process PHI with a non-eligible service, that use falls outside your BAA: AWS has not agreed to safeguard PHI there, and you are likely in violation of HIPAA. Always use a HIPAA-eligible service when dealing with PHI.
Do I need a compliance team to meet HIPAA on AWS?
Not necessarily. But you will need a strong process or quality automation in its place. Platforms like DuploCloud can replace or augment even the highest-quality compliance team.
Can DuploCloud help with HIPAA audit preparation?
Yes! DuploCloud offers built-in tools like log capture, policy enforcement, and report generators to make it easier for you to prepare for internal or third-party audits.