Is Amazon Web Services HIPAA Compliant?
Amazon Web Services is HIPAA compliant for “HIPAA eligible services” covered by AWS’ general Business Associate Addendum or by a service-specific Business Associate Agreement (e.g., Alexa Health Skills). However, Amazon Web Services is not HIPAA compliant “off the shelf”. In order to use AWS’ HIPAA eligible services in compliance with HIPAA, it is necessary to architect and configure those services to support HIPAA compliance.
Amazon Web Services is the largest provider of cloud services in the world. AWS’ HIPAA eligible services can be used as individual healthcare solutions or combined to create secure, cloud-based healthcare platforms and scalable healthcare infrastructures that unite (for example) clinical systems, medical research, patient experience, and claims management.
To support organizations on their cloud journeys, Amazon Web Services offers a range of Partnership services that can advise, design, procure, build, adopt, and manage services on a customer’s behalf. Partners can also supply bespoke security products that enable healthcare organizations to securely integrate legacy systems with AWS cloud services.
However, because the AWS Business Associate Addendum requires that all Protected Health Information is encrypted in transit and at rest, it can be more difficult to make Amazon Web Services HIPAA compliant than some other cloud solutions, and doing so also requires a certain level of technical skill.
Understanding AWS and HIPAA Compliance
The first thing to understand about Amazon Web Services is that there are more than 130 HIPAA eligible services. Some fall into the category of Infrastructure-as-a-Service (IaaS), while others fall into the categories of Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS). AWS’ “shared responsibility model” – which sets out which party is responsible for which aspects of security – varies according to the type(s) of service(s) subscribed to.
Responsibility for the confidentiality, integrity, and availability of Protected Health Information can also vary depending on whether an organization operates in a hybrid or multi-cloud environment (e.g., AWS and on-premises, or AWS and other service providers). In such circumstances, the organization may assume more responsibility for complying with the Administrative, Physical, and/or Technical Safeguards of the Security Rule.
It is important for covered entities and business associates to be aware of what responsibilities they have for HIPAA compliance before subscribing to an AWS HIPAA eligible service. The failure to understand how AWS’ shared responsibility model works and what steps are required to make Amazon Web Services HIPAA compliant could result in impermissible disclosures of Protected Health Information and avoidable data breaches.
Making Amazon Web Services HIPAA Compliant
Because there are more than 130 HIPAA eligible services, Amazon Web Services has published a whitepaper for architecting the eligible services to be HIPAA compliant. This is not a service-by-service guide to making Amazon Web Services HIPAA compliant, but a guide to what other services it may be necessary to configure when subscribing to one particular service.
For example, an organization subscribing to Amazon HealthLake will not only have to apply access controls to the HealthLake service, but will also need to encrypt PHI in transit between HealthLake and Amazon S3 (or an on-premises storage volume). It is also necessary to configure AWS CloudTrail, AWS Backup, and AWS Elastic Disaster Recovery to comply with HIPAA if these services are used to monitor user access and support contingency plans.
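As an added illustration of the “encrypt in transit and at rest” requirement applied to one service, the CloudFormation template below (example code, not taken from the article or from AWS’ whitepaper) creates an S3 bucket for PHI with a customer-managed KMS key as its default encryption, blocks public access, and attaches a bucket policy that denies any request not made over TLS and any upload that does not request SSE-KMS. The resource names (PhiKey, PhiBucket, PhiBucketPolicy) and the bucket name are constructed placeholders; the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are the standard ones AWS documents for these checks.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the article): an S3 bucket for PHI with
  default KMS encryption at rest and a policy that denies non-TLS
  requests and uploads that do not request SSE-KMS.

Resources:
  # Customer-managed key for PHI at rest. Assumed: the account root
  # administers the key; real deployments scope the key policy further.
  PhiKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for PHI bucket (constructed example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  PhiBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Bucket name is a constructed placeholder.
      BucketName: !Sub example-phi-bucket-${AWS::AccountId}
      # Encryption at rest: every new object is encrypted with PhiKey
      # unless the request names another KMS key.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref PhiKey
            BucketKeyEnabled: true
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled

  PhiBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PhiBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Encryption in transit: refuse any request not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt PhiBucket.Arn
              - !Sub ${PhiBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: "false"
          # Encryption at rest: refuse uploads that do not request SSE-KMS.
          # StringNotEquals also matches when the header is absent, so an
          # upload that sends no encryption header is denied as well.
          - Sid: DenyUploadsWithoutKms
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub ${PhiBucket.Arn}/*
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: aws:kms
```

The second Deny is deliberately stricter than the bucket default: S3 now applies SSE-S3 to new objects on its own, but this policy makes clients state SSE-KMS explicitly so that an unencrypted or SSE-S3 upload fails loudly rather than silently landing under a weaker setting. The template does not configure CloudTrail data-event logging or AWS Backup for the bucket; as the paragraph above notes, those services need their own configuration when they are relied on for access monitoring and contingency planning.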
To configure each service independently to support HIPAA compliance, it is necessary to refer to AWS’ online documentation. This area of the AWS website provides step-by-step configuration guidance for each AWS service and security best practices for many HIPAA eligible services. Covered entities and business associates are advised to study the guidance and assess the risk of implementing a particular service before subscribing to it.
Other HIPAA Considerations when Using AWS
One of the most important HIPAA considerations when using AWS is the Business Associate Addendum. Amazon Web Services does not publicly disclose the terms of its Business Associate Addendum (it is available to customers, under an NDA, via AWS Artifact in the Management Console), but it is well known that one of the terms of the Addendum is the encryption of all Protected Health Information at rest and in transit.
Not only is it important to agree to the terms before any service is used to create, receive, store, or transmit Protected Health Information, but it is also important to review the terms of the Addendum in the context of AWS’ other legal documents. Combined, these documents prohibit the use of any non-eligible service with Protected Health Information, so it is important to monitor AWS invoices for what services are used by whom.
It is very easy to subscribe to any AWS service, and there is a risk that workforce members may subscribe to an unsanctioned service. As Amazon Web Services could potentially terminate a healthcare organization’s account for using unsanctioned services to create, receive, store, or transmit Protected Health Information, it is important that all members of the workforce receive HIPAA training on using Amazon Web Services in compliance with HIPAA.