
Is AWS HIPAA Compliant? What the BAA Covers in 2026

By Joseph Abear

Last updated: June 8, 2026

Is AWS HIPAA compliant? Not on its own. AWS is HIPAA eligible, which means Amazon will sign a Business Associate Addendum (BAA) and lets you build a compliant system on its infrastructure, but it does not make you HIPAA compliant by default. Under the AWS shared responsibility model, Amazon secures the underlying cloud while you remain responsible for how you configure everything you run on it. More than 160 AWS services are designated HIPAA eligible, and only those services may store, process, or transmit protected health information (PHI). Getting to compliance means signing the BAA, using only eligible services for PHI, and configuring encryption, access control, and logging yourself.

TL;DR: Quick answer

  • Is AWS HIPAA compliant? AWS is HIPAA eligible, not HIPAA compliant on its own. Amazon provides compliant building blocks; you are responsible for configuring them correctly.

  • Amazon will sign a Business Associate Addendum (BAA), its version of the Business Associate Agreement HIPAA requires under 45 CFR § 164.308(b), before you place any PHI on AWS.

  • More than 160 services are HIPAA eligible per the AWS HIPAA Eligible Services Reference (last updated May 22, 2026). PHI must stay inside those services; the list changes, so check it.

  • Under the shared responsibility model, AWS secures the cloud itself, and you secure what you put in it: encryption, IAM, audit logging, and a six-year log retention per 45 CFR § 164.316(b)(2)(i).

  • Using AWS does not transfer your HIPAA obligations. A managed HIPAA cloud host can configure and document these safeguards for you.

HIPAA eligible vs HIPAA compliant: the difference that matters

The question "is AWS HIPAA compliant" usually comes from a misread of two terms. HIPAA eligible means Amazon has built a service so it can be used with PHI and has agreed to cover it under a BAA. HIPAA compliant describes a whole system, including your configuration, policies, and staff, that meets the HIPAA Security Rule. AWS supplies eligible parts. You assemble them into something compliant. No cloud provider can sell you compliance as a finished product, because compliance depends on choices only you control.

Yes, AWS will sign a BAA (called a Business Associate Addendum)

HIPAA requires a signed agreement before any vendor stores or processes PHI for you, under 45 CFR § 164.308(b). Amazon meets this with the AWS Business Associate Addendum (BAA), which you accept through AWS Artifact in your account. The BAA defines how responsibility is split and which services are in scope. Until it is in place, putting PHI on AWS is a HIPAA violation, even if every technical control is set up correctly. The BAA is the legal foundation, not the encryption.

The shared responsibility model: who secures what

AWS describes security as a shared responsibility. Amazon is responsible for security "of" the cloud: the physical data centers, the hardware, and the core services. You are responsible for security "in" the cloud: your operating systems, your data, your access rules, and your network settings. For a wider view of how those safeguards map to the HIPAA Security Rule, see our complete guide to HIPAA compliant hosting. The short version: AWS hands you a secure foundation, and the parts that fail an audit are almost always the customer's settings, not Amazon's.

Only HIPAA eligible services can touch PHI

More than 160 AWS services are HIPAA eligible, and Amazon lists each one in the AWS HIPAA Eligible Services Reference. Common building blocks are eligible, including Amazon EC2 for servers, Amazon S3 for storage, Amazon RDS and Aurora for databases, AWS Lambda for code, Amazon EBS for disks, AWS Key Management Service (KMS) for encryption keys, and AWS CloudTrail for logging. Services not on the list cannot legally hold PHI, even inside a HIPAA account. This trips up many teams, because a service can be popular and well secured and still be outside BAA scope. Check the reference before you route PHI anywhere, since the list changes as Amazon adds services.

What you must configure on the customer side

This is where "is AWS HIPAA compliant" turns into real work. The BAA and eligible services give you the materials. These controls turn them into a compliant system.

Encryption in transit and at rest

Encrypt data moving between systems with TLS 1.2 or higher, and encrypt stored data with AWS KMS, which commonly uses AES-256. HIPAA treats encryption as addressable under 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii), which means you use it or document an equal protection. In practice, encrypt everything.

Access control with IAM

Use AWS Identity and Access Management to give each person and service the least access they need, under 45 CFR § 164.312(a). Require multi-factor authentication on every account, avoid shared logins, and remove access promptly when someone leaves.

Audit logging and six-year retention

Turn on AWS CloudTrail and VPC Flow Logs so you can show who accessed data and when, under 45 CFR § 164.312(b). Retain that documentation for at least six years under 45 CFR § 164.316(b)(2)(i). Logging that is on but never reviewed is a common audit gap.

Backups and a recovery plan

Keep encrypted, automatic backups in more than one region and test that you can restore them. A contingency plan is an administrative safeguard, not an optional extra.
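The four customer-side controls above, plus the eligible-service scoping from earlier in the article, can be expressed as a single review pass over an account inventory. This is an added example, not AWS tooling or the article's own code: the account record is a constructed, simplified inventory for a hypothetical account (a real review would fill it from the AWS SDK or CLI), and the eligible-service set is only the services the article names, not the full AWS reference.

```python
"""Review constructed account inventory against the HIPAA controls the article lists."""

# Only the services the article names as eligible (illustrative; check the live list).
ELIGIBLE_SERVICES = {"ec2", "s3", "rds", "aurora", "lambda", "ebs", "kms", "cloudtrail"}
SIX_YEARS_DAYS = 6 * 365  # documentation retention floor, 45 CFR 164.316(b)(2)(i)

# Constructed sample inventory for a hypothetical account; "sample-svc" is a
# made-up service name standing in for anything outside BAA scope.
ACCOUNT = {
    "baa_accepted": True,
    "resources": [
        {"name": "phi-records", "service": "s3", "phi": True, "kms": True, "min_tls": "1.2"},
        {"name": "phi-cache", "service": "sample-svc", "phi": True, "kms": True, "min_tls": "1.2"},
        {"name": "patients-db", "service": "rds", "phi": True, "kms": False, "min_tls": "1.0"},
        {"name": "static-site", "service": "s3", "phi": False, "kms": False, "min_tls": "1.0"},
    ],
    "iam_users": [
        {"name": "alice", "mfa": True, "shared": False},
        {"name": "shared-ops", "mfa": False, "shared": True},
    ],
    "cloudtrail": {"enabled": True, "retention_days": 400},
    "backups": {"encrypted": True, "regions": ["us-east-1"], "restore_tested": False},
}


def review(account):
    """Return a list of findings; an empty list means every listed control passed."""
    findings = []
    if not account["baa_accepted"]:
        findings.append("BAA not accepted in AWS Artifact: no PHI may be placed on AWS")
    for r in account["resources"]:
        if not r["phi"]:
            continue  # non-PHI resources are out of scope for these checks
        if r["service"] not in ELIGIBLE_SERVICES:
            findings.append(f"{r['name']}: PHI in non-eligible service {r['service']}")
        if not r["kms"]:
            findings.append(f"{r['name']}: PHI at rest without KMS encryption")
        if tuple(int(p) for p in r["min_tls"].split(".")) < (1, 2):
            findings.append(f"{r['name']}: minimum TLS {r['min_tls']} is below 1.2")
    for u in account["iam_users"]:
        if not u["mfa"]:
            findings.append(f"IAM user {u['name']}: MFA not enforced")
        if u["shared"]:
            findings.append(f"IAM user {u['name']}: shared login")
    trail = account["cloudtrail"]
    if not trail["enabled"]:
        findings.append("CloudTrail disabled: no audit trail of PHI access")
    elif trail["retention_days"] < SIX_YEARS_DAYS:
        findings.append(f"CloudTrail retention {trail['retention_days']}d is below six years")
    b = account["backups"]
    if not b["encrypted"]:
        findings.append("backups are not encrypted")
    if len(set(b["regions"])) < 2:
        findings.append("backups kept in a single region")
    if not b["restore_tested"]:
        findings.append("backup restore has never been tested")
    return findings
```

Running `review(ACCOUNT)` on the sample inventory reports the non-eligible cache, the unencrypted database with TLS 1.0, the shared non-MFA user, the short CloudTrail retention, and the single-region untested backups; every one of these is a setting on the customer's side of the shared responsibility line.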

Common mistakes teams make on AWS

Three patterns show up again and again. The first is placing PHI in a service that is not HIPAA eligible because it was convenient. The second is treating the BAA as the finish line, when it is the starting line for configuration work. The third is leaving logging unmonitored, so a problem is only discovered after a breach. Each of these passes a casual look and fails a real assessment. This is why "is AWS HIPAA compliant" is the wrong question to stop on; the real question is whether your own setup is.

If you would rather not build it yourself

Configuring HIPAA on AWS takes real expertise, and the gap between "eligible" and "compliant" is where most of the cost and risk lives. If your team would rather ship product than harden cloud servers, our managed HIPAA cloud hosting provisions servers that arrive pre-hardened to the Security Rule, with encryption, a web application firewall, intrusion detection, encrypted backups, six-year audit logging, and a signed BAA included. HIPAA Compliant Hosting sells managed hosting, so we have a commercial interest here. We also think a team that understands the shared responsibility model makes safer choices, whoever runs its infrastructure.

Frequently asked questions

Is AWS HIPAA compliant?

AWS is HIPAA eligible, not HIPAA compliant on its own. Amazon signs a BAA and offers more than 160 HIPAA eligible services, but you are responsible for configuring encryption, access control, and logging so your full system meets the HIPAA Security Rule.

Does AWS sign a BAA?

Yes. Amazon offers the AWS Business Associate Addendum (BAA), which you accept in AWS Artifact. You must have it in place before storing or processing PHI on AWS.

Are Amazon S3 and RDS HIPAA eligible?

Yes. Amazon S3, Amazon RDS, and Amazon Aurora are on the AWS HIPAA Eligible Services Reference. You still must enable encryption, restrict access, and turn on logging for each one.

Does using AWS automatically make my app HIPAA compliant?

No. Eligible services and a signed BAA are necessary, not sufficient. Your configuration, policies, and a documented risk analysis determine whether your system is compliant.

Is AWS HIPAA certified?

There is no official HIPAA certification from HHS, so no provider is "HIPAA certified." AWS demonstrates its controls through independent audits such as SOC 2 and ISO 27001, but HIPAA itself has no government certification.

Recap: is AWS HIPAA compliant?

To recap, is AWS HIPAA compliant? AWS is HIPAA eligible, which is the foundation, not the finish. Sign the Business Associate Addendum, keep PHI inside the more than 160 HIPAA eligible services, and configure encryption, IAM access control, audit logging with six-year retention, and tested backups. Do that and you have a compliant system built on AWS. Skip any of it and you have eligible infrastructure that still falls short.


This article is general information, not legal advice. Regulatory details reflect the current HIPAA Security Rule (45 CFR Part 164) and the AWS HIPAA Eligible Services Reference as of June 2026; the eligible-services list changes, and the December 2024 Security Rule NPRM is not yet final. Confirm your specific obligations with qualified legal counsel.