Building healthcare applications isn't just about writing good code—it's about protecting some of the most sensitive data in existence. After implementing HIPAA-compliant systems for multiple healthcare providers, including our MedCore dental platform, we've learned what it takes to build secure, compliant healthcare applications on AWS.
This guide will walk you through the technical and administrative requirements for HIPAA compliance on AWS, with practical examples and implementation strategies.
Understanding HIPAA Requirements
HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
Important: HIPAA compliance is not just a technical challenge—it's a comprehensive program that includes administrative, physical, and technical safeguards. This guide focuses on the technical aspects, but you must also address administrative and physical requirements.
Key HIPAA Rules
- Privacy Rule: Standards for the use and disclosure of PHI
- Security Rule: Standards for protecting electronic PHI (ePHI)
- Breach Notification Rule: Requirements for notifying patients and authorities of breaches
- Enforcement Rule: Penalties for HIPAA violations
AWS Business Associate Agreement (BAA)
Before you can store or process PHI on AWS, you must have a Business Associate Agreement (BAA) in place. AWS offers a standard BAA that covers their HIPAA-eligible services.
Getting Your BAA: AWS customers can request a BAA through the AWS Artifact console. It's a self-service process that takes just a few minutes.
HIPAA-Eligible AWS Services
Not all AWS services are covered under the BAA. Here are the key HIPAA-eligible services we use:
| Category | Services |
|---|---|
| Compute | EC2, Lambda, Elastic Beanstalk, ECS, EKS, Fargate |
| Storage | S3, EBS, EFS, FSx, Backup |
| Database | RDS, DynamoDB, DocumentDB, Neptune, ElastiCache |
| Networking | VPC, Direct Connect, ELB, API Gateway, CloudFront |
| Analytics | Kinesis, Athena, QuickSight, OpenSearch |
| Security | CloudTrail, CloudWatch, GuardDuty, Security Hub, KMS |
Is a Specific AWS Service HIPAA-Eligible?
These are the services healthcare teams ask about most. Each of the following is on the AWS HIPAA Eligible Services list at the time of writing and is therefore covered by the BAA; the right-hand column is what you still have to configure yourself, because eligibility says nothing about how your deployment is set up:
| AWS Service | HIPAA-eligible under the BAA? | What you still have to do |
|---|---|---|
| Amazon EC2 | Yes | Encrypt EBS volumes; restrict access with security groups |
| AWS Lambda | Yes | Keep PHI out of plaintext logs; attach functions to a VPC when they reach PHI data stores |
| Amazon ECS / Fargate | Yes | Use encrypted task storage and private subnets |
| Amazon EKS | Yes | Private node groups, KMS-encrypted secrets, network policies |
| AWS Elastic Beanstalk | Yes | Encrypt the underlying EC2/EBS/RDS it provisions; force HTTPS |
| Amazon RDS | Yes | Encryption at rest (KMS) + TLS in transit; Multi-AZ backups |
| Amazon Aurora | Yes | Part of RDS — encrypt the cluster at creation; require TLS |
| Amazon DynamoDB | Yes | Encrypted at rest by default; use VPC endpoints + fine-grained IAM |
| Amazon DocumentDB | Yes | Encrypt clusters and enforce TLS |
| Amazon S3 | Yes | Default SSE-KMS encryption; block public access |
| Amazon EFS / FSx / EBS | Yes | Enable encryption at rest |
| Amazon API Gateway | Yes | Enforce TLS 1.2+; deny non-HTTPS requests |
| Amazon CloudFront | Yes | HTTPS-only viewer protocol policy; pair with AWS WAF |
| Amazon ElastiCache (Redis) | Yes | Enable encryption in transit and at rest |
Eligibility changes — always verify: AWS updates its HIPAA-eligible services list regularly. Confirm a service is on the current "AWS HIPAA Eligible Services Reference" before placing PHI on it, and make sure your BAA is active in AWS Artifact. Eligibility is necessary but not sufficient — a service being eligible does not make your deployment compliant. You are still responsible for encryption, access control, and audit logging.
Frequently Asked: HIPAA Eligibility by Service
Is Amazon RDS HIPAA-compliant / HIPAA-eligible? Yes. Amazon RDS — including the Aurora, PostgreSQL, MySQL, SQL Server, MariaDB, and Oracle engines — is HIPAA-eligible under the AWS BAA. Enable encryption at rest with KMS, enforce TLS for connections, and turn on automated backups and Multi-AZ for resilience.
Is Amazon Aurora HIPAA-eligible? Yes. Aurora runs under Amazon RDS, so it's covered by the same BAA. Encrypt the cluster at creation time — you can't enable encryption on an existing unencrypted cluster, so restore from an encrypted snapshot if needed — and require TLS for all connections.
Is AWS Lambda a HIPAA-eligible service? Yes. Lambda is covered under the BAA. Keep PHI out of plaintext CloudWatch logs, use a customer managed KMS key for environment variables (and keep secrets out of them where you can), and attach functions to a VPC when they access PHI data stores.
Is Amazon EKS HIPAA-eligible and covered by the BAA? Yes. EKS is HIPAA-eligible. Use private node groups, encrypt Kubernetes secrets with KMS, restrict the cluster API endpoint, and segment PHI workloads with network policies and namespaces.
Is AWS Elastic Beanstalk HIPAA-eligible? Yes. Beanstalk itself is eligible, but your compliance depends on the resources it provisions — make sure the underlying EC2 instances, EBS volumes, and RDS databases are encrypted and that load balancers enforce HTTPS.
Is Amazon DynamoDB HIPAA-eligible under a BAA? Yes. DynamoDB is eligible and encrypts data at rest by default. Use VPC endpoints to keep traffic off the public internet and apply fine-grained IAM access controls for PHI tables.
Technical Safeguards Implementation
The HIPAA Security Rule requires specific technical safeguards. Here's how we implement them on AWS:
1. Access Control
Implement strict access controls so that only authorized principals can reach PHI. The policy below grants read and write on the PHI bucket only from the corporate address range and only over TLS; any request that does not satisfy both conditions falls through to IAM's implicit deny:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::phi-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["10.0.0.0/8"]
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```

Two caveats. aws:SourceIp is the caller's public IP, and requests that reach S3 through a VPC endpoint do not carry it at all, so workloads inside your VPC need a separate statement conditioned on aws:SourceVpce (or aws:SourceVpc), otherwise this policy silently denies your own Lambda functions. And the statement covers object actions only; add s3:ListBucket on the bucket ARN itself if callers need to enumerate objects.
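To see how that policy actually decides, here is a small evaluator that runs the statement above against constructed request contexts, including the VPC-endpoint case where aws:SourceIp is absent. This is an added example, not code from the original article; it models only the subset of IAM semantics the policy uses (Allow/Deny, action and resource wildcards, the IpAddress and Bool operators, implicit deny) and is not a full IAM simulator. The IP addresses and object key are made up.

```python
"""Evaluate the PHI bucket policy against sample requests (added example, simplified IAM)."""
import fnmatch
import ipaddress
import json

# The article's policy, embedded so the example runs offline.
PHI_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::phi-bucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["10.0.0.0/8"]},
        "Bool": {"aws:SecureTransport": "true"}
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """True when every operator/key pair in the Condition block is satisfied by the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                # IAM treats a missing context key as "condition not met" for these operators.
                # Requests via an S3 VPC endpoint carry no aws:SourceIp, so they end up denied.
                return False
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr) for cidr in wanted):
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in [v.lower() for v in wanted]:
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request: explicit Deny wins, no matching statement is Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECT = "arn:aws:s3:::phi-bucket/patients/42/chart.json"  # constructed object ARN

# Constructed request contexts (not real traffic).
CORP_TLS = {"aws:SourceIp": "10.20.30.40", "aws:SecureTransport": "true"}
INTERNET_TLS = {"aws:SourceIp": "203.0.113.9", "aws:SecureTransport": "true"}
CORP_PLAINTEXT = {"aws:SourceIp": "10.20.30.40", "aws:SecureTransport": "false"}
VIA_VPC_ENDPOINT = {"aws:SourceVpce": "vpce-0123456789abcdef0", "aws:SecureTransport": "true"}

if __name__ == "__main__":
    cases = [("corp/TLS", CORP_TLS), ("internet/TLS", INTERNET_TLS),
             ("corp/plaintext", CORP_PLAINTEXT), ("vpc-endpoint", VIA_VPC_ENDPOINT)]
    for label, ctx in cases:
        print(f"{label:15} GetObject    -> {evaluate(PHI_POLICY, 's3:GetObject', OBJECT, ctx)}")
    print(f"{'corp/TLS':15} DeleteObject -> {evaluate(PHI_POLICY, 's3:DeleteObject', OBJECT, CORP_TLS)}")
```

The vpc-endpoint case is the one that bites in practice: a function in a private subnet using a gateway endpoint gets Deny from this policy even though it is inside 10.0.0.0/8, because the request never carries aws:SourceIp.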
2. Encryption at Rest
All PHI must be encrypted at rest. Set KMS-backed default encryption on the bucket so every object is encrypted even when the uploader does not ask for it:

```shell
# S3 bucket default encryption with a customer managed KMS key
aws s3api put-bucket-encryption \
  --bucket phi-data-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789:key/abc-123"
      }
    }]
  }'
```

Default encryption only covers new writes; verify existing objects with an S3 Inventory report that includes the encryption status, and apply the same customer managed key to RDS storage, EBS volumes and, often forgotten, database snapshots.
3. Encryption in Transit
Enforce TLS for every hop. API Gateway REST endpoints only accept HTTPS, so the resource policy below is a belt-and-braces guard rather than the control that turns plaintext off; the minimum protocol version (TLS 1.2) is set through the security policy on the API's custom domain name, and RDS and ElastiCache connections need TLS enforced on those services separately:

```typescript
// Enforce HTTPS on API Gateway (CDK, inside a Stack or Construct)
import { RestApi } from 'aws-cdk-lib/aws-apigateway';
import { AnyPrincipal, Effect, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';

const api = new RestApi(this, 'HealthcareAPI', {
  policy: new PolicyDocument({
    statements: [
      new PolicyStatement({
        effect: Effect.DENY,
        principals: [new AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['*'],
        conditions: {
          Bool: {
            'aws:SecureTransport': 'false'
          }
        }
      })
    ]
  })
});
```
4. Audit Controls
Implement comprehensive logging and monitoring:
CloudTrail Configuration:
- Create one multi-region (or organization) trail so every region is covered
- Deliver logs to a dedicated, access-restricted S3 bucket
- Enable S3 data events for PHI buckets (object-level GetObject/PutObject are not recorded by a management-events-only trail)
- Enable log file validation
- Encrypt CloudTrail logs with KMS
- Set up CloudWatch alerts for suspicious activity
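The "suspicious activity" alerts need concrete rules. Here is an added example (not code from the article) that runs a handful of detections over constructed CloudTrail records: audit-trail tampering, KMS key tampering, removal of guardrails on a PHI bucket, PHI object access from outside the trusted network, console logins without MFA, and any use of root credentials. The records are trimmed to the fields the rules read; the bucket name, trusted CIDR and rule set are assumptions, and the object-level S3 events only exist if data events are enabled on the trail.

```python
"""Detection rules over CloudTrail records for a PHI environment (added example)."""
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate/VPC range
PHI_BUCKETS = {"phi-data-bucket"}                          # assumed PHI bucket name
AUDIT_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KEY_TAMPER = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}
S3_GUARDRAIL_REMOVAL = {"DeleteBucketEncryption", "DeleteBucketPolicy",
                        "DeletePublicAccessBlock", "PutBucketAcl"}
PHI_DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject"}


def _from_trusted_network(record):
    src = record.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        # AWS services acting on your behalf log a service hostname instead of an IP.
        return src.endswith(".amazonaws.com")
    return any(ip in net for net in TRUSTED_NETWORKS)


def _bucket(record):
    return record.get("requestParameters", {}).get("bucketName")


def analyze(record):
    """Return (severity, rule, detail) tuples for one CloudTrail record; empty list if clean."""
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    identity = record.get("userIdentity", {})
    who = identity.get("arn", identity.get("type", "unknown"))
    findings = []
    if identity.get("type") == "Root":
        findings.append(("HIGH", "root-credentials-used", f"{name} by root"))
    if source == "cloudtrail.amazonaws.com" and name in AUDIT_TAMPER:
        findings.append(("CRITICAL", "audit-trail-tampering", f"{name} by {who}"))
    if source == "kms.amazonaws.com" and name in KEY_TAMPER:
        findings.append(("CRITICAL", "kms-key-tampering", f"{name} by {who}"))
    if source == "s3.amazonaws.com" and _bucket(record) in PHI_BUCKETS:
        if name in S3_GUARDRAIL_REMOVAL:
            findings.append(("HIGH", "phi-bucket-guardrail-removed", f"{name} on {_bucket(record)}"))
        if name in PHI_DATA_EVENTS and not _from_trusted_network(record):
            findings.append(("HIGH", "phi-access-from-untrusted-network",
                             f"{name} from {record.get('sourceIPAddress')} by {who}"))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append(("MEDIUM", "console-login-without-mfa", f"login by {who}"))
    return findings


def scan(records):
    """Flatten findings across a batch, keeping the eventID so an analyst can pull the full record."""
    return [{"eventID": r.get("eventID"), "severity": sev, "rule": rule, "detail": detail}
            for r in records for sev, rule, detail in analyze(r)]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.4.5.6",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/healthcare-api/lambda"},
     "requestParameters": {"bucketName": "phi-data-bucket", "key": "patients/42/chart.json"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "phi-data-bucket", "key": "patients/42/chart.json"}},
    {"eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "10.9.9.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {"name": "phi-trail"}},
    {"eventID": "e4", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/analyst"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e5", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "sourceIPAddress": "10.1.1.1", "userIdentity": {"type": "Root"},
     "requestParameters": {"keyId": "abc-123", "pendingWindowInDays": 7}},
    {"eventID": "e6", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
     "sourceIPAddress": "10.1.1.2",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/admin/alice"},
     "requestParameters": {"bucketName": "phi-data-bucket"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['eventID']}  {f['rule']}: {f['detail']}")
```

In production the same `analyze` function sits behind an EventBridge rule on CloudTrail events or runs over the delivered log files; the point is that each rule names the event source and event name it keys on, so a reviewer can map every alert back to a specific safeguard.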
5. Data Integrity
Ensure PHI cannot be improperly altered or destroyed:
- Enable S3 versioning for all PHI storage
- Implement MFA delete for critical data
- Use S3 Object Lock for immutable storage
- Regular automated backups with point-in-time recovery
Architecture Pattern: Secure Healthcare API
Here's a reference architecture we use for HIPAA-compliant APIs (our serverless best-practices guide covers the implementation details):

CloudFront (with WAF)
↓
API Gateway (Regional REST API; resource policy and WAF limit who can invoke it)
↓
Lambda Functions (in VPC)
↓
RDS (Encrypted, Multi-AZ)
↓
Backup & Audit Logs (S3)

Note that CloudFront cannot sit in front of a private REST API, because private endpoints are reachable only through a VPC endpoint. Use a Regional endpoint, and stop clients from bypassing CloudFront and WAF by having CloudFront add a secret origin header that a WAF rule on the API stage requires; API Gateway resource policies cannot inspect headers, so the resource policy is for source restrictions (aws:SourceIp, aws:SourceVpce), not for this check.
Security Best Practices
1. Network Isolation
Use VPCs to isolate your healthcare workloads:
- Private subnets for databases and application servers
- Public subnets only for load balancers
- NAT gateways for outbound internet access
- VPC endpoints for AWS service access
- Security groups with least privilege access
2. Key Management
Proper key management is critical for HIPAA compliance, and the key policy is where it goes wrong most often. A common mistake is to take the default "Enable IAM User Permissions" statement (account root, kms:*) and bolt a kms:ViaService condition onto it. That statement is what lets IAM policies in the account apply to the key at all, and administrative calls such as kms:PutKeyPolicy or kms:ScheduleKeyDeletion never arrive "via" S3 or RDS, so the condition leaves nobody able to manage the key afterwards. Separate administration from use instead (KeyAdministrator is a placeholder role name):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow key administration",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/KeyAdministrator"
      },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key only through RDS and S3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "rds.us-east-1.amazonaws.com",
            "s3.us-east-1.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

Administrators in the first statement have no direct kms:Decrypt, and application principals in the second can use the key only when S3 or RDS calls KMS on their behalf, never from a laptop. Require MFA in the KeyAdministrator role's trust policy, and alarm on kms:ScheduleKeyDeletion and kms:DisableKey in CloudTrail.
3. Incident Response
Prepare for potential security incidents:
Incident Response Checklist:
- Automated alerting for suspicious activities
- Documented incident response procedures
- Regular incident response drills
- Breach notification procedures
- Forensic analysis capabilities
Monitoring and Compliance
Continuous monitoring is essential for maintaining HIPAA compliance:
AWS Security Hub
Security Hub provides a comprehensive view of your security posture:
- Centralized security findings from GuardDuty, Macie, Inspector, Config and third-party tools
- Automated checks against the AWS Foundational Security Best Practices and NIST SP 800-53 standards; Security Hub ships no HIPAA-named standard, so map those controls to the Security Rule safeguards yourself and add the AWS Config "Operational Best Practices for HIPAA Security" conformance pack for a HIPAA-specific rule set
- Automated remediation workflows triggered from findings via EventBridge
Custom CloudWatch Dashboards
Create dashboards to monitor PHI access patterns:
```shell
# CloudWatch metric filter that counts PHI_ACCESS audit lines
aws logs put-metric-filter \
  --log-group-name /aws/lambda/healthcare-api \
  --filter-name PHIAccess \
  --filter-pattern '[time, request_id, event_type=PHI_ACCESS, ...]' \
  --metric-transformations \
    metricName=PHIAccessCount,metricNamespace=HIPAA/Compliance,metricValue=1
```
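That filter only counts lines your application actually writes, and the Lambda guidance earlier in this guide says those lines must not carry PHI. The following added example (not code from the article or the MedCore platform) does both halves: it emits one space-delimited audit line per PHI access in the shape `[time, request_id, event_type=PHI_ACCESS, ...]` expects, replacing the patient identifier with a keyed HMAC pseudonym and redacting free-text PHI fields, and it implements a minimal matcher for that CloudWatch space-delimited pattern syntax (positional fields, `name=value` equality, trailing `...`) so the filter can be tested offline. The HMAC key, field names and sample lines are constructed for the example.

```python
"""PHI-safe audit lines plus an offline matcher for the CloudWatch metric filter (added example)."""
import hashlib
import hmac
import time
import uuid

# Assumed: in production load this from Secrets Manager or KMS; never hard-code or log it.
PSEUDONYM_KEY = b"example-only-rotate-me"
# Assumed PHI field names that must never reach a log line in the clear.
PHI_FIELDS = {"patient_name", "dob", "ssn", "phone", "email", "address", "diagnosis"}
METRIC_FILTER = "[time, request_id, event_type=PHI_ACCESS, ...]"


def pseudonymize(patient_id):
    """Stable keyed pseudonym: lets you join accesses per patient without exposing the identifier."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(fields):
    """Return a copy of an event dict with PHI values replaced."""
    return {k: ("[REDACTED]" if k in PHI_FIELDS else v) for k, v in fields.items()}


def phi_access_line(actor, patient_id, resource, action, request_id=None, ts=None, extra=None):
    """Build '<time> <request_id> PHI_ACCESS k=v ...' with no raw PHI in it."""
    ts = ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    request_id = request_id or str(uuid.uuid4())
    kv = {"actor": actor, "action": action, "patient": pseudonymize(patient_id), "resource": resource}
    kv.update(scrub(extra or {}))
    # Values must contain no whitespace, otherwise the positional filter misaligns.
    tail = " ".join(f"{k}={str(v).replace(' ', '_')}" for k, v in kv.items())
    return f"{ts} {request_id} PHI_ACCESS {tail}"


def match_space_delimited(pattern, line):
    """Minimal CloudWatch space-delimited filter: '[a, b, c=VALUE, ...]' (equality only)."""
    spec = pattern.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("only bracketed space-delimited patterns are supported")
    fields = [f.strip() for f in spec[1:-1].split(",")]
    open_ended = fields[-1] == "..."
    if open_ended:
        fields = fields[:-1]
    tokens = line.split()
    if len(tokens) < len(fields) or (not open_ended and len(tokens) != len(fields)):
        return False
    for field, token in zip(fields, tokens):
        if "=" in field:
            _, expected = (part.strip() for part in field.split("=", 1))
            if token != expected:
                return False
    return True


def count_phi_access(lines, pattern=METRIC_FILTER):
    """What the PHIAccessCount metric would see for a batch of log lines."""
    return sum(1 for line in lines if match_space_delimited(pattern, line))


# Constructed sample log-group contents (not real logs).
SAMPLE_LOG = [
    "START RequestId: 7d1f2b3c-0000-4000-8000-000000000001 Version: $LATEST",
    phi_access_line("user:dr.smith", "patient-42", "s3://phi-data-bucket/patients/42/chart.json",
                    "read", request_id="7d1f2b3c-0000-4000-8000-000000000001",
                    ts="2024-05-01T12:00:00Z", extra={"patient_name": "Jane Doe", "clinic": "north"}),
    "2024-05-01T12:00:01Z 7d1f2b3c-0000-4000-8000-000000000001 INFO cache warm",
    phi_access_line("role:billing-batch", "patient-42", "rds://medcore/claims", "write",
                    request_id="7d1f2b3c-0000-4000-8000-000000000002", ts="2024-05-01T12:00:05Z"),
    "END RequestId: 7d1f2b3c-0000-4000-8000-000000000001",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(("MATCH " if match_space_delimited(METRIC_FILTER, line) else "      ") + line)
    print("PHIAccessCount =", count_phi_access(SAMPLE_LOG))
```

Keep the audit record (who, what, which pseudonymous patient, when) in the log and keep the identity mapping in the database: if a breach investigation needs the real patient list, you resolve the pseudonyms with the key, while a leaked log group on its own discloses nothing the Breach Notification Rule would count.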
Common Pitfalls to Avoid
Critical Mistakes:
- Using non-HIPAA-eligible services for PHI processing
- Storing PHI in CloudWatch Logs without encryption
- Forgetting to encrypt database snapshots
- Not implementing proper backup and recovery procedures
- Inadequate access logging and monitoring
Cost Considerations
HIPAA compliance does add some costs, but they're manageable:
- Encryption: KMS costs ~$1/month per key + usage
- Logging: CloudTrail and S3 storage ~$50-200/month
- Monitoring: CloudWatch and Security Hub ~$100-500/month
- Backups: Automated backups ~$100-1000/month depending on data size
Total additional cost for HIPAA compliance: typically 15-25% over non-compliant infrastructure.
Real-World Implementation: MedCore Platform
In our MedCore dental platform, we implemented these HIPAA safeguards:
MedCore HIPAA Implementation:
- All patient data encrypted with AES-256
- Audit logs for every data access
- Role-based access control with MFA
- Automated backups every 6 hours
- 99.99% uptime with multi-region failover
- HIPAA compliance validated by third-party auditor
Compliance Checklist
HIPAA Technical Safeguards Checklist:
- Business Associate Agreement with AWS
- Access control with unique user identification
- Automatic logoff after inactivity
- Encryption at rest for all PHI
- Encryption in transit (TLS 1.2+)
- Audit logs for all PHI access
- Integrity controls for PHI
- Secure data transmission
- Regular risk assessments
- Incident response plan
- Business continuity plan
- Regular security training
Conclusion
Building HIPAA-compliant applications on AWS is complex but achievable. The key is to:
- Start with security and compliance in mind from day one
- Use only HIPAA-eligible AWS services covered by the BAA
- Implement comprehensive encryption, access control, and audit logging
- Regularly review and update your security posture
- Document everything for compliance audits
Remember: HIPAA compliance is not a one-time achievement but an ongoing commitment to protecting patient data. Whether you're in San Francisco, Los Angeles, or anywhere else, we can help you build compliant healthcare solutions.