HIPAA & BAA · Cloud infrastructure
Is Amazon Web Services (AWS) HIPAA compliant?
Yes, with conditions. AWS offers a self-service Business Associate Addendum (BAA) through AWS Artifact at no extra cost. Once accepted, the account becomes a "HIPAA Account", but PHI may only be stored or processed in HIPAA-Eligible Services configured with the security settings the BAA requires.
Key facts
- BAA available: Yes (self-service acceptance in AWS Artifact; no separate signature process)
- What it takes: Available at no extra charge to all commercial AWS accounts; accept the BAA self-service via AWS Artifact, per account or organization-wide through AWS Organizations. PHI must be limited to HIPAA-Eligible Services with the required security configurations.
- Official source: AWS — HIPAA Compliance — https://aws.amazon.com/compliance/hipaa-compliance/ (verified 2026-06)
How to use Amazon Web Services (AWS) in a HIPAA-compliant way
- Sign in to the AWS Console, open AWS Artifact, then review and accept the AWS Business Associate Addendum (optionally organization-wide via AWS Organizations).
- Restrict PHI storage and processing to AWS HIPAA-Eligible Services, as listed on the HIPAA Eligible Services Reference page; re-check the list whenever a new service is added to a PHI workload.
- Apply the required configurations: encrypt PHI at rest and in transit, manage keys in AWS KMS, and enforce least-privilege IAM policies on every principal that can reach PHI.
- Enable AWS CloudTrail for API activity and CloudWatch Logs and alarms for monitoring, and retain the logs for audit.
- Complete your own HIPAA risk assessment and document the architecture, including which services hold PHI.
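The encryption step above is the one most often left half-done: a KMS key exists, but nothing stops a client from uploading PHI in cleartext or over plain HTTP. The script below is an added example, not AWS code or part of this page's original content. It audits an S3 bucket policy and the bucket's default-encryption configuration for three controls: a Deny on `aws:SecureTransport=false` (in-transit), a Deny on `s3:PutObject` without `s3:x-amz-server-side-encryption=aws:kms` (at-rest, enforced at upload), and a default SSE-KMS rule. The condition keys are real IAM/S3 keys; the bucket name `phi-bucket`, the account ID and the key alias `alias/phi-data` are constructed placeholders. The two policy documents and two encryption configurations are constructed so the check runs offline; with real data you would feed it the parsed `Policy` string from `get_bucket_policy` and the `ServerSideEncryptionConfiguration` from `get_bucket_encryption`.

```python
"""Audit an S3 bucket's policy and default encryption for the TLS-only and
SSE-KMS controls. Added example, not AWS code; all inputs are constructed."""
import json
from typing import Any, Dict, List

BUCKET_ARN = "arn:aws:s3:::phi-bucket"  # hypothetical bucket

# Constructed hardened policy: both Deny statements are real IAM patterns.
HARDENED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject every request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject uploads that do not request SSE-KMS.
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

# Constructed weak policy: grants access, enforces nothing about transport or keys.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountAccess", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # hypothetical account
        "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Shape of ServerSideEncryptionConfiguration as returned by get_bucket_encryption.
HARDENED_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-data"}}]}  # hypothetical alias
WEAK_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _deny_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Deny"]


def _covers_action(statement: Dict[str, Any], action: str) -> bool:
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return "s3:*" in actions or "*" in actions or action.lower() in actions


def has_tls_only_deny(policy: Dict[str, Any]) -> bool:
    """True if a Deny statement rejects all S3 calls when aws:SecureTransport is false."""
    for s in _deny_statements(policy):
        flag = _as_list(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
        if _covers_action(s, "s3:*") and any(str(v).lower() == "false" for v in flag):
            return True
    return False


def has_kms_upload_deny(policy: Dict[str, Any]) -> bool:
    """True if a Deny statement blocks s3:PutObject unless SSE-KMS was requested."""
    for s in _deny_statements(policy):
        cond = s.get("Condition", {}).get("StringNotEquals", {})
        algos = _as_list(cond.get("s3:x-amz-server-side-encryption"))
        if _covers_action(s, "s3:PutObject") and "aws:kms" in algos:
            return True
    return False


def default_encryption_is_kms(config: Dict[str, Any]) -> bool:
    """True if the default encryption rule selects SSE-KMS with an explicit key."""
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return True
    return False


def audit_bucket(policy: Dict[str, Any], encryption: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means all three controls are present."""
    findings = []
    if not has_tls_only_deny(policy):
        findings.append("no Deny on aws:SecureTransport=false: PHI may move in cleartext")
    if not has_kms_upload_deny(policy):
        findings.append("uploads without s3:x-amz-server-side-encryption=aws:kms are allowed")
    if not default_encryption_is_kms(encryption):
        findings.append("default encryption is not SSE-KMS with an explicit key")
    return findings


if __name__ == "__main__":
    for name, pol, enc in (("hardened", HARDENED_POLICY, HARDENED_ENCRYPTION),
                           ("weak", WEAK_POLICY, WEAK_ENCRYPTION)):
        print(name, json.dumps(audit_bucket(pol, enc), indent=2))
```

The weak configuration still encrypts new objects at rest (S3 applies SSE-S3 by default), so the finding is about key control, not the absence of encryption: with SSE-KMS and your own key, CloudTrail records every decrypt and a key policy can restrict which principals can read PHI at all. The upload-time Deny matters because default encryption only fills in a missing header; it does not reject an upload that explicitly requests a weaker algorithm. Keep the two Deny statements even when default encryption is set.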
Important caveats
- Only HIPAA-Eligible Services may handle PHI; using non-eligible services with PHI falls outside the BAA.
- The BAA requires the specified security configurations (e.g., encryption) — accepting it does not auto-secure resources.
- AWS operates under a shared-responsibility model; customer-side controls and safeguards remain your responsibility.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Amazon Web Services (AWS) correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Amazon Web Services (AWS).
Frequently asked questions
Does Amazon Web Services (AWS) sign a BAA?
Yes. The BAA is available at no extra charge to all commercial AWS accounts and is accepted self-service via AWS Artifact, per account or organization-wide. Accept it before any PHI enters the account, and keep PHI within HIPAA-Eligible Services with the required security configurations.
Is Amazon Web Services (AWS) HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Amazon Web Services (AWS) offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Amazon Web Services (AWS) with PHI?
Confirm that the BAA has been accepted for the account (or organization), that every service in the PHI data path is on the HIPAA-Eligible Services list, and that the required configurations (encryption at rest and in transit, least-privilege IAM, CloudTrail and CloudWatch logging) are in place. Only HIPAA-Eligible Services may handle PHI; using a non-eligible service with PHI falls outside the BAA.