AWS – HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient data. HIPAA defines a number of safeguards for PHI (Protected Health Information) to ensure that this sensitive information is protected and secured, which is crucial for the healthcare industry.

AWS is a secure cloud service platform. It offers computing power, database storage, content delivery and other functionality to help businesses scale. We can use AWS to build applications that are HIPAA compliant. Any AWS service can be used in a healthcare application, but only the services covered by the BAA (Business Associate Agreement) may be used to store, process and transmit PHI as defined by HIPAA. AWS offers a comprehensive set of features and services that make key management and encryption of PHI easy to manage and simpler to audit. AWS KMS (Key Management Service) can be used to manage and encrypt the keys used to encrypt PHI on AWS.

AWS – HIPAA Eligible Services

AWS ensures that HIPAA eligible services support the security, control and administrative processes required under HIPAA. All of the services listed below are HIPAA eligible, but AWS requires customers to encrypt any PHI stored in or transmitted using HIPAA eligible services. Data should be encrypted both in transit and at rest.

The following AWS Services are HIPAA Eligible:

  • Elastic Block Store (EBS) Volumes
  • RDS (Oracle, PostgreSQL, Aurora, MySQL etc.)
  • DynamoDB
  • Elastic Compute Cloud (EC2)
  • Elastic Load Balancer (ELB)
  • Glacier
  • Redshift
  • Simple Storage Service (S3)
  • AWS Import/Export – Snowball
  • SQS
  • EMR
  • Data Migration Service
  • Direct Connect
  • VPC
  • Web Application Firewall (WAF)

The HIPAA Security Rule also requires in-depth auditing capabilities, data backup procedures and disaster recovery mechanisms. AWS services contain many features that help customers address these requirements.

Customers should enable auditing using AWS CloudWatch, AWS CloudTrail etc. so that security analysts can examine detailed activity logs to see who made which changes to security, storage, compute and other resources, and so that all activity related to the use of and access to PHI is recorded and retained.
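To turn the two requirements above (PHI encrypted at rest, API activity recorded by CloudTrail) into a repeatable check, here is an added example that is not part of the original post. It evaluates resource descriptions in the shapes boto3 returns from describe_volumes, describe_db_instances, get_bucket_encryption and describe_trails; the sample data is constructed and the caller is assumed to have fetched the real responses with boto3. Encryption in transit is not covered here.

```python
"""Audit PHI stores (EBS, RDS, S3) for encryption at rest and check that a
CloudTrail trail records API activity. Inputs mirror boto3 response shapes;
the sample data at the bottom is constructed, not from a real account."""

def audit_ebs(volumes):
    """Flag unencrypted EBS volumes (describe_volumes()['Volumes'])."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted")]

def audit_rds(instances):
    """Flag RDS instances without storage encryption (['DBInstances'])."""
    return [d["DBInstanceIdentifier"] for d in instances
            if not d.get("StorageEncrypted")]

def audit_s3(bucket_encryption):
    """bucket_encryption maps bucket name -> get_bucket_encryption response,
    or None if the call raised ServerSideEncryptionConfigurationNotFoundError.
    Flags buckets that have no default server-side encryption at all."""
    findings = []
    for name, cfg in bucket_encryption.items():
        rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
            findings.append(name)
    return findings

def audit_cloudtrail(trails):
    """Require one multi-region trail with log file validation, so API calls
    touching PHI are recorded everywhere and the logs are tamper-evident."""
    return any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
               for t in trails)

def hipaa_findings(volumes, instances, bucket_encryption, trails):
    """Return only the checks that failed, keyed by check name."""
    findings = {"ebs_unencrypted": audit_ebs(volumes),
                "rds_unencrypted": audit_rds(instances),
                "s3_no_default_sse": audit_s3(bucket_encryption)}
    if not audit_cloudtrail(trails):
        findings["cloudtrail"] = ["no multi-region trail with log validation"]
    return {k: v for k, v in findings.items() if v}

# Constructed sample responses (placeholder IDs, not a real account)
SAMPLE_VOLUMES = [{"VolumeId": "vol-aaa", "Encrypted": True, "KmsKeyId": "KMS-KEY-ARN-PLACEHOLDER"},
                  {"VolumeId": "vol-bbb", "Encrypted": False}]
SAMPLE_RDS = [{"DBInstanceIdentifier": "phi-db", "StorageEncrypted": True}]
SAMPLE_S3 = {"phi-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
                 {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
             "logs-bucket": None}
SAMPLE_TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}]

if __name__ == "__main__":
    print(hipaa_findings(SAMPLE_VOLUMES, SAMPLE_RDS, SAMPLE_S3, SAMPLE_TRAILS))
```

Run against real responses, an empty result means every PHI store checked is encrypted at rest and a multi-region trail is recording activity.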


Creating and maintaining HIPAA compliance is an ongoing process. AWS will keep adding services to the list of HIPAA eligible services. We should avoid using non-eligible services for PHI and make sure PHI is secured by encrypting the data both in transit and at rest.


