Skip to main content
Back to guides
Cloud Architectureintermediate

HIPAA-Compliant Cloud Architecture on AWS

A practical guide to designing and deploying healthcare applications on AWS while meeting HIPAA requirements.

AWSHIPAAHealthcareSecurity

Building healthcare applications requires careful attention to regulatory requirements. This guide walks through the key architectural decisions for deploying HIPAA-compliant workloads on AWS.

Understanding the Shared Responsibility Model

AWS provides HIPAA-eligible services, but compliance is a shared responsibility. AWS secures the infrastructure; you're responsible for how you configure and use it.

What AWS Handles

  • Physical security of data centers
  • Network infrastructure security
  • Hypervisor and host OS security
  • Service-level encryption options

What You Handle

  • Data encryption in transit and at rest
  • Access control and IAM policies
  • Audit logging and monitoring
  • Application-level security

Core Architecture Components

1. Network Isolation

Start with a VPC designed for healthcare workloads:

VPC (10.0.0.0/16)
├── Public Subnets (ALB, NAT Gateway)
├── Private Subnets (Application tier)
└── Isolated Subnets (Database tier)

Key considerations:

  • No direct internet access for resources handling PHI
  • Use VPC endpoints for AWS services
  • Enable VPC Flow Logs for network monitoring

2. Encryption Everywhere

At Rest:

  • Use AWS KMS with customer-managed keys
  • Enable default encryption on S3, EBS, RDS
  • Consider client-side encryption for highly sensitive data

In Transit:

  • TLS 1.2+ for all connections
  • Use ACM for certificate management
  • Enable HTTPS-only on CloudFront and ALB

3. Access Control

Implement least-privilege access:

  • Use IAM roles, not long-lived credentials
  • Enable MFA for all human access
  • Implement attribute-based access control (ABAC) where possible
  • Regular access reviews and credential rotation

4. Audit Logging

You must be able to demonstrate who accessed what, when:

  • CloudTrail — API activity logging
  • Config — Resource configuration history
  • GuardDuty — Threat detection
  • Application logs — Shipped to CloudWatch or a SIEM

Retain logs for a minimum of 6 years (HIPAA requirement).

BAA Requirements

Before handling PHI on AWS, you must have a Business Associate Agreement in place. This is available through AWS Artifact for qualifying accounts.

Only use services covered under the BAA for PHI workloads. Check the AWS HIPAA Eligible Services list.

Common Pitfalls

  1. Using non-eligible services — Not all AWS services are HIPAA-eligible
  2. Insufficient logging — You need comprehensive audit trails
  3. Overly permissive IAM — Start with zero access and add permissions as needed
  4. Neglecting backups — Test your disaster recovery regularly

Next Steps

This guide covers the foundational architecture. For specific implementation guidance, consider:

Need help with your healthcare cloud architecture? Let's talk.