AWS HIPAA compliance checklist for modern healthtechs

by Ned Hallett
As Digital Marketing Manager and JAM’s primary pair of lungs, I provide the JAM-y take on the ever-evolving worlds of DevOps, SaaS, MACH - and acronyms yet to be coined.
Published on February 2025

It’s 2025, and healthtechs require an up-to-date guide on all the steps to ensuring HIPAA compliance on AWS. In this piece, we’ll be covering the guidelines laid out by HIPAA as well as what that looks like on AWS.

There’s a lot to cover. So let’s just jump into it.

1. Understand AWS’s HIPAA-compliance responsibilities

This may seem basic. But it pays to grasp the fundamentals. There are many articles titled ‘Is AWS HIPAA compliant?’ But this is the wrong question. 

AWS is a HIPAA-eligible platform that uses its own Shared Responsibility Model to split requirements between you – the customer – and AWS – the platform.

Understanding this model

This is a general framework AWS uses to help customers understand where their security responsibilities begin and end. It applies across security frameworks generally, and HIPAA is covered by it too. 

AWS splits the responsibility thus:

For AWS: the security of the cloud

  • AWS ensures infrastructure meets regulatory requirements, including physical security, operational controls, and certifications like ISO 27001 and SOC 2, which support HIPAA compliance
  • AWS provides HIPAA-eligible services, such as S3, RDS, and EC2, but customers must configure these services to meet HIPAA’s specific requirements. This really means AWS have tested and ensured it’s possible to encrypt PHI (protected health information) to a HIPAA-compliant standard on, say, RDS, but it’s up to you to do it

For the customer: the security of everything else 

  • The customer is responsible for everything else that makes up this checklist: configuring services, encryption, managing IAM tools, applying OS and application patches, monitoring activity, and securing data backups. In short, AWS provides some HIPAA-eligible building blocks, and the rest is up to you

2. Sign your BAA and manage it alongside non-HIPAA security documents in AWS Artifact

To get the above in writing, Amazon offers a BAA (business associate agreement), which, once signed, holds them accountable for their responsibilities and you responsible for yours.

These agreements were formulated specifically for companies handling ePHI (electronic protected health information) and working with EHR (electronic health records) systems, so healthtech companies, insurance providers dealing with claims, and hospitals and other facilities all fall into this category.

These agreements are boilerplate and do not change.

What this looks like on AWS

You can manage your BAA and other security documentation (e.g. SOC, ISO and PCI DSS) through AWS Artifact, a self-service portal for compliance documentation.

Artifact can also be leveraged to track continuous compliance. Now you’ve understood what AWS is responsible for, the legal basis for that split, and what you need to do – it’s time to look at how you do it.

3. Implement HIPAA-compliant access controls

HIPAA’s access control requirements are always evolving, with MFA moving from highly advised to mandatory in 2024. Below are the contemporary standards for HIPAA compliance access controls. Read ’em while they’re hot.

RBAC (role-based access controls) guidelines

HIPAA emphasises granular, frequently audited and dynamically updated role-based permissions. In practice, that means:

  • Roles defined by task, not level, e.g. ‘Diagnostician’ rather than ‘Super Admin’
  • Frequent audits
  • Dynamic adjustment of RBAC as roles change, i.e. no lag between hirings, firings and RBAC updates
  • Following the principle of least privilege

To achieve this, you or your MSP (Managed Service Provider) will likely implement a range of AWS services, such as AWS IAM, to conduct semi-automated audits and adjustments. There’ll be some trade-offs between how stringent your checks are and how easy access is for your users.
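As an added illustration (not part of the original article), here is a small Python linter that flags the anti-patterns above in an IAM policy document: wildcard actions or resources, service-wide actions, and Allow statements that don’t require MFA. The policy syntax and the aws:MultiFactorAuthPresent condition key are real IAM features; the two sample policies and the bucket ARN are constructed.

```python
"""Least-privilege linter for IAM policy documents."""
import json

# Real IAM global condition key: true when the caller authenticated with MFA
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return findings for one policy; an empty list means no issue was found."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        for a in actions:
            if a != "*" and a.endswith(":*"):  # e.g. 's3:*' is a whole service, not a task
                findings.append(f"statement {i}: service-wide action {a!r}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' is not scoped to the PHI store")
        condition = stmt.get("Condition", {})
        if not any(MFA_KEY in keys for keys in condition.values()):
            findings.append(f"statement {i}: no {MFA_KEY} condition")
    return findings


# Constructed samples: a 'Super Admin' policy versus a task-scoped 'Diagnostician' one
SUPER_ADMIN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
DIAGNOSTICIAN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-phi-bucket/imaging/*",  # placeholder ARN
        "Condition": {"Bool": {MFA_KEY: "true"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("super-admin", SUPER_ADMIN), ("diagnostician", DIAGNOSTICIAN)):
        print(name, lint_policy(doc) or ["no findings"])
```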

Authentication guidelines

Today’s guidelines and requirements focus on:

  • MFA (multifactor authentication), which is now mandatory
  • Strong password policies
  • Automated credential expiration and rotation
  • SSO (single sign-on) policies

You or your MSP will use tools like AWS Secrets Manager to configure a compliant rotation of passwords, access keys and other sensitive login-based data.

SSO allows all of that authentication to be applied, and audited, easily and consistently – as it’s all managed centrally.

Monitoring and auditing

To keep up with current HIPAA regulations, you’ll need to ensure continuous monitoring and auditing of all access activity and access policies.

The emphasis here is on continuous, which is now mandatory. Essentially, HIPAA compliance in this context means:

  • Logging of all access events (API calls, sign-ins)
  • Real-time monitoring and alerts on unusual activity, e.g. multiple failed login attempts
  • Proactive remediation, e.g. removing a user’s permissions in the event of repeated failed login attempts and notifying the relevant staff
  • Thorough auditing: who accessed PHI resources, what they did and when; changes to access control policies and user permissions; anomalous access patterns; and the logging itself, i.e. auditing that the events above are actually being recorded, since that is what makes the rest of this list auditable
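To make the ‘multiple failed login attempts’ alert concrete, here is an added Python example (not from the original article) that runs a per-user sliding window over CloudTrail ConsoleLogin records and raises an alert when a user crosses the failure threshold. The field names match CloudTrail’s ConsoleLogin event; the events, the threshold of five failures and the ten-minute window are constructed for illustration.

```python
"""Failed-sign-in detector over CloudTrail ConsoleLogin events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures within WINDOW that raise an alert (constructed)
WINDOW = timedelta(minutes=10)  # sliding window per user (constructed)


def _ts(event) -> datetime:
    # CloudTrail eventTime is ISO 8601 in UTC, e.g. 2025-02-01T09:07:00Z
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_logins(events, threshold=THRESHOLD, window=WINDOW):
    """Return (userName, eventTime, failure_count) when a user crosses the threshold."""
    recent = defaultdict(deque)  # userName -> times of recent failures
    alerts = []
    for ev in sorted(events, key=_ts):  # records may arrive out of order
        if ev.get("eventName") != "ConsoleLogin":
            continue
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        when = _ts(ev)
        if ev.get("responseElements", {}).get("ConsoleLogin") == "Success":
            recent[user].clear()  # a successful sign-in resets that user's window
            continue
        window_q = recent[user]
        window_q.append(when)
        while when - window_q[0] > window:  # evict failures older than the window
            window_q.popleft()
        if len(window_q) == threshold:      # alert once, when the threshold is crossed
            alerts.append((user, when, len(window_q)))
    return alerts


def _login(user, minute, outcome):
    # Build a constructed, minimal CloudTrail ConsoleLogin record
    return {
        "eventName": "ConsoleLogin",
        "eventTime": f"2025-02-01T09:{minute:02d}:00Z",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed sample: six failures for one user in nine minutes; one failure then success for another
SAMPLE_EVENTS = [_login("clinician-a", m, "Failure") for m in (1, 2, 3, 5, 7, 9)]
SAMPLE_EVENTS += [_login("clinician-b", 4, "Failure"), _login("clinician-b", 6, "Success")]

if __name__ == "__main__":
    for user, when, count in detect_failed_logins(SAMPLE_EVENTS):
        print(f"ALERT {when:%H:%M}Z {user}: {count} failed sign-ins; review and consider suspending access")
```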

What this looks like on AWS

You or your MSP will use tools like Amazon GuardDuty, Amazon CloudWatch and AWS Config to build a proper monitoring and auditing policy set that complies with HIPAA regulations.

The thinking part (done by you or your MSP) comes into play around the sliding scale between compliance redundancy (e.g. we’re definitely compliant even if X, Y and Z break) and compliant operational efficiency (e.g. this costs a lot of money and those three things are never going to break simultaneously).

4. Attain HIPAA-compliant data encryption at transmission and rest

Unsurprisingly, encryption of PHI is pretty high up on the list when it comes to making your AWS cloud HIPAA compliant.

Essentially, you must encrypt data both at rest and in transit, and, as you will see is a feature of these more technical sections, the ability to monitor and audit your efforts at securing patient data is just as important as the measures themselves. 

Data encryption at rest

To secure data at rest you must:

  • Only store data in HIPAA-eligible AWS services (AWS publishes a full list)
  • Implement client-side encryption using HIPAA-compliant algorithms like AES-256
  • Store keys properly, i.e. so they’re secure, centrally managed and auditable while being expired and rotated
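The encryption and key-management points above can be checked automatically. This added Python example (not from the original article) evaluates a constructed inventory of RDS instances and S3 buckets, both HIPAA-eligible services, for storage that is encrypted, encrypted with a customer-managed KMS key you track, and whose key has automatic rotation enabled. Record shapes follow rds:DescribeDBInstances, s3:GetBucketEncryption and kms:GetKeyRotationStatus; the ARNs and resource names are placeholders.

```python
def _key_findings(key, key_rotation):
    """The key must be a tracked customer-managed KMS key with automatic rotation on."""
    if key is None or key not in key_rotation:
        return [f"key {key!r} is not a tracked customer-managed key"]
    if not key_rotation[key]:
        return ["automatic key rotation is disabled"]
    return []


def check_at_rest(db_instances, buckets, key_rotation):
    """Map each resource name to its findings (empty = compliant).
    Inputs mirror rds:DescribeDBInstances, s3:GetBucketEncryption and kms:GetKeyRotationStatus."""
    report = {}
    for db in db_instances:
        findings = []
        if not db.get("StorageEncrypted"):
            findings.append("storage is not encrypted")
        else:
            findings += _key_findings(db.get("KmsKeyId"), key_rotation)
        report[db["DBInstanceIdentifier"]] = findings
    for name, cfg in buckets.items():
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        findings = [] if rules else ["no default bucket encryption"]
        for rule in rules:
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            # SSE-S3 ('AES256') encrypts, but its keys are not yours to audit or rotate via KMS
            if default.get("SSEAlgorithm") != "aws:kms":
                findings.append(f"default SSE is {default.get('SSEAlgorithm')!r}, not aws:kms")
            else:
                findings += _key_findings(default.get("KMSMasterKeyID"), key_rotation)
        report[name] = findings
    return report


# Constructed inventory; 111122223333 is the placeholder account id used in AWS documentation
ROTATED = "arn:aws:kms:us-east-1:111122223333:key/placeholder-rotated-key"
STATIC = "arn:aws:kms:us-east-1:111122223333:key/placeholder-static-key"
KEY_ROTATION = {ROTATED: True, STATIC: False}
DB_INSTANCES = [
    {"DBInstanceIdentifier": "phi-prod", "StorageEncrypted": True, "KmsKeyId": ROTATED},
    {"DBInstanceIdentifier": "phi-legacy", "StorageEncrypted": False},
]
BUCKETS = {
    "phi-imaging": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": STATIC}}]}},
    "phi-exports": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
}

if __name__ == "__main__":
    for resource, findings in check_at_rest(DB_INSTANCES, BUCKETS, KEY_ROTATION).items():
        print(resource, findings or ["compliant"])
```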

What this looks like on AWS

You or your MSP will use a combination of databases, AWS KMS and/or a hardware security module (HSM) to properly store, encrypt and manage keys.

Again, the trick is to balance performance and cost with compliance and/or to outsource/learn the skills that can place a finger on the scale without raising the other side.

For example, strong compliance will mean a very high frequency of API calls between KMS and RDS to ensure each key is encrypted with minimal exposure. A tech-savvy, healthcare-focused MSP will implement a caching layer to store frequently accessed and decrypted data to keep costs down.

Data encryption in transit

To secure data in transit you must:

  • Encrypt data in transit (no kidding); HIPAA does not specify the nature of this encryption in great detail, but you can ensure you’re in good company by using TLS 1.2 or higher, in line with NIST guidance
  • Protect internal transfers end to end via encrypted tunnels
  • Ensure data is encrypted when it is travelling around your own AWS infrastructure

What this looks like on AWS

You or your MSP will configure encryption on whichever HIPAA-eligible AWS databases you have selected. You’ll also use tools like AWS KMS and AWS Config to rotate keys and continuously validate server-side encryption.

This sits low to moderate on the difficulty scale; at-rest encryption requires a few more considerations.

Monitoring and auditing

As in the case of authentication, monitoring and auditing of data encryption requires continuous observation. You’ll be required to:

  • Automatically detect misconfigured resources
  • Monitor and log key usage
  • Monitor certificate-secured data transfers and the certificates they rely on
  • Set up real-time alerts for instant incident management

What this looks like on AWS

You or your MSP will use tools like AWS Config, AWS CloudTrail, AWS Security Hub, and AWS Certificate Manager to monitor encryption compliance, track key and certificate usage, and set up real-time alerts for deviations.

5. Backup, DRP (disaster recovery planning) and AWS HIPAA compliance

To ensure HIPAA compliance, healthcare providers are required to regularly back up protected health information, have a disaster and emergency operation plan, and last but not least, monitor and audit.

As in other sections, HIPAA may not explicitly require the below, but by following these tips you’ll be colouring well within the lines.

Data backups

For HIPAA-compliant data backups, you should:

  • Have redundancy (the 3-2-1 backup strategy should be enough to guarantee compliance)
  • Be able to retrieve exact copies
  • Encrypt your backed-up data (see section 4)
  • Regulate access to your backups (see section 3)

What this looks like on AWS

You or your MSP will store your data across multiple AWS HIPAA-eligible services representing different storage mediums, e.g. object storage in S3 and block storage in EBS. You’ll also store data in different AWS Regions to ensure compliance with 3-2-1.

Previous points apply to encryption and access.

The strategic decisions you or your MSP take will focus on things like the frequency of backups and the extent of their redundancy vs cost.

Disaster recovery

When implementing HIPAA rules around disaster recovery planning (DRP), you should:

  • Define an acceptable RTO (recovery time objective, i.e. the amount of time a healthcare system can be down) and RPO (recovery point objective, i.e. how many hours of sensitive data it’s acceptable to lose)
  • Document and test your procedures
  • Have a robust failover mechanism in place
  • Have an incident management/emergency operation plan in place

What this looks like on AWS

You or your MSP will use tools like AWS Elastic Disaster Recovery (DRS) to replicate workloads and quickly recover systems. AWS databases also have configurable backup options.

When it comes to working with a partner, an MSP who’s cut their teeth in healthcare (though perhaps not dentistry) can take on a lot of the complexity here.

DRP strategy, documentation and the definition and enforcement of RTOs and RPOs are more involved than some other elements of this list, and many healthcare organisations work with specialists to achieve HIPAA compliance.

Monitoring and auditing

To monitor and audit your DRP and backup processes you’ll need to:

  • Regularly verify that all backups are complete, encrypted, and retrievable
  • Monitor backup processes and recovery workflows in real time
  • Audit recovery events to confirm RTO and RPO objectives are met, and document any deviations or process improvements

What this looks like on AWS

You or your MSP will use AWS Backup to automate backup scheduling and ensure data is encrypted and retrievable. Tools like AWS CloudWatch and CloudTrail monitor workflows in real-time, while AWS Backup Audit Manager ensures recovery processes meet RTO and RPO targets.

This is moderately complex to set up, with trade-offs around balancing the frequency and redundancy of backups against cost/operational efficiency.

A note on AI and HIPAA compliance on AWS

From SaaS-based healthtechs to frontline providers, AI has opened up huge opportunities to extract value from health-related data. 

We’re sure we don’t need to tell you. However, if you’re reading this piece, we do have to tell you:

How to integrate AI into HIPAA-compliant AWS environments: 3 key principles

Define your organisation’s AI governance and compliance framework 

The first and key principle is to make AI part of your overall compliance posture. Begin by establishing HIPAA-compliant policies for AI usage, then go on to automate and enforce those policies using tools like AWS Config. 

Conduct audits of your policies as you would elsewhere. Many of these policies will relate to points already covered, such as encryption, but below are two more AI-specific tactics.

Minimise PHI exposure with de-identified and synthetic data 

You may want to use ePHI to train AI models. However, to stay compliant, you’ll need to limit exposure. 

To do this you can:

  • Use Amazon Comprehend Medical to de-identify data 
  • Use Amazon SageMaker to create and/or train on synthetic data 

Using one or a combination allows you to train AI models on de-identified data, synthetic data, or synthetic data extrapolated from de-identified data.

Prevent unintended access and outputs by AI models 

Because of their semi-autonomous nature, AIs present a unique risk in terms of access and output. In short, they can access data they shouldn’t and even reconstruct partial ePHI from de-identified data. 

To prevent this you can:

  • Use AWS IAM and tools like GuardDuty to ringfence and track AI models’ access patterns 
  • Use Amazon Bedrock to filter and block PHI outputs before they’re exposed and break compliance 

How we can help

That ‘your MSP’ may just be closer than you think. 

At Just After Midnight, we work with major players in the healthcare industry to deliver HIPAA-compliant AWS solutions at the cutting edge of cloud. 

From healthcare providers like BUPA to innovative medical device company Nanosonics, we’ve helped protect healthcare data for AWS customers by leading from the front. 

That means we’re:

  • A strategic partner first: we drive continuous improvement and adaptation
  • On the cutting edge of service delivery, from consulting on AI HIPAA compliance to interoperability
  • A global business, with teams around the world; we’re perfectly placed to support your solutions 24/7 while grasping the ways in which global cloud architecture and changing compliance laws impact your growth   

To find out how we could help you stay HIPAA compliant, or for anything else, just get in touch.
