Call Talk to an Engineer

Building HIPAA-Aligned Workloads on AWS

A reference architecture for HIPAA on AWS — encryption, access control, logging, BAAs and the evidence auditors expect.

Security  ·  April 16, 2026  ·  9 min read

Building healthcare software on AWS means protecting electronic Protected Health Information (ePHI) to a standard auditors — and patients — can trust. AWS gives you HIPAA-eligible services and a Business Associate Addendum (BAA), but compliance is a shared responsibility: AWS secures the cloud; you secure what you build in it. Here's a reference approach.

Start with the BAA and eligible services

Sign the AWS BAA and restrict ePHI workloads to HIPAA-eligible services. Architect so that PHI never touches a service outside that boundary — a clear data-flow diagram is the foundation of everything else.

Encrypt everywhere

  • Encryption at rest with managed keys (KMS) for databases, object storage and volumes
  • Encryption in transit (TLS) for every connection, internal and external
  • Key rotation and tightly-scoped key access policies

Least-privilege access

Use IAM roles, not long-lived keys. Grant the minimum permissions needed, enforce MFA, and review access regularly. Every identity — human or machine — should be able to justify each permission it holds.

Log everything, immutably

Enable CloudTrail, VPC flow logs and application audit logs, and ship them to storage that can't be tampered with. Auditors will ask who accessed what and when; you want that answer to be one query away.

Isolate and segment

Put ePHI workloads in private subnets with no direct internet exposure, segment by function, and control traffic with security groups and network ACLs. Defence in depth means a single misconfiguration doesn't expose data.

Prove it continuously

HIPAA isn't a one-time checkbox. Continuous configuration monitoring, vulnerability scanning and documented incident response turn compliance into an operational habit — and make your next audit uneventful.

A HIPAA-aligned architecture protects patients first. The compliance evidence is a natural by-product of doing that well.

Want help putting this into practice?

Talk to a senior engineer about your specific situation.

Talk to an Engineer