Building healthcare software on AWS means protecting electronic Protected Health Information (ePHI) to a standard auditors — and patients — can trust. AWS gives you HIPAA-eligible services and a Business Associate Addendum (BAA), but compliance is a shared responsibility: AWS secures the cloud; you secure what you build in it. Here's a reference approach.
Start with the BAA and eligible services
Sign the AWS BAA and restrict ePHI workloads to HIPAA-eligible services. Architect so that PHI never touches a service outside that boundary — a clear data-flow diagram is the foundation of everything else.
Encrypt everywhere
- Encryption at rest with managed keys (KMS) for databases, object storage and volumes
- Encryption in transit (TLS) for every connection, internal and external
- Key rotation and tightly-scoped key access policies
Least-privilege access
Use IAM roles, not long-lived keys. Grant the minimum permissions needed, enforce MFA, and review access regularly. Every identity — human or machine — should be able to justify each permission it holds.
Log everything, immutably
Enable CloudTrail, VPC flow logs and application audit logs, and ship them to storage that can't be tampered with. Auditors will ask who accessed what and when; you want that answer to be one query away.
Isolate and segment
Put ePHI workloads in private subnets with no direct internet exposure, segment by function, and control traffic with security groups and network ACLs. Defence in depth means a single misconfiguration doesn't expose data.
Prove it continuously
HIPAA isn't a one-time checkbox. Continuous configuration monitoring, vulnerability scanning and documented incident response turn compliance into an operational habit — and make your next audit uneventful.
A HIPAA-aligned architecture protects patients first. The compliance evidence is a natural by-product of doing that well.
Want help putting this into practice?
Talk to a senior engineer about your specific situation.
Services That Bring This to Life
More Insights
Cloud Cost Optimization: A Practical FinOps Playbook
A step-by-step approach to cutting cloud waste — rightsizing, savings plans, storage tiering and the FinOps culture that makes savings stick.
Read articleHow to Set Up a CI/CD Pipeline That Scales
From first commit to production: designing a secure, auditable CI/CD pipeline with GitOps, IaC and progressive delivery.
Read articleISO 27001 Readiness: What Actually Gets You Certified
The practical path to ISO 27001 — scoping your ISMS, closing gaps, gathering evidence and passing the audit without derailing engineering.
Read article