If you are evaluating cloud options for healthcare data, one question comes up fast: is AWS HIPAA compliant?
The accurate answer is: AWS can support HIPAA-regulated workloads, but an AWS account or deployment is not automatically HIPAA compliant. AWS states that covered entities and business associates can use AWS to process, maintain, and store protected health information, but customers generally need a Business Associate Addendum, must use HIPAA-eligible services for PHI, and must configure and operate those services appropriately under AWS’s shared responsibility model.
That distinction matters. The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information, and HHS says risk analysis is foundational to compliance. NIST SP 800-66 Rev. 2 reinforces the same point: regulated entities must protect ePHI against reasonably anticipated threats, hazards, and impermissible uses or disclosures.
What “AWS HIPAA compliant” really means
Many teams use the phrase “AWS HIPAA compliance” as if it were a product feature. It is not. AWS does not say that using AWS alone makes a customer HIPAA compliant. Instead, AWS says customers subject to HIPAA can use AWS for PHI in the secure AWS environment, provided they sign the appropriate agreement and use the right services appropriately.
AWS’s shared responsibility model is the key to understanding this. AWS is responsible for security of the cloud, while the customer is responsible for security in the cloud. In practical terms, that means AWS handles the underlying infrastructure, but your organization is still responsible for areas like access control, encryption settings, workload configuration, logging, third-party integrations, backup design, workforce permissions, and ongoing governance.
That lines up with HHS guidance. The Security Rule is designed to be flexible and scalable, but covered entities and business associates still need to implement reasonable and appropriate safeguards based on their own risks and environment.
How AWS supports HIPAA-regulated workloads
AWS does provide meaningful support for healthcare workloads. Its HIPAA compliance materials state that covered entities and business associates can use AWS to process, maintain, and store PHI, and AWS provides access to its HIPAA agreement process through AWS Artifact. AWS also maintains a current HIPAA Eligible Services Reference that identifies the services eligible to create, receive, process, maintain, or transmit ePHI, subject to the shared responsibility model.
That means AWS can be a strong fit for healthcare organizations that want flexibility, scale, and a large service catalog. But it also means the burden of implementation does not disappear. HHS and NIST both frame HIPAA compliance as an ongoing process of risk analysis, risk management, and safeguard implementation, not a one-time provider selection.
A useful way to think about it is this:
AWS gives you compliant-capable infrastructure building blocks.
Your organization still has to turn those building blocks into a defensible HIPAA program.
How to verify whether an AWS environment is HIPAA compliant
The better question is not just “is AWS HIPAA compliant?” It is:
“Has our AWS environment been designed, documented, and operated in a way that supports HIPAA requirements?”
Here is the practical verification checklist.
Confirm the BAA is in place
AWS says organizations subject to HIPAA generally need a Business Associate Addendum and can review and manage that agreement through AWS Artifact. If that agreement is not in place, the rest of the conversation is premature.
Inventory every service that touches ePHI
Before you can assess compliance, you need a clear inventory of every service that creates, receives, maintains, or transmits ePHI. Then verify those services against the current AWS HIPAA Eligible Services Reference, because the list is maintained separately and can change over time.
Perform and document a risk analysis
HHS says risk analysis is the first step in identifying and implementing safeguards that comply with the Security Rule. NIST SP 800-66 Rev. 2 is designed to help organizations interpret and apply those requirements in practice.
Review safeguards, not just settings
HIPAA requires administrative, physical, and technical safeguards. In AWS, that usually translates into reviewing identity and access controls, MFA, encryption, backup planning, monitoring, alerting, workforce access governance, incident response readiness, and vendor relationships. Those are not “extras.” They are part of whether the environment is actually defensible.
Validate logging and evidence readiness
AWS provides tooling and documentation support, but the healthcare organization still needs its own review process, log retention plan, escalation process, and audit evidence discipline. That is an operational conclusion based on AWS’s shared responsibility model and HHS’s emphasis on documented safeguards.
Test the environment
A HIPAA-capable architecture should be validated, not assumed. Vulnerability testing, restore testing, access review, and configuration review are all part of turning an AWS deployment into a real compliance program. That is a best-practice inference supported by HHS’s risk-analysis and safeguard guidance.
AWS HIPAA eligible services: what matters most
The official answer to AWS HIPAA eligible services is AWS’s own reference page. AWS says the services on that list are eligible to create, receive, process, maintain, or transmit ePHI, subject to the shared responsibility model.
For most healthcare teams, the most relevant service groups are:
- Compute
Services like Amazon EC2 are commonly used to run healthcare applications and supporting workloads. But whether a workload is ready for PHI depends on far more than launching an instance. Access design, patching, encryption, logging, segmentation, and backup controls all matter. That is consistent with AWS’s and HHS’s broader compliance framing.
- Storage
Amazon S3 is often part of healthcare architectures for files, exports, backups, and application data. But the real compliance question is not whether S3 exists. It is whether permissions, encryption, retention, bucket design, logging, lifecycle rules, and downstream integrations are configured appropriately for PHI.
- Databases
Database services can reduce some operational complexity, but they do not eliminate responsibilities around access review, backup planning, encryption, and monitoring. Using a managed database service is not the same thing as delegating compliance.
- Key management and audit support
Encryption support and audit tooling can help strengthen a HIPAA program, but neither AWS nor HHS treats those controls as a substitute for full compliance governance. They are part of the picture, not the whole picture.
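As an added illustration (this is not code from the article, from AWS, or from HIPAA Vault), the script below turns two of the verification steps above into something you can run offline: it compares the services a PHI-handling role actually calls, read from constructed CloudTrail records, against a placeholder eligible-services set that you would populate from AWS’s HIPAA Eligible Services Reference, and it assesses constructed S3 bucket configurations, shaped like the boto3 `get_bucket_encryption`, `get_public_access_block`, `get_bucket_logging` and `get_bucket_versioning` responses, for the storage controls the Storage item lists. The eligible set, the bucket names, the role ARNs and `exampleservice.amazonaws.com` are all assumptions made for this example.

```python
"""Offline HIPAA-readiness checks for an AWS account.

Added example, not code from the article, AWS, or HIPAA Vault. Inputs are
constructed so the script runs without credentials; in a live account the
CloudTrail events and bucket settings would come from boto3 calls.
"""
from __future__ import annotations

from typing import Any, Iterable

# ASSUMPTION: placeholder set. Populate it from the current AWS HIPAA Eligible
# Services Reference; the entries below were chosen for this example only.
ELIGIBLE_EVENT_SOURCES = {
    "s3.amazonaws.com",
    "ec2.amazonaws.com",
    "rds.amazonaws.com",
    "kms.amazonaws.com",
}

PHI_ROLE = "arn:aws:iam::111122223333:role/phi-app"       # constructed principal
OPS_ROLE = "arn:aws:iam::111122223333:role/ops-readonly"  # constructed principal

# Constructed CloudTrail records, trimmed to the fields this check reads.
# "exampleservice.amazonaws.com" is an invented name standing in for any
# service that is in use but absent from the eligible-services list.
SAMPLE_TRAIL_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": PHI_ROLE}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances", "userIdentity": {"arn": PHI_ROLE}},
    {"eventSource": "exampleservice.amazonaws.com", "eventName": "ExportData", "userIdentity": {"arn": PHI_ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": OPS_ROLE}},
]


def services_in_use(events: Iterable[dict[str, Any]], principal_prefix: str = "") -> set[str]:
    """Event sources called by principals whose ARN starts with principal_prefix ('' = everyone)."""
    return {
        e["eventSource"]
        for e in events
        if e.get("userIdentity", {}).get("arn", "").startswith(principal_prefix)
    }


def unlisted_services(events, eligible=ELIGIBLE_EVENT_SOURCES, principal_prefix: str = "") -> list[str]:
    """Services in use but not on the eligible list; each needs a decision in the risk analysis."""
    return sorted(services_in_use(events, principal_prefix) - set(eligible))


# Constructed bucket settings in the shape of the boto3 S3 client responses.
# "phi-scratch" models a bucket that was created without thinking about PHI.
SAMPLE_BUCKETS = {
    "phi-exports-prod": {
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-exports"}}]}},
        "public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        "logging": {"LoggingEnabled": {"TargetBucket": "central-access-logs", "TargetPrefix": "phi-exports-prod/"}},
        "versioning": {"Status": "Enabled"},
    },
    "phi-scratch": {
        "encryption": None,  # treated as: no default encryption configuration returned
        "public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
        "logging": {},     # no "LoggingEnabled" key: server access logging is off
        "versioning": {},  # no "Status" key: versioning was never enabled
    },
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket(cfg: dict[str, Any]) -> list[str]:
    """Return findings for one bucket; an empty list means the four controls checked here are in place."""
    findings: list[str] = []
    rules = (cfg.get("encryption") or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algorithms:
        findings.append("no default encryption configuration")
    elif "aws:kms" not in algorithms:
        findings.append("default encryption is not a KMS key; review key ownership and key-usage audit trail")
    pab = (cfg.get("public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    if "LoggingEnabled" not in (cfg.get("logging") or {}):
        findings.append("server access logging disabled")
    if (cfg.get("versioning") or {}).get("Status") != "Enabled":
        findings.append("versioning not enabled; limits recovery from deletion or overwrite")
    return findings


def run_report(events=SAMPLE_TRAIL_EVENTS, buckets=SAMPLE_BUCKETS) -> dict[str, Any]:
    """Evidence-style summary: unlisted services for the PHI role plus per-bucket findings."""
    return {
        "unlisted_services_for_phi_role": unlisted_services(events, principal_prefix=PHI_ROLE),
        "bucket_findings": {name: assess_bucket(cfg) for name, cfg in buckets.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_report(), indent=2))
```

Run against real data, the same functions take the output of `lookup_events` (or trail logs in S3) and the four per-bucket `get_bucket_*` calls; keeping the evaluation separate from the API calls makes the result reproducible, which is what an auditor will ask for when you present it as evidence.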
What AWS often costs beyond infrastructure
One reason this topic matters commercially is that many teams only compare infrastructure pricing.
That is too narrow.
The real cost of a HIPAA-capable AWS environment usually includes:
- cloud infrastructure
- backup and recovery
- monitoring and logging
- security configuration and review
- documentation and evidence gathering
- security testing
- engineering and compliance labor
AWS’s own model makes clear that customers remain responsible for security in the cloud, and HHS’s guidance makes clear that compliance is an ongoing safeguard and risk-management process. So even when raw cloud pricing looks attractive, the total operating cost can rise quickly once labor and governance are included.
That does not mean AWS is the wrong choice. It means healthcare organizations should compare total ownership effort, not just the starting monthly bill.
AWS vs HIPAA Vault: side-by-side comparison
This comparison works best when framed as an operational fit question, not a simplistic compliance claim.
AWS is a general-purpose cloud platform with broad flexibility and scale. HIPAA Vault is a healthcare-focused managed hosting option. The difference is not that one “does HIPAA” and the other does not. The difference is how much of the architecture, operations, and compliance workload your internal team wants to own directly. That distinction follows from AWS’s shared responsibility model and HHS’s ongoing safeguard requirements.
| Category | AWS | HIPAA Vault |
|---|---|---|
| HIPAA support model | Supports HIPAA-regulated workloads with a BAA and HIPAA-eligible services | Managed hosting designed specifically for healthcare and HIPAA-sensitive use cases |
| Responsibility split | Customer retains major responsibility for security in the cloud and workload controls | More operational support around hosting, security tooling, and managed infrastructure |
| Setup complexity | Higher for most teams because architecture, controls, and documentation must be built and maintained | Lower for teams that want a more guided, healthcare-specific environment |
| Internal expertise required | Strong cloud, security, and compliance skills usually needed | Less internal infrastructure burden for many organizations |
| Flexibility | Very high | More opinionated, more healthcare-focused |
| Time to launch | Often longer, depending on internal build effort | Often faster for teams that want a managed path |
| Best fit | Large teams with cloud maturity and custom architecture needs | Healthcare organizations that want to reduce operational complexity |
In simple terms: AWS gives you more flexibility, while HIPAA Vault is built to reduce the amount of cloud and compliance-heavy lifting your team needs to do.
When AWS is the better fit
AWS is often the better choice when your organization:
- already has mature DevOps and security talent
- needs highly customized architecture
- wants direct access to a broad cloud ecosystem
- is comfortable owning more of the implementation and compliance workload
That is especially true for larger healthcare software companies and enterprise teams with dedicated cloud engineering functions. AWS provides the depth for that model.
When HIPAA Vault may be the better fit
HIPAA Vault may be the better choice when your organization:
- wants to reduce infrastructure complexity
- does not want to build every safeguard and workflow internally
- needs a healthcare-oriented managed hosting environment
- values support, managed services, and a narrower operational path
That is not a claim that compliance becomes automatic. It is simply the practical advantage of a managed, healthcare-specific hosting model for smaller or leaner teams.
Final answer: is AWS HIPAA compliant?
The best answer is this:
AWS can support HIPAA-regulated workloads, but AWS does not automatically make your environment HIPAA compliant. To use AWS appropriately for PHI, organizations generally need the right agreement in place, must use HIPAA-eligible services, and must implement safeguards, risk analysis, and ongoing operational controls consistent with HIPAA requirements. AWS, HHS, and NIST all support that framing.
So the real decision is not only whether AWS can be used for HIPAA workloads.
It is whether your team wants to build and run that environment itself, or whether a managed healthcare hosting provider is the better fit for your time, staffing, and risk profile.