Amazon Web Services, or AWS, is a cloud platform that organizations use for infrastructure, storage, databases, networking, analytics, and AI.
Is Amazon Web Services HIPAA compliant? Yes, AWS is HIPAA compliant.
AWS still offers a standard BAA through AWS Artifact, and HIPAA use is still limited to designated HIPAA accounts and HIPAA-eligible services. The notable current update is that AWS’s HIPAA Eligible Services Reference was updated on February 10, 2026, and the published list now includes services such as Amazon Bedrock and Amazon Bedrock AgentCore, showing that AWS continues to expand the eligible-service roster rather than narrow it.
Yes, Amazon Web Services will sign a BAA. AWS says it has a standard BAA for customers, and AWS Artifact is the place where customers review, accept, and manage that agreement for an individual account or for an AWS organization. AWS also says Artifact agreements are confidential and cannot be shared outside the company.
AWS’s public HIPAA materials say the BAA is intended to ensure AWS appropriately safeguards PHI and to clarify and limit AWS’s permitted uses and disclosures of PHI. AWS also ties the BAA to designated HIPAA accounts and to the use of HIPAA-eligible services for PHI workloads, stating that customers should only handle PHI in HIPAA-eligible services within HIPAA accounts.
Public AWS materials indicate that the BAA covers:
AWS’s public guidance makes clear that BAA coverage is not blanket coverage for every AWS service or feature. AWS says some services are not listed as HIPAA eligible, and those services may still be used in HIPAA accounts only if they do not process or store ePHI. AWS also says some otherwise eligible services have feature-level exclusions. Current examples on the published eligible-services list include Amazon CloudFront excluding Embedded Points of Presence delivery, AWS Directory Service excluding Simple AD, Amazon Augmented AI excluding Public Workforce and Vendor Workforce, and Amazon WorkDocs excluding the feature for deleting previous file versions.
AWS can support HIPAA-regulated workloads, but only if the organization keeps PHI inside the services and features AWS has actually placed in scope and also handles its own configuration, access control, encryption, logging, and operational safeguards correctly under the shared responsibility model.
AWS is HIPAA compliant. A healthcare organization needs an AWS BAA in place, needs to designate the relevant account or accounts for HIPAA use, and needs to limit PHI to AWS services and features that AWS currently lists as HIPAA eligible while meeting the customer side of shared responsibility.
A BAA is a contract between a HIPAA covered entity and a business associate that requires the business associate to appropriately safeguard PHI and sets the permitted and required uses and disclosures of that information. HHS explains that these contracts are required so business associates protect PHI and use it only as allowed by the agreement or by law.
HIPAA is the federal law that establishes national standards for protecting certain health information. HHS explains that the Privacy Rule protects medical records and other protected health information, while the Security Rule sets standards for protecting electronic protected health information with administrative, physical, and technical safeguards.
HIPAA applies to covered entities and business associates. Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct certain standard transactions electronically, and business associates are persons or entities that perform certain functions or services involving PHI on behalf of covered entities.