HIPAA-Compliant AWS, Built and Operated

HIPAA-compliant AWS architecture, built to be attested.

In plain English: we design, build, and run the AWS environment your patient data needs, so your auditors and compliance team can attest to HIPAA. HIPAA has no certificate to buy. What matters is HIPAA-eligible services, a signed BAA, and every control configured correctly, and that is exactly what we deliver.

AWS Advanced Tier Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
HIPAA Security RuleHIPAA-Eligible AWS

HIPAA compliance is a shared responsibility, not a checkbox.

3
Security Rule safeguard categories
0
Official HIPAA certifications (none exist)
BAA
Required with AWS before any PHI
AES-256
PHI encrypted at rest via AWS KMS
HIPAA has no certificate. We build and operate HIPAA-compliant architectures on HIPAA-eligible AWS services; your auditors and compliance team attest.HAZERCLOUD HIPAA on AWS approach
We build it
You attest it
How We Frame HIPAA Honestly

We are ISO 27001:2022 certified. HIPAA has no certification, so we build the architecture instead.

AWS Advanced TierISO/IEC 27001:2022ISO 9001:2015HIPAA-Eligible Architectures

Some vendors advertise a HIPAA badge. That is not how HIPAA works. HAZERCLOUD holds ISO 27001:2022 and ISO 9001:2015, and we build and operate HIPAA-compliant architectures on HIPAA-eligible AWS services. The attestation belongs to your compliance team and your auditors. Our job is the evidence-ready infrastructure underneath it, founder-led by Jobin Joseph, a 5x AWS-certified engineer.

What HIPAA Requires of Your Infrastructure

The five things a HIPAA-compliant AWS workload must prove.

The HIPAA Security Rule does not name AWS services. It names safeguards. A HIPAA AWS architecture translates each safeguard into concrete, evidenced configuration. These five are the ones an auditor examines first.

Requirement 01

BAA with AWS

  • Signed AWS Business Associate Agreement in place before any PHI reaches the account
  • Workload restricted to services covered by the BAA
  • Organization-level guardrails so new accounts inherit the same boundary
Requirement 02

Encryption at rest and in transit

  • Customer-managed KMS keys for RDS, S3, EBS, and backups
  • Key rotation and least-privilege key policies
  • TLS enforced end to end, at the edge and inside the VPC
Requirement 03

Access controls

  • Least-privilege IAM, SSO via IAM Identity Center, MFA everywhere
  • Role-based access to PHI with periodic access reviews
  • Service control policies that block risky actions across the org
Requirement 04

Audit logging

  • Multi-region CloudTrail with log file validation, encrypted with KMS
  • Application and database access logs retained per policy
  • GuardDuty and Security Hub for continuous detection and findings
Requirement 05

PHI segmentation

  • PHI isolated in dedicated subnets and, where needed, dedicated accounts
  • Network boundaries that keep PHI out of non-eligible services
  • Tenant isolation enforced at the infrastructure layer, not just in code
HIPAA-Eligible AWS Services

What eligible actually means (and what it does not).

A HIPAA-eligible service is one AWS permits to handle PHI under the AWS BAA. Eligibility is a precondition, not compliance. Every eligible service still needs correct configuration, and PHI must stay inside eligible services. AWS maintains the live list, so we design against it and re-check it as it changes. Below are the eligible services most HIPAA AWS hosting patterns are built from.

EC2 / ECS / FargateCompute for application workloads, HIPAA-eligible under the BAA when correctly hardened and network-isolated.
Amazon RDSManaged databases for PHI, encrypted with customer-managed KMS keys and deployed Multi-AZ.
Amazon S3Object storage for documents and images, with default encryption, block-public-access, and access logging.
AWS KMSCustomer-managed encryption keys with rotation and least-privilege key policies for every store that holds PHI.
AWS CloudTrailTamper-evident, multi-region audit trail of API activity, encrypted and retained for the audit window.
Amazon CloudWatch LogsCentralized application and access logs with retention and alerting mapped to the Security Rule.
Elastic Load BalancingTLS termination at the edge, enforcing encrypted transport for every request that carries PHI.
Amazon VPCPrivate networking, segmentation, and boundaries that keep PHI isolated from non-eligible paths.
AWS BackupEncrypted, policy-driven backups supporting the contingency-plan safeguards HIPAA requires.
IAM Identity CenterSingle sign-on, MFA, and access reviews so only authorized identities reach PHI.
Our Reference Architecture Approach

A HIPAA AWS architecture with every control mapped.

We standardize on Amazon ECS for compute and Amazon RDS for data, then map each HIPAA Security Rule safeguard to a specific, evidenced AWS control. The result is a reference pattern that is repeatable across environments and legible to an auditor.

Layer A · Compute

ECS on Fargate

  • Containers on Fargate in private subnets, no direct internet exposure
  • Task roles scoped to least privilege, secrets from Secrets Manager
  • Image scanning and immutable deploys through CI/CD
  • Maps to access control and integrity safeguards
Layer B · Data

RDS and S3

  • RDS Multi-AZ, KMS-encrypted, private, with automated backups
  • S3 with default encryption, versioning, and block-public-access
  • PHI kept inside eligible stores, never in logs or non-eligible services
  • Maps to encryption and contingency-plan safeguards
Layer C · Guardrails

Logging and detection

  • CloudTrail, Config, GuardDuty, and Security Hub always on
  • KMS key policies and IAM boundaries enforced org-wide
  • Evidence collected continuously, ready for assessment
  • Maps to audit control and monitoring safeguards
Shared Responsibility

AWS, HAZERCLOUD, and you: who is responsible for what.

HIPAA on AWS is never one party alone. AWS secures the cloud, we build and operate the compliant configuration inside it, and your organization owns the clinical and legal attestation. Clarity here is what keeps an audit calm.

01

AWS

Security of the cloud. AWS operates HIPAA-eligible services under the BAA and holds the physical, hypervisor, and datacenter controls. It provides the eligible building blocks; it does not configure your workload for you.

02

HAZERCLOUD

Security in the cloud. We design and operate the HIPAA-compliant architecture: encryption, IAM, segmentation, logging, backups, and the evidence behind each control. We build what your auditor needs to see, and keep it current.

03

The client

Attestation and clinical context. You own the risk assessment, workforce training, policies, patient relationships, and the sign-off. Your compliance team and auditors attest to HIPAA compliance on the infrastructure we deliver.

Related Work

Where HIPAA on AWS connects to the rest of your program.

HIPAA rarely arrives alone. Most healthcare platforms pair it with a broader HealthTech AWS build and a certifiable security baseline like ISO 27001.

FAQ

HIPAA on AWS, answered honestly.

Wondering whether AWS is HIPAA compliant on its own, whether you need a BAA with us, or how HIPAA and ISO 27001 relate? Book a call and we will walk your environment through it.

Book Free HIPAA Review →
Is AWS HIPAA compliant by default?+
No. AWS is not HIPAA compliant out of the box, and no cloud provider is. Compliance on AWS requires three things together: using HIPAA-eligible services, signing the AWS Business Associate Agreement (BAA) so those services are permitted to process PHI, and configuring each service correctly (encryption, access controls, logging, network isolation). Miss any one of the three and the workload is not compliant, no matter which services you chose.
What does it mean when an AWS service is HIPAA-eligible?+
HIPAA-eligible means AWS permits that service to store, process, or transmit Protected Health Information under the AWS BAA. It does not mean the service is automatically compliant. Eligibility is a precondition, not a finish line: you still have to configure the service correctly and keep PHI inside eligible services only. AWS publishes the current list of HIPAA-eligible services and updates it over time, so architecture decisions should always be checked against the live list.
Do we need a BAA with you as well?+
It depends on whether HAZERCLOUD would create, receive, maintain, or transmit your PHI. If our engineers only build and configure infrastructure and never access patient data, a BAA may not be strictly required, though many clients still put one in place for clarity. If any part of the engagement means we could touch PHI (for example, hands-on support inside a production account that holds patient data), then a Business Associate Agreement between your organization and ours is appropriate. We are comfortable signing one and scope our access to match.
Can you fix a failed HIPAA audit finding?+
Yes. Remediating audit and risk-assessment findings is one of the most common reasons clients engage us. We map each finding back to the relevant HIPAA Security Rule safeguard, translate it into a concrete AWS control (encryption, IAM policy, logging, segmentation, backup), implement the fix, and produce the evidence your auditor or compliance team needs to close it. We do not issue the attestation ourselves. We build the corrected architecture and the evidence so your assessor can sign off.
HIPAA vs ISO 27001, do we need both?+
They are different in kind. HIPAA is US law for Protected Health Information and has no official certification; you demonstrate compliance through controls, documentation, and risk assessments, not a certificate. ISO 27001 is a global, certifiable information security standard. Many healthcare companies pursue both: ISO 27001 as a certifiable security baseline that enterprise buyers recognize, and HIPAA compliance for handling PHI in the US market. The underlying controls overlap heavily, so the same AWS architecture and evidence can serve both. HAZERCLOUD is ISO 27001:2022 certified itself and builds HIPAA-compliant architectures on the same foundations.
How do you handle encryption of PHI on AWS?+
PHI is encrypted both at rest and in transit. At rest, we use AWS KMS with customer-managed keys across services such as RDS, S3, EBS, and backups, with key rotation and least-privilege key policies. In transit, we enforce TLS everywhere: HTTPS at the load balancer, encrypted database connections, and encrypted service-to-service traffic inside the VPC. Encryption alone is not compliance, but it is a mandatory technical safeguard and usually the first thing an auditor checks.
Does HIPAA certification exist for a hosting partner?+
There is no official HIPAA certification, for a hosting partner or anyone else, because HIPAA is a US regulation enforced by the Department of Health and Human Services, not a certifiable standard with an accredited registrar. Any vendor advertising a HIPAA certificate is misrepresenting how the regulation works. What HAZERCLOUD can accurately state is that it holds ISO 27001:2022 and ISO 9001:2015, is an AWS Advanced Tier Services Partner, and builds and operates HIPAA-compliant architectures on HIPAA-eligible AWS services. Your compliance team and your auditors attest to HIPAA compliance; we build the evidence-ready infrastructure that lets them do it.
HIPAA
Ready to build a HIPAA-compliant AWS environment?

30 minutes on your HIPAA AWS architecture.

No sales pitch. We will look at your current AWS setup, where PHI lives, and the gaps that would surface in an audit, then tell you honestly what a HIPAA-eligible, evidence-ready build would take. If we are not the right fit, we will say so.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder

30 min Free Consultation →