HIPAA Compliance Checklist for AWS: 30+ Controls for Healthcare Workloads
OCR has issued 20+ enforcement actions since January 2024. More than half targeted entities with fewer than 500 employees. This checklist maps every control to 45 CFR § 164 — with detection commands.
HIPAA Is Not Just for Hospitals
The HHS Office for Civil Rights (OCR) has issued 20+ enforcement actions since January 2024. More than half targeted entities with fewer than 500 employees.
The latest: Northeast Radiology agreed to pay $350,000 in April 2025 after a PACS imaging server exposed patient records — because the practice never completed an enterprise-wide risk analysis.
Cloud-based business associates are in the crosshairs too. A Massachusetts EHR/billing vendor paid $80,000 in January 2025 after ransomware encrypted the ePHI of 31,248 patients. A Virginia data hosting company paid $90,000 — same story, different company.
Total HIPAA fines issued in 2024–2025: over $15 million. And the average settlement for a mid-sized breach now runs $1.5M+ before legal fees.
The HIPAA Security Rule — What AWS Customers Actually Need
HIPAA's Security Rule (45 CFR Part 164, Subparts A and C) has three safeguard categories:
| Safeguard | Description | AWS Equivalent |
|---|---|---|
| Administrative | Policies, risk analysis, workforce training, incident response | IAM policies, CloudTrail, Config rules |
| Physical | Facility access, workstation controls, device disposal | AWS managed (data centers); customer controls on access |
| Technical | Access controls, audit logging, encryption, transmission security | IAM, S3, KMS, RDS, CloudWatch |
The technical safeguards under 45 CFR § 164.312 are where AWS configurations matter most. Each control below is cited by section.
Identity & Access Management
45 CFR § 164.312(a)(1) requires unique user identification, emergency access procedures, automatic logoff, and encryption/decryption.
aws iam get-account-summary | jq '.SummaryMap|to_entries[]|select(.key|contains("MFADevice"))'Enable MFA via AWS Console → IAM → Users → Security credentials → Manage MFA device. Enforce via IAM policy requiring MFA for all console sessions.
Providence Medical Institute paid $240,000 in October 2024 after a ransomware attack — investigators found the initial compromise leveraged an account with no MFA.
aws iam list-attached-user-policies --user-name <username> --query 'AttachedPolicies[?PolicyName==`AdministratorAccess`]'Create role-specific IAM policies. Use AWS Managed Policies as a baseline, then scope down. Run IAM Access Analyzer to identify external access.
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'Delete root access keys immediately. Enable MFA on root account. Use root only for account-final tasks. Log all root usage via CloudTrail with alarm alerts.
aws iam list-access-keys --user-name <username>Replace long-lived IAM user access keys with instance profiles and service-linked roles. Rotate keys via AWS Secrets Manager with automatic rotation.
aws sso-admin list-permission-sets --instance-arn <arn>Migrate from individual IAM users to AWS IAM Identity Center. Enforce MFA via permission set conditions. Integrate with your IdP (Okta, Google Workspace, Azure AD).
aws s3control get-public-access-block --account-id <account-id>Enable block public access at account level. Then enforce bucket-level ACLs denying public access.
Audit Logging
45 CFR § 164.312(b) requires hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI.
aws cloudtrail describe-trails --query 'Trails[?IsMultiRegionTrail==`true`]'Enable CloudTrail with multi-region trails, log file validation, and SNS notifications for delivery failures. Write to an S3 bucket in a separate account with Object Lock (WORM).
aws logs describe-log-groups --query 'logGroups[?retentionInDays==null]'Set log retention to at least 90 days (365 preferred). Create CloudWatch metric filters for failed console logins, IAM policy changes, and CloudTrail errors. Route alerts to SNS.
aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[].name'Enable AWS Config in all regions. Deploy the “Operational Best Practices for HIPAA Security” conformance pack from AWS Security Hub. Enable auto-remediation via Config rules.
aws guardduty list-detectors --query 'DetectorIds'Enable GuardDuty across all regions. Enable S3 and EKS protection. Route findings to a security incident channel (PagerDuty, Slack) within 15 minutes.
Data Encryption
45 CFR § 164.312(a)(2)(iv) requires encryption and decryption mechanisms for ePHI at rest and in transit.
aws s3api get-bucket-encryption --bucket <bucket-name> --query 'ServerSideEncryptionConfiguration.Rules[].ServerSideEncryptionByDefault.SSEAlgorithm'Enable default encryption on all buckets (AES-256 or AWS KMS). Use customer-managed keys (CMK) for ePHI buckets — never use AWS managed keys for regulated data. Enforce via bucket policy and SCP.
aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme==`internet-facing`].LoadBalancerArn'Set ALB/ELB security policy to TLS 1.2 minimum. Enforce CloudFront minimum viewer protocol to HTTPS. Use AWS WAF with AWSManagedRulesCommonRuleSet to block non-compliant clients.
aws kms describe-key --key-id <key-id> --query 'KeyMetadata.KeyRotationEnabled'Create CMKs for each data classification level. Enable automatic key rotation (annual). Store key metadata in Secrets Manager. Never use plain text keys in Lambda or EC2 user data.
aws rds describe-db-instances --query 'DBInstances[?!StorageEncrypted]'Enable RDS encryption at creation time (or restore from snapshot with encryption). Use KMS CMK for RDS. Ensure automated backups inherit encryption. For Aurora, verify cluster-level encryption.
aws dynamodb describe-table --table-name <name> --query 'Table.SSEDescription.Status'Enable SSE with KMS for all DynamoDB tables. Set item-level encryption for PHI fields via application-layer encryption as defense-in-depth.
Data Integrity
45 CFR § 164.312(c)(1) requires policies and procedures to protect ePHI from improper alteration or destruction.
aws s3api get-object-lock-configuration --bucket <bucket-name> --query 'ObjectLockConfiguration.Rule.DefaultRetention'Enable S3 Object Lock in compliance mode on ePHI buckets with a 90-day minimum retention. Enable S3 Versioning. Test object recovery to ensure backup integrity.
aws backup list-backup-plans --query 'BackupPlans[].BackupPlanId'Create an AWS Backup plan with daily incremental, weekly full, and 90-day retention for ePHI data stores. Enable cross-region copy. Test restores quarterly.
aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[?Encrypted==`false`]'Only launch instances with encrypted EBS volumes. Use KMS CMK for snapshots. Block public and cross-account snapshot sharing. Use tag-based resource policies.
Transmission Security
45 CFR § 164.312(e) requires technical security measures to guard against unauthorized access to ePHI transmitted over networks.
aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[?ServiceName==`com.amazonaws.us-east-1.s3`]'Create VPC endpoints for S3 and DynamoDB. Apply deny-by-default endpoint policy allowing only your account. Route all ePHI traffic through the endpoint — no public internet path.
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`]'Launch all RDS instances in private subnets across 3 AZs. Use RDS Proxy for Lambda connections. Verify no security group rules allow 0.0.0.0/0 on database ports.
Risk Analysis & Management
45 CFR § 164.308(a)(1) requires an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
Map all systems that store or process ePHI. Inventory IAM users/roles, S3 buckets with PHI, RDS instances, and Lambda functions processing PHI. Store risk analysis documentation in version-controlled repository.
This is the most common HIPAA violation. Northeast Radiology’s $350K settlement was entirely about never completing an enterprise-wide risk analysis.
Create a remediation plan in AWS Systems Manager Incident Manager or a ticketing system. Assign severity scores based on likelihood × impact. Track mean time to remediate (MTTR). Review monthly.
aws iam list-users --query 'Users[?PasswordLastUsed==null]'Run quarterly IAM access reviews. Remove unused users, roles, and access keys. Enforce 90-day access key rotation via SCP. Disable inactive users immediately upon role departure.
Incident Response
45 CFR § 164.308(a)(6) requires policies and procedures to address security incidents.
Write runbooks for ransomware detection, unauthorized IAM access, ePHI exfiltration, and CloudTrail log tampering. Include escalation matrix, legal notification requirements (45 CFR § 164.400), and HHS breach reporting timelines (within 60 days of discovery). Run tabletop exercises quarterly.
Configure GuardDuty SNS subscription filter for Critical/High findings to PagerDuty. Use CloudWatch Event Rule to trigger alerts automatically.
Configure CloudTrail to write to an S3 bucket with Object Lock (compliance mode, 1-year retention). Use CloudTrail Lake for 90-day queryable retention. Do not allow deletions of log objects by any IAM principal.
Business Associate Management
45 CFR § 164.308(b) and § 164.314 require documented agreements with business associates who handle ePHI.
Execute AWS BAA via AWS Artifact → Agreements → Business Associate Addendum. Apply to all relevant accounts in your AWS Organization. For downstream vendors, require BAAs before granting data access.
Maintain a BAA registry with vendor name, data shared, BAA execution date, expiration, and contact. Review annually. Trigger renewal 90 days before expiration.
Before using a new AWS service with ePHI, verify it appears on the current HIPAA-eligible services list. If not listed, architect around it or contact AWS.
BAA Gotchas — What Breaks Compliance Silently
The AWS BAA covers only HIPAA-eligible services. If you process ePHI through Lightsail, Amplify, or Chime, you're out of compliance — even with a signed BAA. This is the most common silent failure.
The BAA is a legal prerequisite, not a technical configuration. Northeast Radiology’s $350K settlement didn’t involve an unsigned BAA — it involved no enterprise risk analysis and no asset inventory.
ePHI workloads in the same account as non-HIPAA workloads can accidentally route PHI through non-eligible services. Use AWS Organizations to create a dedicated HIPAA OU and account.
CloudTrail must be logging all admin actions before the incident begins. If logging was disabled, you cannot produce the evidence OCR requires.
AWS-managed KMS keys are acceptable, but for high-sensitivity ePHI, customer-managed keys with restricted key policies are required. Never store encryption keys in plaintext environment variables or Lambda function code.
Lambda environment variables are not encrypted by default. If your function stores ePHI in environment variables, that PHI is in plaintext. Use Secrets Manager or Parameter Store with encryption.
Continuous Monitoring vs. Annual Audit
Most HIPAA-covered entities treat compliance as a one-time annual effort. OCR’s Risk Analysis Initiative — which has generated 7 enforcement actions since fall 2024 — was built specifically to catch organizations that file an outdated risk analysis and call it done.
The Security Rule at 45 CFR § 164.316(b)(2)(i) requires continuous evaluation: reviewing audit logs, access reports, and security incident tracking reports regularly.
GuardDuty findings review, CloudWatch log anomaly check
AWS Config rules compliance dashboard review
IAM access review, BAA scope review, key rotation verification
Pen test findings triage, incident response runbook review
Full enterprise risk analysis, OCR breach notification drill
Annual audits are lag indicators. Cloud-native monitoring catches the gap before OCR does.
Related Guides
- SOC 2 Type II on AWS: Compliance Checklist for 2026 — the startup audit playbook that complements HIPAA controls.
- PCI-DSS v4.0.1 on AWS: Technical Implementation Guide — if you also process payment data alongside ePHI.
- Run a Free AWS Security Assessment → — Guardrail scans 32 common AWS misconfigurations and maps findings to HIPAA, PCI-DSS, and SOC 2 controls.
Run the Free HIPAA Compliance Assessment
See how your AWS environment stacks up across 30+ HIPAA controls. Guardrail identifies your gaps in minutes, with remediation guidance mapped to 45 CFR § 164 requirements.
Run Free HIPAA Assessment →