HIPAA Compliance Checklist for AWS: 30+ Controls for Healthcare Workloads

OCR has issued 20+ enforcement actions since January 2024. More than half targeted entities with fewer than 500 employees. This checklist maps every control to 45 CFR § 164 — with detection commands.

Who this is for: CTOs, DevOps leads, and compliance officers at companies that process, store, or transmit electronic protected health information (ePHI) on AWS — including business associates serving healthcare customers. If you signed an AWS BAA but never audited your technical controls, start here.

HIPAA Is Not Just for Hospitals

The HHS Office for Civil Rights (OCR) has issued 20+ enforcement actions since January 2024. More than half targeted entities with fewer than 500 employees.

The latest: Northeast Radiology agreed to pay $350,000 in April 2025 after a PACS imaging server exposed patient records — because the practice never completed an enterprise-wide risk analysis.

Cloud-based business associates are in the crosshairs too. A Massachusetts EHR/billing vendor paid $80,000 in January 2025 after ransomware encrypted the ePHI of 31,248 patients. A Virginia data hosting company paid $90,000 — same story, different company.

Total HIPAA fines issued in 2024–2025: over $15 million. And the average settlement for a mid-sized breach now runs $1.5M+ before legal fees.

The HIPAA Security Rule — What AWS Customers Actually Need

HIPAA's Security Rule (45 CFR Part 164, Subparts A and C) has three safeguard categories:

SafeguardDescriptionAWS Equivalent
AdministrativePolicies, risk analysis, workforce training, incident responseIAM policies, CloudTrail, Config rules
PhysicalFacility access, workstation controls, device disposalAWS managed (data centers); customer controls on access
TechnicalAccess controls, audit logging, encryption, transmission securityIAM, S3, KMS, RDS, CloudWatch

The technical safeguards under 45 CFR § 164.312 are where AWS configurations matter most. Each control below is cited by section.

Identity & Access Management

45 CFR § 164.312(a)(1) requires unique user identification, emergency access procedures, automatic logoff, and encryption/decryption.

Critical Enforce MFA on all IAM users with console access
45 CFR § 164.312(a)(3)
Detection
aws iam get-account-summary | jq '.SummaryMap|to_entries[]|select(.key|contains("MFADevice"))'
Remediation

Enable MFA via AWS Console → IAM → Users → Security credentials → Manage MFA device. Enforce via IAM policy requiring MFA for all console sessions.

Enforcement context

Providence Medical Institute paid $240,000 in October 2024 after a ransomware attack — investigators found the initial compromise leveraged an account with no MFA.

Critical Apply least-privilege access via IAM policies
45 CFR § 164.312(a)(1)
Detection
aws iam list-attached-user-policies --user-name <username> --query 'AttachedPolicies[?PolicyName==`AdministratorAccess`]'
Remediation

Create role-specific IAM policies. Use AWS Managed Policies as a baseline, then scope down. Run IAM Access Analyzer to identify external access.

Critical Disable root account access keys
45 CFR § 164.312(a)(3)
Detection
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
Remediation

Delete root access keys immediately. Enable MFA on root account. Use root only for account-final tasks. Log all root usage via CloudTrail with alarm alerts.

Critical Use IAM roles for services, not access keys
45 CFR § 164.312(a)(1)
Detection
aws iam list-access-keys --user-name <username>
Remediation

Replace long-lived IAM user access keys with instance profiles and service-linked roles. Rotate keys via AWS Secrets Manager with automatic rotation.

High Enable AWS SSO with MFA enforcement
45 CFR § 164.312(d)
Detection
aws sso-admin list-permission-sets --instance-arn <arn>
Remediation

Migrate from individual IAM users to AWS IAM Identity Center. Enforce MFA via permission set conditions. Integrate with your IdP (Okta, Google Workspace, Azure AD).

High Block public access to S3 via account-level settings
45 CFR § 164.312(a)(1)
Detection
aws s3control get-public-access-block --account-id <account-id>
Remediation

Enable block public access at account level. Then enforce bucket-level ACLs denying public access.

Audit Logging

45 CFR § 164.312(b) requires hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI.

Critical Enable CloudTrail on all regions with immutable log storage
45 CFR § 164.312(b)
Detection
aws cloudtrail describe-trails --query 'Trails[?IsMultiRegionTrail==`true`]'
Remediation

Enable CloudTrail with multi-region trails, log file validation, and SNS notifications for delivery failures. Write to an S3 bucket in a separate account with Object Lock (WORM).

Critical Enable CloudWatch log groups with retention and alerting
45 CFR § 164.312(b)
Detection
aws logs describe-log-groups --query 'logGroups[?retentionInDays==null]'
Remediation

Set log retention to at least 90 days (365 preferred). Create CloudWatch metric filters for failed console logins, IAM policy changes, and CloudTrail errors. Route alerts to SNS.

High Enable AWS Config with HIPAA conformance pack
45 CFR § 164.312(b)
Detection
aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[].name'
Remediation

Enable AWS Config in all regions. Deploy the “Operational Best Practices for HIPAA Security” conformance pack from AWS Security Hub. Enable auto-remediation via Config rules.

High Enable GuardDuty for threat detection
45 CFR § 164.312(b)
Detection
aws guardduty list-detectors --query 'DetectorIds'
Remediation

Enable GuardDuty across all regions. Enable S3 and EKS protection. Route findings to a security incident channel (PagerDuty, Slack) within 15 minutes.

Data Encryption

45 CFR § 164.312(a)(2)(iv) requires encryption and decryption mechanisms for ePHI at rest and in transit.

Critical Enforce S3 encryption at rest for all buckets
45 CFR § 164.312(a)(2)(iv)
Detection
aws s3api get-bucket-encryption --bucket <bucket-name> --query 'ServerSideEncryptionConfiguration.Rules[].ServerSideEncryptionByDefault.SSEAlgorithm'
Remediation

Enable default encryption on all buckets (AES-256 or AWS KMS). Use customer-managed keys (CMK) for ePHI buckets — never use AWS managed keys for regulated data. Enforce via bucket policy and SCP.

Critical Enforce TLS 1.2+ for all data in transit
45 CFR § 164.312(e)(2)(ii)
Detection
aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme==`internet-facing`].LoadBalancerArn'
Remediation

Set ALB/ELB security policy to TLS 1.2 minimum. Enforce CloudFront minimum viewer protocol to HTTPS. Use AWS WAF with AWSManagedRulesCommonRuleSet to block non-compliant clients.

High Use AWS KMS CMK with annual key rotation
45 CFR § 164.312(a)(2)(iv)
Detection
aws kms describe-key --key-id <key-id> --query 'KeyMetadata.KeyRotationEnabled'
Remediation

Create CMKs for each data classification level. Enable automatic key rotation (annual). Store key metadata in Secrets Manager. Never use plain text keys in Lambda or EC2 user data.

High Enable RDS encryption at rest
45 CFR § 164.312(a)(2)(iv)
Detection
aws rds describe-db-instances --query 'DBInstances[?!StorageEncrypted]'
Remediation

Enable RDS encryption at creation time (or restore from snapshot with encryption). Use KMS CMK for RDS. Ensure automated backups inherit encryption. For Aurora, verify cluster-level encryption.

Medium Enable DynamoDB encryption at rest
45 CFR § 164.312(a)(2)(iv)
Detection
aws dynamodb describe-table --table-name <name> --query 'Table.SSEDescription.Status'
Remediation

Enable SSE with KMS for all DynamoDB tables. Set item-level encryption for PHI fields via application-layer encryption as defense-in-depth.

Data Integrity

45 CFR § 164.312(c)(1) requires policies and procedures to protect ePHI from improper alteration or destruction.

Critical Enable S3 Object Lock with WORM configuration
45 CFR § 164.312(c)(1)
Detection
aws s3api get-object-lock-configuration --bucket <bucket-name> --query 'ObjectLockConfiguration.Rule.DefaultRetention'
Remediation

Enable S3 Object Lock in compliance mode on ePHI buckets with a 90-day minimum retention. Enable S3 Versioning. Test object recovery to ensure backup integrity.

High Use AWS Backup for automated cross-region backups
45 CFR § 164.308(d)(1)
Detection
aws backup list-backup-plans --query 'BackupPlans[].BackupPlanId'
Remediation

Create an AWS Backup plan with daily incremental, weekly full, and 90-day retention for ePHI data stores. Enable cross-region copy. Test restores quarterly.

High Enable EBS snapshot encryption and restrict sharing
45 CFR § 164.312(c)(1)
Detection
aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[?Encrypted==`false`]'
Remediation

Only launch instances with encrypted EBS volumes. Use KMS CMK for snapshots. Block public and cross-account snapshot sharing. Use tag-based resource policies.

Transmission Security

45 CFR § 164.312(e) requires technical security measures to guard against unauthorized access to ePHI transmitted over networks.

Critical Enforce VPC endpoint policies for private S3 access
45 CFR § 164.312(e)(1)
Detection
aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[?ServiceName==`com.amazonaws.us-east-1.s3`]'
Remediation

Create VPC endpoints for S3 and DynamoDB. Apply deny-by-default endpoint policy allowing only your account. Route all ePHI traffic through the endpoint — no public internet path.

High Configure RDS in private subnets with no public exposure
45 CFR § 164.312(e)(1)
Detection
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`]'
Remediation

Launch all RDS instances in private subnets across 3 AZs. Use RDS Proxy for Lambda connections. Verify no security group rules allow 0.0.0.0/0 on database ports.

Risk Analysis & Management

45 CFR § 164.308(a)(1) requires an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Critical Conduct and document enterprise-wide risk analysis
45 CFR § 164.308(a)(1)(ii)(A)
Remediation

Map all systems that store or process ePHI. Inventory IAM users/roles, S3 buckets with PHI, RDS instances, and Lambda functions processing PHI. Store risk analysis documentation in version-controlled repository.

Enforcement context

This is the most common HIPAA violation. Northeast Radiology’s $350K settlement was entirely about never completing an enterprise-wide risk analysis.

Critical Implement risk management plan with tracked remediation
45 CFR § 164.308(a)(1)(ii)(B)
Remediation

Create a remediation plan in AWS Systems Manager Incident Manager or a ticketing system. Assign severity scores based on likelihood × impact. Track mean time to remediate (MTTR). Review monthly.

High Perform quarterly access reviews and revoke stale permissions
45 CFR § 164.312(a)(3)
Detection
aws iam list-users --query 'Users[?PasswordLastUsed==null]'
Remediation

Run quarterly IAM access reviews. Remove unused users, roles, and access keys. Enforce 90-day access key rotation via SCP. Disable inactive users immediately upon role departure.

Incident Response

45 CFR § 164.308(a)(6) requires policies and procedures to address security incidents.

Critical Document and test incident response plan annually
45 CFR § 164.308(a)(6)
Remediation

Write runbooks for ransomware detection, unauthorized IAM access, ePHI exfiltration, and CloudTrail log tampering. Include escalation matrix, legal notification requirements (45 CFR § 164.400), and HHS breach reporting timelines (within 60 days of discovery). Run tabletop exercises quarterly.

High Route GuardDuty findings to PagerDuty/Slack within 15 minutes
45 CFR § 164.308(a)(6)(i)
Remediation

Configure GuardDuty SNS subscription filter for Critical/High findings to PagerDuty. Use CloudWatch Event Rule to trigger alerts automatically.

High Preserve log evidence immutably
45 CFR § 164.312(b)
Remediation

Configure CloudTrail to write to an S3 bucket with Object Lock (compliance mode, 1-year retention). Use CloudTrail Lake for 90-day queryable retention. Do not allow deletions of log objects by any IAM principal.

Business Associate Management

45 CFR § 164.308(b) and § 164.314 require documented agreements with business associates who handle ePHI.

High Sign BAAs before onboarding any PHI workload
45 CFR § 164.308(b)
Remediation

Execute AWS BAA via AWS Artifact → Agreements → Business Associate Addendum. Apply to all relevant accounts in your AWS Organization. For downstream vendors, require BAAs before granting data access.

High Inventory all downstream business associates touching PHI
45 CFR § 164.314(a)(1)
Remediation

Maintain a BAA registry with vendor name, data shared, BAA execution date, expiration, and contact. Review annually. Trigger renewal 90 days before expiration.

Medium Validate AWS HIPAA-eligible service scope for each workload
45 CFR § 164.312
Remediation

Before using a new AWS service with ePHI, verify it appears on the current HIPAA-eligible services list. If not listed, architect around it or contact AWS.

BAA Gotchas — What Breaks Compliance Silently

1. Using non-HIPAA-eligible AWS services with ePHI.

The AWS BAA covers only HIPAA-eligible services. If you process ePHI through Lightsail, Amplify, or Chime, you're out of compliance — even with a signed BAA. This is the most common silent failure.

2. Assuming BAA signature = compliance.

The BAA is a legal prerequisite, not a technical configuration. Northeast Radiology’s $350K settlement didn’t involve an unsigned BAA — it involved no enterprise risk analysis and no asset inventory.

3. Mixing environments without account-level separation.

ePHI workloads in the same account as non-HIPAA workloads can accidentally route PHI through non-eligible services. Use AWS Organizations to create a dedicated HIPAA OU and account.

4. Log gaps during incident response.

CloudTrail must be logging all admin actions before the incident begins. If logging was disabled, you cannot produce the evidence OCR requires.

5. Key management gaps.

AWS-managed KMS keys are acceptable, but for high-sensitivity ePHI, customer-managed keys with restricted key policies are required. Never store encryption keys in plaintext environment variables or Lambda function code.

6. Lambda environment variables containing PHI.

Lambda environment variables are not encrypted by default. If your function stores ePHI in environment variables, that PHI is in plaintext. Use Secrets Manager or Parameter Store with encryption.

Continuous Monitoring vs. Annual Audit

Most HIPAA-covered entities treat compliance as a one-time annual effort. OCR’s Risk Analysis Initiative — which has generated 7 enforcement actions since fall 2024 — was built specifically to catch organizations that file an outdated risk analysis and call it done.

The Security Rule at 45 CFR § 164.316(b)(2)(i) requires continuous evaluation: reviewing audit logs, access reports, and security incident tracking reports regularly.

Daily

GuardDuty findings review, CloudWatch log anomaly check

Weekly

AWS Config rules compliance dashboard review

Monthly

IAM access review, BAA scope review, key rotation verification

Quarterly

Pen test findings triage, incident response runbook review

Annually

Full enterprise risk analysis, OCR breach notification drill

Annual audits are lag indicators. Cloud-native monitoring catches the gap before OCR does.

Run the Free HIPAA Compliance Assessment

See how your AWS environment stacks up across 30+ HIPAA controls. Guardrail identifies your gaps in minutes, with remediation guidance mapped to 45 CFR § 164 requirements.

Run Free HIPAA Assessment →