Vendor compliance profile
Is Amazon RDS HIPAA compliant?
Amazon RDS may support HIPAA-regulated database workloads only when used as an AWS HIPAA-eligible service under an accepted AWS BAA and correctly configured by the customer. RDS eligibility does not make the application, schema, logs, backups, exports, or connected services automatically HIPAA compliant.
HIPAA status signal: Conditional
BAA public signal: AWS BAA required
SOC 2 evidence signal: AWS public evidence
PHI warning: RDS workloads can expose PHI through schemas, free-text fields, query logs, slow logs, snapshots, read replicas, backups, exports, support bundles, analytics pipelines, and non-production copies.
HIPAA, BAA, and SOC 2 summary
| Item | Detail |
|---|---|
| HIPAA | AWS's HIPAA Eligible Services Reference lists Amazon Relational Database Service (Amazon RDS) as eligible for supported engines, subject to the shared responsibility model. This is service eligibility, not a blanket approval for every customer workload. |
| BAA | Customers processing PHI in Amazon RDS need the AWS Business Associate Addendum accepted for the relevant AWS account or organization and should verify that the selected RDS service, engine, region, and surrounding services are in current HIPAA scope. |
| SOC 2 | AWS makes compliance artifacts, including SOC reports, available through AWS compliance resources and AWS Artifact. Review report scope for Amazon RDS, AWS account structure, regions, and related services used by the workload. |
| PHI risk | RDS workloads can expose PHI through schemas, free-text fields, query logs, slow logs, snapshots, read replicas, backups, exports, support bundles, analytics pipelines, and non-production copies. |
| Category | HIPAA-Compliant Cloud, AWS, and Database Services |
| Last checked | 2026-06-15 |
| Confidence | High |
Public evidence and open questions
What public sources say
- AWS states that HIPAA-eligible services may create, receive, process, maintain, or transmit ePHI, but customers must configure those services consistent with HIPAA requirements.
- AWS's HIPAA Eligible Services Reference lists Amazon Aurora and Amazon Relational Database Service (Amazon RDS), with RDS limited to supported engines named by AWS.
- AWS says customers should only process, store, and transmit PHI in HIPAA-eligible services defined in the AWS BAA.
What remains unconfirmed
- Whether the buyer's exact AWS account, organization, region, support plan, RDS engine, and connected services are covered.
- Whether application logs, query logs, snapshots, read replicas, exports, backups, BI pipelines, staging databases, and support tickets can contain PHI.
- Whether customer-side IAM, encryption, key management, monitoring, retention, deletion, incident response, and workforce policies are sufficient.
What it may be used for
- HIPAA-regulated application databases only after AWS BAA acceptance, current RDS eligibility, selected engine/region review, and customer-side controls are documented.
- PHI-minimized production workloads where encryption, IAM, logging, backups, retention, deletion, and incident response are governed.
- Vendor and architecture review for teams comparing AWS-managed databases against healthcare-specific hosting or application platforms.
What not to use it for
- Storing PHI in RDS before the AWS BAA, current eligible-service scope, selected engine, region, and support paths are verified.
- Copying PHI into development, staging, analytics, logs, snapshots, or support tickets without the same governance as production.
- Assuming AWS service eligibility covers the customer's application, schema, workforce access, vendors, or downstream SaaS integrations.
What to verify with the vendor
- Whether the AWS BAA is accepted for the account or organization that owns the RDS workload.
- Whether the selected RDS engine, region, snapshots, read replicas, automated backups, exports, logs, monitoring, and support path remain in HIPAA-eligible scope.
- Whether encryption at rest, TLS, KMS key ownership, IAM, MFA, network isolation, database users, audit logging, retention, deletion, and break-glass access are governed.
- Whether PHI can appear in query text, slow logs, CloudWatch logs, performance traces, object names, BI exports, staging data, support screenshots, or third-party tools.
Safer alternatives and related profiles
Safer alternatives to consider
- Amazon Aurora only after current AWS HIPAA eligibility, BAA, engine, region, logs, backups, and surrounding architecture are verified.
- A healthcare-specific hosting or managed database provider when the team cannot operate AWS shared-responsibility controls directly.
- A HIPAA-focused application platform where database, logs, backups, support, and operational controls are covered together.
FAQ
Is Amazon RDS HIPAA compliant?
Amazon RDS appears in AWS's HIPAA Eligible Services Reference for supported engines, but it is not automatically compliant for every workload. Verify the AWS BAA, current service scope, engine, region, encryption, IAM, logging, snapshots, backups, support access, and connected services before storing PHI.
Is RDS HIPAA compliant for PostgreSQL, MySQL, or SQL Server?
AWS lists Amazon RDS in HIPAA-eligible scope for supported engines including PostgreSQL, MySQL, SQL Server, Oracle, Db2, and MariaDB. Buyers should still verify the current AWS list, selected region, account BAA, engine settings, encryption, logs, snapshots, and application data flows.
Can you store PHI in Amazon RDS?
Potentially, but only when the AWS BAA is in place, Amazon RDS is used within current HIPAA-eligible scope, and the customer governs encryption, access, logging, backups, retention, exports, non-production copies, monitoring, and all downstream systems that touch PHI.
Does AWS BAA make an RDS database HIPAA compliant?
No. The AWS BAA and RDS service eligibility are prerequisites, not a complete compliance outcome. The customer remains responsible for database architecture, application logic, PHI minimization, access controls, logging, backup lifecycle, incident response, and vendor review.
Are Amazon RDS logs and snapshots covered for PHI?
RDS logs, snapshots, replicas, exports, backups, monitoring, and support bundles must be reviewed as part of the same PHI workflow. They can expose PHI outside the intended database boundary if encryption, retention, access, region, and connected services are not governed.
Is Amazon Aurora HIPAA eligible like Amazon RDS?
AWS lists Amazon Aurora in the HIPAA Eligible Services Reference. Verify current AWS scope, selected engine and region, AWS BAA status, snapshots, logs, backups, support path, and surrounding services before treating Aurora as appropriate for PHI.
Will Amazon RDS sign a BAA?
Customers processing PHI in Amazon RDS need the AWS Business Associate Addendum accepted for the relevant AWS account or organization and should verify that the selected RDS service, engine, region, and surrounding services are in current HIPAA scope.
Can Amazon RDS be used with PHI?
Do not use Amazon RDS with PHI until your organization verifies AWS BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Does SOC 2 mean Amazon RDS is HIPAA compliant?
No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.
What should buyers verify before using Amazon RDS with PHI?
- Whether the AWS BAA is accepted for the account or organization that owns the RDS workload.
- Whether the selected RDS engine, region, snapshots, read replicas, automated backups, exports, logs, monitoring, and support path remain in HIPAA-eligible scope.
- Whether encryption at rest, TLS, KMS key ownership, IAM, MFA, network isolation, database users, audit logging, retention, deletion, and break-glass access are governed.
- Whether PHI can appear in query text, slow logs, CloudWatch logs, performance traces, object names, BI exports, staging data, support screenshots, or third-party tools.
Last checked and source notes
- Last checked: 2026-06-15
- Confidence: High
- Dataset rows: 268 vendors
- Reviewed AWS HIPAA compliance materials and HIPAA Eligible Services Reference on 2026-06-15.
- AWS's HIPAA Eligible Services Reference was marked Last Updated April 13, 2026 when reviewed.
- ComplySaaS did not verify a private AWS account, AWS Artifact agreement, architecture, or customer-specific BAA status.
Sources consulted:
- AWS HIPAA compliance
- AWS HIPAA Eligible Services Reference
- Amazon RDS security and compliance