Vendor compliance profile
AWS HIPAA, Amazon RDS, and BAA notes
AWS can support HIPAA-regulated workloads only under the AWS Business Associate Addendum, HIPAA-eligible services, and correct customer configuration. Do not process ePHI in non-eligible AWS services or accounts that are not governed by the appropriate AWS BAA and security controls.
HIPAA status signal: Conditional
BAA public signal: AWS BAA required
SOC 2 evidence signal: Public evidence
PHI warning: Cloud workloads can expose PHI through unsupported services, logs, backups, analytics, data lakes, support access, cross-region replication, IAM mistakes, or third-party marketplace products.
Search query answers
What is the AWS HIPAA eligible services list?
AWS maintains a HIPAA Eligible Services Reference that identifies AWS services that may be used for HIPAA-regulated workloads under the AWS BAA. Buyers still need to verify the current list, regions, architecture, logging, encryption, IAM, and downstream vendors.
Does AWS sign a BAA?
AWS provides a Business Associate Addendum path for customers handling PHI. The BAA does not make every AWS service or customer application HIPAA-ready; customers must use HIPAA-eligible services and configure the workload appropriately.
Is AWS HIPAA compliance automatic?
No. AWS operates under a shared responsibility model. HIPAA eligibility, BAA terms, service selection, region choice, encryption, access controls, logging, backups, incident response, and application design must be reviewed together.
Is Amazon RDS HIPAA compliant?
Amazon RDS is listed by AWS as a HIPAA-eligible service for supported database engines, but RDS is not automatically compliant for every workload. Customers still need an AWS BAA, eligible service scope, encryption, IAM, logging, backups, retention, and application-layer safeguards.
Can AWS be used as a HIPAA-compliant database?
AWS can be used to build database workloads for HIPAA-regulated applications when the database service is HIPAA eligible, the AWS BAA is in place, and the customer configures the architecture correctly. Unsupported services, logs, snapshots, exports, and analytics paths can still create PHI risk.
Which AWS database services are HIPAA eligible?
AWS publishes the current HIPAA Eligible Services Reference and services-in-scope list. Amazon RDS appears in that scope, but buyers should verify the current engine, region, account, backup, support, and downstream service coverage before storing PHI.
HIPAA, BAA, and SOC 2 summary
| Item | Detail |
|---|---|
| HIPAA | AWS states that covered entities and business associates can use AWS for workloads involving PHI when the AWS BAA and HIPAA-eligible services requirements are satisfied. AWS also lists Amazon RDS in HIPAA BAA service scope, but customer architecture and configuration remain critical. |
| BAA | AWS customers handling PHI need the AWS Business Associate Addendum and should confirm the current HIPAA Eligible Services Reference before storing, processing, or transmitting ePHI. |
| SOC 2 | AWS makes compliance artifacts, including SOC reports, available through AWS compliance resources and AWS Artifact. Review the latest report scope for the exact services and regions used. |
| PHI risk | Cloud workloads can expose PHI through unsupported services, logs, backups, analytics, data lakes, support access, cross-region replication, IAM mistakes, or third-party marketplace products. |
| Category | HIPAA-Compliant Cloud, AWS, and Database Services |
| Last checked | 2026-05-26 |
| Confidence | High |
Public evidence and open questions
What public sources say
- AWS publishes HIPAA compliance materials for covered entities and business associates.
- AWS maintains a HIPAA Eligible Services Reference for services that may be used under the AWS BAA.
- AWS compliance artifacts, including SOC reports, are available through AWS compliance resources and AWS Artifact.
What remains unconfirmed
- Whether the customer's exact AWS account, region, services, Marketplace products, support path, and architecture are covered.
- Whether application logs, backups, analytics, observability tools, queues, exports, and data lakes keep ePHI inside HIPAA-eligible services.
- Whether the customer's own policies, workforce access, encryption, IAM, monitoring, retention, and incident response satisfy its obligations.
What it may be used for
- HIPAA-regulated SaaS infrastructure after the AWS BAA, HIPAA-eligible services, regions, and customer controls are verified.
- Amazon RDS database workloads where the selected engine and surrounding services remain inside AWS HIPAA BAA scope.
- Healthcare application backends that have documented encryption, IAM, network, audit logging, backup, retention, and incident response controls.
What not to use it for
- Processing ePHI in AWS services that are not HIPAA eligible for the intended workflow.
- Using default IAM, logging, storage, backup, or network settings without a HIPAA security architecture review.
- Assuming AWS compliance covers your application, SaaS product, data model, workforce access, or downstream vendors.
What to verify with the vendor
- Whether the AWS BAA is accepted for the account or organization that will process, store, or transmit PHI.
- Whether every compute, database, storage, queue, logging, analytics, monitoring, backup, and support service is HIPAA eligible for the workload.
- Whether Amazon RDS engine, region, snapshots, read replicas, exports, logs, parameter groups, and backup retention are governed for PHI.
- Whether PHI is excluded from unsupported services, CloudWatch logs, support tickets, telemetry, object names, non-production data, and third-party integrations.
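The verification items above are configuration facts that can be read straight from the RDS API rather than taken on trust. The following script is an added example, not AWS's or this profile's own code: it evaluates the output of the RDS `DescribeDBInstances` call (real response keys) against encryption at rest, backup retention, public exposure, deletion protection, and CloudWatch log export coverage. The sample response, the retention threshold, and the required log families are constructed assumptions for illustration; the optional live path assumes `boto3` and working AWS credentials.

```python
"""Audit RDS DescribeDBInstances output against HIPAA-relevant settings.

Added example, not AWS's or the compliance profile's own code. The keys
used (StorageEncrypted, BackupRetentionPeriod, PubliclyAccessible,
DeletionProtection, EnabledCloudwatchLogsExports) are real fields of the
RDS DescribeDBInstances response; the sample data below is constructed.
"""
from __future__ import annotations

from typing import Any

# Constructed sample of what rds.describe_db_instances() returns, trimmed
# to the keys this audit reads. Identifiers and the KMS ARN are placeholders.
SAMPLE_RESPONSE: dict[str, Any] = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "phi-db-prod",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "BackupRetentionPeriod": 35,
            "PubliclyAccessible": False,
            "DeletionProtection": True,
            "EnabledCloudwatchLogsExports": ["postgresql"],
        },
        {
            "DBInstanceIdentifier": "phi-db-dev",
            "Engine": "mysql",
            "StorageEncrypted": False,
            "BackupRetentionPeriod": 0,
            "PubliclyAccessible": True,
            "DeletionProtection": False,
            "EnabledCloudwatchLogsExports": [],
        },
    ]
}

# Assumed policy thresholds for this example. Take the real values from your
# own HIPAA security architecture review, not from this script.
MIN_BACKUP_RETENTION_DAYS = 7
# Log export names are the real per-engine values accepted by RDS. Exported
# query logs can themselves carry PHI, so log content and destination still
# need their own review; this check only confirms an audit trail exists.
REQUIRED_LOG_EXPORTS = {
    "postgres": {"postgresql"},
    "mysql": {"audit", "error"},
}


def audit_instance(inst: dict[str, Any]) -> list[str]:
    """Return a list of findings for one instance (empty means no issues)."""
    findings: list[str] = []
    name = inst.get("DBInstanceIdentifier", "<unknown>")

    if not inst.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted at rest")
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention < MIN_BACKUP_RETENTION_DAYS:
        findings.append(
            f"{name}: backup retention {retention}d is below the "
            f"{MIN_BACKUP_RETENTION_DAYS}d minimum"
        )
    if inst.get("PubliclyAccessible", False):
        findings.append(f"{name}: instance is publicly accessible")
    if not inst.get("DeletionProtection", False):
        findings.append(f"{name}: deletion protection is disabled")

    # Aurora engines ("aurora-postgresql", "aurora-mysql") share the log
    # families of their base engine; other engines have no requirement here.
    engine = inst.get("Engine", "")
    family = "postgres" if "postgres" in engine else "mysql" if "mysql" in engine else engine
    enabled = set(inst.get("EnabledCloudwatchLogsExports", []))
    missing = REQUIRED_LOG_EXPORTS.get(family, set()) - enabled
    if missing:
        findings.append(f"{name}: CloudWatch log exports missing: {sorted(missing)}")
    return findings


def audit_response(response: dict[str, Any]) -> dict[str, list[str]]:
    """Map each DB instance identifier in a DescribeDBInstances response to its findings."""
    return {
        inst["DBInstanceIdentifier"]: audit_instance(inst)
        for inst in response.get("DBInstances", [])
    }


def audit_live_account(region: str) -> dict[str, list[str]]:
    """Run the same audit against a real account (assumes boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample runs without it

    rds = boto3.client("rds", region_name=region)
    results: dict[str, list[str]] = {}
    for page in rds.get_paginator("describe_db_instances").paginate():
        results.update(audit_response(page))
    return results


if __name__ == "__main__":
    for ident, findings in audit_response(SAMPLE_RESPONSE).items():
        print(f"{ident}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it as-is to see the constructed sample flagged, or call `audit_live_account("us-east-1")` with credentials to audit a real region. The script deliberately reads only instance metadata; snapshot encryption, read replica placement, parameter groups, and the account-level BAA acceptance are separate checks that this output does not cover.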
Safer alternatives and related profiles
Safer alternatives to consider
- Healthcare-specific hosting or managed infrastructure providers when the team cannot operate AWS controls directly.
- A managed HIPAA-ready application platform with explicit BAA scope for the app, database, logging, backups, and support path.
- Keeping PHI out of the AWS workload until architecture, BAA, service scope, and security operations are reviewed.
FAQ
Is AWS HIPAA compliant?
AWS can support HIPAA-regulated workloads only under the AWS Business Associate Addendum, HIPAA-eligible services, and correct customer configuration. Do not process ePHI in non-eligible AWS services or accounts that are not governed by the appropriate AWS BAA and security controls.
Will AWS sign a BAA?
AWS customers handling PHI need the AWS Business Associate Addendum and should confirm the current HIPAA Eligible Services Reference before storing, processing, or transmitting ePHI.
Can AWS be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Does SOC 2 mean AWS is HIPAA compliant?
No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.
What should buyers verify before using AWS with PHI?
- Whether the AWS BAA is accepted for the account or organization that will process, store, or transmit PHI.
- Whether every compute, database, storage, queue, logging, analytics, monitoring, backup, and support service is HIPAA eligible for the workload.
- Whether Amazon RDS engine, region, snapshots, read replicas, exports, logs, parameter groups, and backup retention are governed for PHI.
- Whether PHI is excluded from unsupported services, CloudWatch logs, support tickets, telemetry, object names, non-production data, and third-party integrations.
Last checked and source notes
- Last checked: 2026-05-26
- Confidence: High
- Dataset rows: 268 vendors
- AWS publishes HIPAA compliance guidance and says customers handling PHI should use HIPAA-eligible services under the AWS BAA.
- AWS's HIPAA Eligible Services Reference and services-in-scope pages list Amazon RDS and its supported engines in HIPAA BAA scope.
- AWS RDS security documentation describes RDS as HIPAA eligible, but this still depends on an executed BAA and customer-side controls.
- AWS HIPAA compliance
- AWS HIPAA eligible services
- AWS services in scope for HIPAA BAA
- Amazon RDS security and compliance