Vendor compliance profile
Is AWS HIPAA compliant?
AWS can support HIPAA-regulated workloads only when the account is covered by the AWS Business Associate Addendum (BAA), ePHI is confined to HIPAA-eligible services, and the customer configures those services correctly. Do not process ePHI in services that are not HIPAA eligible or in accounts that are not covered by the AWS BAA and the required security controls.
| Signal | Value |
|---|---|
| HIPAA status signal | Conditional |
| BAA public signal | AWS BAA required |
| SOC 2 evidence signal | Public evidence |
PHI warning: Cloud workloads can expose PHI through services outside the BAA scope, application and service logs, backups and snapshots, analytics and data lake pipelines, AWS Support access, cross-region replication, IAM misconfiguration, or third-party AWS Marketplace products.
HIPAA, BAA, and SOC 2 summary
| Topic | Summary |
|---|---|
| HIPAA | AWS states that covered entities and business associates can use the AWS environment to process, maintain, and store PHI, but under the BAA, PHI may be placed only in HIPAA-eligible services, and the customer remains responsible for its side of the shared responsibility model. |
| BAA | AWS customers handling PHI need the AWS Business Associate Addendum, which AWS offers as a self-service agreement accepted in AWS Artifact (for a single account or for all accounts in an AWS Organization). Confirm the current HIPAA Eligible Services Reference before storing, processing, or transmitting ePHI, because eligibility is per service and the list changes. |
| SOC 2 | AWS publishes its SOC 3 report openly and makes the SOC 1 and SOC 2 reports available to account holders through AWS Artifact. Review the latest report's scope for the exact services and regions you use; a service outside the report scope has no SOC 2 evidence. |
| Category | HIPAA-Compliant Cloud and Database Services |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations after BAA scope and configuration have been verified.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Processing ePHI in AWS services that are not HIPAA eligible for the intended workflow.
- Running on default IAM, logging, storage, backup, or network settings without a HIPAA security architecture review; defaults are not tuned for ePHI.
- Assuming AWS compliance covers your application, SaaS product, data model, workforce access, or downstream vendors.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
Safer alternatives and related profiles
FAQ
Is AWS HIPAA compliant?
Conditionally. AWS supports HIPAA-regulated workloads when the account is covered by the AWS BAA, ePHI stays within HIPAA-eligible services, and the customer configures and operates those services to meet its own HIPAA obligations. Outside those conditions, treat AWS as not compliant for PHI.
Will AWS sign a BAA?
Yes. AWS offers its Business Associate Addendum as a self-service agreement that customers accept through AWS Artifact, for one account or for an entire AWS Organization. Accepting the BAA does not make every service eligible; check the current HIPAA Eligible Services Reference before storing, processing, or transmitting ePHI.
Can AWS be used with PHI?
Only after your organization verifies BAA coverage of the accounts involved, eligibility of every service in the data path, configuration and access controls, data retention and backup handling, and every connected integration. Until then, do not place PHI in AWS.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: High
- Dataset rows: 267 vendors
- ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- AWS HIPAA compliance
- AWS HIPAA eligible services