AEO compliance guide

HIPAA-Compliant Database Requirements for SaaS Teams

A database is not HIPAA compliant by itself. A HIPAA-ready database workflow requires a covered vendor or cloud service, appropriate BAA scope, encryption, identity controls, audit logging, backup governance, retention, deletion, and policies for every application, export, support, and analytics path that touches PHI.

Last updated: 2026-05-26

Direct answer

A practical HIPAA database checklist for SaaS teams evaluating AWS, Amazon RDS, BAA scope, encryption, logs, backups, replicas, and PHI storage.

Key takeaways

  • Start with the data lifecycle: write, read, log, replicate, back up, restore, export, support, and delete.
  • Amazon RDS appears in AWS HIPAA BAA scope, but buyers still need the AWS BAA and correct customer configuration.
  • Encryption is necessary in many designs, but it does not replace access control, audit logs, retention, incident response, or vendor scope review.
  • Non-production databases, BI tools, query logs, and support tickets are common places where PHI leaves the governed system.

Definition snippets

HIPAA-compliant database

A database workflow that stores or processes PHI only under appropriate agreements, eligible service scope, security controls, access governance, auditability, backup controls, and organizational policies.

HIPAA-eligible cloud service

A cloud service the provider lists as eligible or in scope for HIPAA-regulated workloads, usually subject to a BAA and the customer's shared-responsibility controls.

Database PHI leakage

PHI exposure outside the intended table or application, including logs, snapshots, read replicas, exports, support diagnostics, analytics pipelines, and development copies.

Comparison table

Amazon RDS
  Practical meaning: AWS lists Amazon RDS / RDS engines in HIPAA BAA scope, and RDS security materials describe RDS as HIPAA eligible.
  SaaS review note: Verify the AWS BAA, selected engine, region, encryption, IAM, snapshots, replicas, logs, exports, support, and connected services.

General managed database
  Practical meaning: A managed database can reduce infrastructure work but does not automatically make a SaaS workflow appropriate for PHI.
  SaaS review note: Confirm BAA coverage, eligible-service documentation, support boundaries, backup lifecycle, auditability, and deletion behavior.

Self-managed database
  Practical meaning: The organization controls more of the stack and therefore owns more patching, hardening, monitoring, and evidence work.
  SaaS review note: Document operating system security, patching, encryption, access control, monitoring, backups, recovery, and incident response ownership.

Analytics or logging database
  Practical meaning: Logs and analytics often receive copied PHI or identifiers without the same review as the main application database.
  SaaS review note: Keep PHI out unless the analytics, logging, data lake, warehouse, export, and retention path are covered and governed.

Verification checklist

  • Confirm whether the vendor or cloud provider will sign a BAA for the exact account, service, region, support path, and workflow.
  • Verify the database engine or service is currently listed as HIPAA eligible or otherwise covered for PHI use.
  • Enable and document encryption at rest, encryption in transit, key management, IAM, MFA, network segmentation, and least-privilege access.
  • Review query logs, slow logs, audit logs, error traces, support bundles, telemetry, and observability tools for accidental PHI.
  • Control snapshots, backups, read replicas, restores, exports, disaster recovery, retention, deletion, and non-production copies.
  • Map every downstream system that receives database data, including BI tools, warehouses, CRMs, AI tools, spreadsheets, and support systems.
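The checklist items on encryption at rest, public exposure, backup retention, deletion protection, IAM authentication, audit log export, and snapshot sharing can be turned into an automated posture check. The Python below is an added example written for this guide, not the page's own code and not AWS tooling. It runs offline on two constructed dictionaries shaped like boto3's rds.describe_db_instances() and rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=...) responses: the field names are the real RDS API names, while the instance identifiers, key ARN, and values are made up, and the seven-day backup minimum is an assumed policy threshold.

```python
"""Evaluate RDS instance and snapshot settings against a PHI checklist.

Added example. The two dicts below are constructed to mirror the shape of
boto3's rds.describe_db_instances() and rds.describe_db_snapshot_attributes()
responses so the check runs without AWS credentials. Field names are the
real RDS API names; identifiers and values are made up.
"""
from typing import Dict, List

# Constructed sample: one instance configured for PHI, one that is not.
SAMPLE_INSTANCES = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "phi-prod-postgres",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
            "PubliclyAccessible": False,
            "BackupRetentionPeriod": 14,
            "DeletionProtection": True,
            "IAMDatabaseAuthenticationEnabled": True,
            "EnabledCloudwatchLogsExports": ["postgresql"],
            "MultiAZ": True,
        },
        {
            "DBInstanceIdentifier": "analytics-scratch",
            "Engine": "mysql",
            "StorageEncrypted": False,
            "PubliclyAccessible": True,
            "BackupRetentionPeriod": 0,
            "DeletionProtection": False,
            "IAMDatabaseAuthenticationEnabled": False,
            "EnabledCloudwatchLogsExports": [],
            "MultiAZ": False,
        },
    ]
}

# Constructed sample: a snapshot whose "restore" attribute contains "all",
# which is how RDS represents a publicly shared snapshot.
SAMPLE_SNAPSHOT_ATTRS = {
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "analytics-scratch-2026-05-01",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all"]},
        ],
    }
}


def check_instance(inst: Dict, min_backup_days: int = 7) -> List[str]:
    """Return human-readable findings for one DBInstance record.

    min_backup_days is an assumed policy threshold; set it per your
    retention policy.
    """
    name = inst["DBInstanceIdentifier"]
    findings: List[str] = []
    if not inst.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted at rest")
    if inst.get("PubliclyAccessible"):
        findings.append(f"{name}: publicly accessible endpoint")
    if inst.get("BackupRetentionPeriod", 0) < min_backup_days:
        findings.append(f"{name}: automated backup retention below {min_backup_days} days")
    if not inst.get("DeletionProtection"):
        findings.append(f"{name}: deletion protection disabled")
    if not inst.get("IAMDatabaseAuthenticationEnabled"):
        findings.append(f"{name}: IAM database authentication disabled")
    if not inst.get("EnabledCloudwatchLogsExports"):
        findings.append(f"{name}: no engine logs exported for audit review")
    return findings


def check_snapshot_sharing(attrs: Dict) -> List[str]:
    """Flag snapshots whose restore attribute is shared with 'all' (public)."""
    result = attrs["DBSnapshotAttributesResult"]
    name = result["DBSnapshotIdentifier"]
    findings: List[str] = []
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            findings.append(f"{name}: snapshot is publicly restorable")
    return findings


def review(instances: Dict, snapshot_attrs: Dict) -> Dict[str, List[str]]:
    """Run every check and group findings by resource identifier."""
    report: Dict[str, List[str]] = {}
    for inst in instances["DBInstances"]:
        report[inst["DBInstanceIdentifier"]] = check_instance(inst)
    snap_name = snapshot_attrs["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
    report[snap_name] = check_snapshot_sharing(snapshot_attrs)
    return report


if __name__ == "__main__":
    for resource, items in review(SAMPLE_INSTANCES, SAMPLE_SNAPSHOT_ATTRS).items():
        print(f"{resource}: {'OK' if not items else str(len(items)) + ' finding(s)'}")
        for item in items:
            print(f"  - {item}")
```

In a live review the same functions take the paginated output of the two boto3 calls; each finding maps back to a checklist line (encryption, network exposure, backup lifecycle, deletion, identity, logging, snapshot controls) so the result can be filed as evidence rather than re-derived by hand.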

Is Amazon RDS HIPAA compliant?

AWS lists Amazon RDS in HIPAA BAA service scope and RDS security materials describe the service as HIPAA eligible. That does not mean every RDS workload is automatically compliant. Buyers should verify the AWS BAA, current eligible-service scope, engine, region, encryption, logs, snapshots, replicas, exports, and connected services.

What a database checklist should cover

A HIPAA database review should cover vendor agreement, covered service scope, data classification, encryption, key ownership, IAM, privileged access, network controls, audit logging, backup lifecycle, retention, deletion, restore testing, and incident response.

Common SaaS database mistakes

Teams often review the production database but miss PHI in application logs, query traces, CSV exports, BI dashboards, seed data, staging environments, support screenshots, data lakes, webhooks, and long-lived backup snapshots.
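One way to review query logs, error traces, and support notes for accidental PHI is a pattern scan paired with a redaction step, so that a log can be kept for operations without the identifiers. The Python below is an added example written for this guide, not the page's own or any vendor's tooling; the log lines and every value in them are constructed, and the patterns are illustrative heuristics that produce review items, not proof of PHI.

```python
"""Scan log lines for PHI-like identifiers and redact them.

Added example. The log lines are constructed (fake values) to resemble a
slow-query log, an application error trace, an ordinary info line, and a
support note. The patterns are heuristics chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG_LINES = [
    "2026-05-26T10:01:02Z slow_query duration=2.4s sql=SELECT * FROM patients WHERE ssn='123-45-6789'",
    "2026-05-26T10:01:05Z ERROR PatientService lookup failed for email=jane.doe@example.com dob=1984-02-17",
    "2026-05-26T10:02:11Z INFO cache warmed for 412 rows in 30ms",
    "2026-05-26T10:03:40Z support_note mrn=00012345 reported portal login issue",
]

# Identifier patterns. The lookbehinds for dob= and mrn= keep the field
# name in place so redaction removes only the value.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date_of_birth": re.compile(r"(?<=dob=)\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
    "mrn": re.compile(r"(?<=mrn=)\d{5,}\b", re.IGNORECASE),
}


def scan_line(line: str) -> List[str]:
    """Names of the patterns that match in one line, in PHI_PATTERNS order."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(line)]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, matched pattern names) for every line with a hit."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            hits.append((idx, found))
    return hits


def redact(line: str) -> str:
    """Replace each matched identifier with a tag naming what was removed."""
    out = line
    for name, pat in PHI_PATTERNS.items():
        out = pat.sub(f"[REDACTED:{name}]", out)
    return out


def redact_log(lines: List[str]) -> List[str]:
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for line_no, names in scan_log(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {', '.join(names)}")
    for line in redact_log(SAMPLE_LOG_LINES):
        print(line)
```

Running the scanner again over its own redacted output and expecting no hits is a cheap regression check for a log pipeline; the same pattern table can be applied to exported CSVs and support bundles before they leave the governed environment.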

SOC 2 is supporting evidence, not HIPAA approval

SOC 2 evidence can help evaluate security controls for a database provider or SaaS platform, but it does not replace BAA scope, HIPAA-eligible service verification, PHI workflow review, or qualified legal and compliance judgment.

FAQ

Is Amazon RDS HIPAA compliant?

Amazon RDS is listed by AWS as HIPAA eligible / in scope for HIPAA BAA, but the customer must have the AWS BAA in place and configure the workload appropriately. Verify engine, region, encryption, logs, snapshots, backups, support, and connected services before PHI use.

What makes a database HIPAA compliant?

The product alone does not make a database compliant. The workflow needs appropriate agreements, covered service scope, encryption, access controls, audit logs, backup governance, retention, deletion, incident response, and policies for users and downstream systems.

Can you store PHI in AWS RDS?

Potentially, if Amazon RDS is used under an executed AWS BAA, the current RDS service and engine are in HIPAA scope, and the surrounding architecture, logs, backups, exports, and access controls are governed for PHI.

Does database encryption make PHI storage HIPAA compliant?

No. Encryption is only one control. You also need agreement scope, identity and access controls, auditability, backup controls, retention, deletion, monitoring, incident response, and review of all systems that receive or expose database data.

Can development databases contain PHI?

Avoid PHI in development, testing, and staging environments unless those environments are covered, secured, logged, retained, and governed like production. Prefer synthetic or properly de-identified test data.
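A de-identified development copy can be produced by dropping direct identifiers, generalizing dates, and replacing the join key with a keyed pseudonym so rows still link across tables. The Python below is an added example, not code from this guide; the rows, column names, and key are constructed, the key is assumed to live with production secrets and never reach the non-production environment, and the column list covers only this sample rather than a full identifier inventory for a real schema.

```python
"""Produce a de-identified copy of sample rows for non-production use.

Added example. Rows, column names, and the key are constructed. The
pseudonym is an HMAC-SHA256 of the original key under a secret that stays
with production, so dev copies keep referential integrity without a
reversible mapping.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample standing in for a production patients table.
SAMPLE_ROWS = [
    {"patient_id": "P-1001", "name": "Jane Doe", "ssn": "123-45-6789",
     "dob": "1984-02-17", "email": "jane.doe@example.com", "visit_count": 3},
    {"patient_id": "P-1002", "name": "John Roe", "ssn": "987-65-4321",
     "dob": "1951-11-30", "email": "john.roe@example.com", "visit_count": 7},
]

# Assumed: stored with production secrets (e.g. a KMS-backed secret),
# rotated on schedule, never deployed to dev. Constructed value here.
DEV_COPY_KEY = b"constructed-key-keep-out-of-dev"

# Columns removed outright for this sample schema.
DIRECT_IDENTIFIERS = ("name", "ssn", "email")


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed token: same input gives the same token, but the
    original cannot be recovered without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def generalize_date(iso_date: str) -> str:
    """Keep only the year so exact dates of birth do not reach dev copies."""
    return iso_date[:4]


def deidentify_row(row: Dict, key: bytes) -> Dict:
    out = dict(row)
    out["patient_id"] = pseudonym(row["patient_id"], key)  # preserves joins
    for col in DIRECT_IDENTIFIERS:
        out.pop(col, None)
    out["dob"] = generalize_date(row["dob"])
    return out


def deidentify_table(rows: List[Dict], key: bytes) -> List[Dict]:
    return [deidentify_row(r, key) for r in rows]


def contains_direct_identifier(rows: List[Dict]) -> bool:
    """Gate for a dev-copy pipeline: True if any direct identifier survived."""
    return any(col in r for r in rows for col in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    copy = deidentify_table(SAMPLE_ROWS, DEV_COPY_KEY)
    for r in copy:
        print(r)
    print("direct identifiers present:", contains_direct_identifier(copy))
```

Because the token is deterministic under one key, a foreign key in a second table pseudonymized with the same key still joins correctly; rotating the key produces a fresh, unlinkable copy, which is the usual way to retire an old dev dataset.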

Methodology and source notes

Methodology

  • Treat database compliance as a full data lifecycle and workflow review, not a product label.
  • Use official cloud-provider eligible-service and service-scope documentation before drawing conclusions.
  • Keep claims conditional and require direct vendor, legal, and compliance verification before PHI use.