HIPAA Compliance on AWS
Last updated: March 2026
TL;DR — We're Already HIPAA-Aligned
Good news: the Bike4Mind / VibesWire / Lumina5 AWS fabric that Starlight Practice is built on already uses 18 HIPAA-eligible AWS services. There is no special "healthcare cloud" or separate account type needed — just sign a free BAA via AWS Artifact (2 minutes, self-service) and configure encryption + audit logging.
The B4M stack (Lumina5) runs a production 35-person AI platform on the same serverless architecture we're using for Starlight. Every core service is HIPAA-eligible:
B4M/Lumina5 Services → HIPAA Eligibility
| AWS Service | How B4M Uses It | How Starlight Uses It | HIPAA Eligible |
|---|---|---|---|
| Lambda | 21+ function types (MCP, queues, crons, WebSocket) | API handlers, auth triggers, business logic | ✅ Yes |
| DynamoDB | State/session management | Patients, Schedules, Payments, Users tables | ✅ Yes |
| API Gateway | WebSocket (10+ routes) + REST | REST API for all endpoints | ✅ Yes |
| Cognito | (VibesWire pattern) Google + B4M OAuth | Google + B4M OAuth, user management | ✅ Yes |
| S3 | 7 buckets (files, images, exports, email) | Patient documents, backups, audit logs | ✅ Yes |
| SQS | 22 queues + 22 DLQs (file processing, AI, email) | Async processing (future: email, notifications) | ✅ Yes |
| SNS | Alert notifications (25+ alarm topics) | Operational alerts | ✅ Yes |
| EventBridge | Event bus (Stripe, email, analytics) | Event-driven workflows | ✅ Yes |
| CloudFront | CDN for static assets | Frontend delivery | ✅ Yes |
| CloudWatch | 25+ alarms, custom metrics, log groups | Application logging, health monitoring | ✅ Yes |
| CloudTrail | API audit logging (compliance scans) | HIPAA-required audit trail | ✅ Yes |
| AWS Config | Configuration compliance rules | HIPAA conformance pack | ✅ Yes |
| KMS | SQS encryption, S3 SSE | PHI encryption at rest | ✅ Yes |
| Secrets Manager | 50+ secrets (API keys, DB URIs, JWT) | OAuth credentials, API keys | ✅ Yes |
| IAM | Granular per-function permissions | Least-privilege access control | ✅ Yes |
| SES | Email ingestion pipeline | Patient communications (future) | ✅ Yes |
| Bedrock | LLM inference (Claude models, image gen, research) | AI clinical decision support (future) | ✅ Yes |
| Transcribe | Voice session handling | Telehealth transcription (future) | ✅ Yes |
| VPC | Private/public subnets, NAT gateway | Network isolation for PHI | ✅ Yes |
18 of 18 AWS services = HIPAA eligible. The only non-AWS component in B4M's stack that needs separate attention is MongoDB Atlas (requires its own BAA with MongoDB Inc.).
What's Already Done vs. What Needs Configuration
| Requirement | Status | Action Needed |
|---|---|---|
| AWS BAA signed | ⬜ Not yet | Sign via AWS Artifact (free, 2 min) |
| DynamoDB encryption at rest | ✅ Default since 2018 | Upgrade to customer-managed KMS keys for audit trail |
| TLS 1.2+ in transit | ✅ Default on all AWS services | None |
| Cognito authentication | ✅ Already configured | Add MFA requirement for PHI access |
| CloudTrail audit logging | ⬜ Not yet | Enable in all regions, 6-year retention |
| CloudWatch log encryption | ⬜ Not yet | Enable KMS encryption on log groups |
| AWS Config HIPAA pack | ⬜ Not yet | Deploy pre-built HIPAA conformance pack |
| WAF on API Gateway | ⬜ Not yet | Attach WAF rules for request filtering |
| VPC for Lambda | ⬜ Optional | Place PHI-handling Lambdas in private subnets |
| GuardDuty threat detection | ⬜ Not yet | Enable (adds ~$10-50/mo) |
Bottom line: Our architecture is HIPAA-aligned by design. The remaining work is configuration, not re-architecture. Estimated infrastructure overhead: $50-200/month on top of normal AWS costs.
B4M Gen AI Services for Starlight
Starlight Practice will use Bike4Mind's existing AI infrastructure for clinical intelligence features. Amazon Bedrock is HIPAA-eligible (added 2024), so AI-powered features like:
- Clinical decision support (RAG over PubMed/PMC)
- SOAP note generation
- Wellness predictions
- Smart template generation
- Parent question answering
...can all flow through B4M's Bedrock integration while remaining HIPAA-compliant.
B4M/Lumina5 Security Operations — Already Production-Grade
Beyond HIPAA-eligible services, the B4M/Lumina5 platform has a comprehensive security operations infrastructure built by Alan that Starlight Practice inherits. This is essentially a SOC-in-a-box — a single pane of glass for security operations inside the admin dashboard.
Security Dashboard (Single Pane of Glass)
The Lumina5 admin includes a unified SecurityDashboard with:
- Overall security score (0-100) with deterministic scoring algorithm
- Six scan categories with pass/warning/fail status indicators
- Critical/High/Medium/Low finding counts per category
- Configurable scan schedules per type (default: Sunday 2 AM UTC)
Automated Security Scanning (6 Types)
| Scan Type | Tool | What It Checks | Frequency |
|---|---|---|---|
| Web (OWASP ZAP) | ZAP | Dynamic application security testing — OWASP Top 10 | Scheduled (weekly default) |
| Code (Semgrep) | Semgrep | Static code analysis for vulnerabilities | Scheduled |
| Packages | Dependency scanning | Third-party package vulnerabilities | Scheduled |
| Secrets (GitLeaks) | GitLeaks | Secret detection in codebase | Scheduled |
| Cloud (Custom AWS) | Custom Lambda | AWS infrastructure baseline checks (root MFA, S3 public access, encryption) | Daily |
| WAF | AWS WAF | Web application firewall configuration | Scheduled |
Scans are orchestrated via cron jobs that trigger GitHub Actions workflows (web/code/packages/secrets) or run Lambda directly (cloud scans).
Deterministic Security Scoring
Each category has a custom scoring algorithm:
| Category | Algorithm | Scoring Logic |
|---|---|---|
| Web (OWASP) | Linear + Log dampening | Critical/High linear penalty; Medium/Low log2(1+n) |
| Code (Semgrep) | Linear + Capped | Critical/High linear; Medium/Low capped |
| Packages | Per-package dedup | Only unique vulnerable packages count |
| Secrets | Binary posture bands | Critical/High → 0-40; Medium/Low → 60-85; None → 100 |
| Cloud/WAF | Linear penalty | 100 - (critical x 30 + high x 20 + medium x 10 + low x 5) |
Status: fail (critical/high findings or score <50) | warning (medium/low or 50-85) | pass (score ≥85, zero findings)
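The scoring rules above are compact enough to implement directly. The block below is an example added here, not the Lumina5 dashboard's own code: the Cloud/WAF formula and the fail/warning/pass thresholds are taken from the table, while the Web weights, the movement inside each Secrets band, and the overall roll-up (a plain mean) are assumptions because the page gives only the shape of those algorithms.

```python
"""Deterministic per-category security scoring (example added to this page).

Cloud/WAF formula and status thresholds come from the table above. Assumed:
Web category weights, position inside each Secrets band, mean as overall roll-up.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FindingCounts:
    critical: int = 0
    high: int = 0
    medium: int = 0
    low: int = 0

    @property
    def total(self) -> int:
        return self.critical + self.high + self.medium + self.low


def clamp(score: float) -> int:
    """Keep every score inside the 0-100 range the dashboard displays."""
    return int(max(0, min(100, round(score))))


def score_cloud(c: FindingCounts) -> int:
    """Cloud/WAF: 100 - (critical x 30 + high x 20 + medium x 10 + low x 5)."""
    return clamp(100 - (c.critical * 30 + c.high * 20 + c.medium * 10 + c.low * 5))


# Assumed weights for the Web (OWASP ZAP) category.
WEB_CRITICAL_W, WEB_HIGH_W, WEB_MEDIUM_W, WEB_LOW_W = 25, 15, 5, 2


def score_web(c: FindingCounts) -> int:
    """Web: linear penalty for critical/high, log2(1+n) dampening for medium/low,
    so ten low findings cost far less than ten times one low finding."""
    penalty = (c.critical * WEB_CRITICAL_W + c.high * WEB_HIGH_W
               + WEB_MEDIUM_W * math.log2(1 + c.medium)
               + WEB_LOW_W * math.log2(1 + c.low))
    return clamp(100 - penalty)


def score_secrets(c: FindingCounts) -> int:
    """Secrets: posture bands. critical/high -> 0-40, medium/low -> 60-85, none -> 100.
    Movement inside a band (10 or 5 points per extra finding) is an assumption."""
    serious = c.critical + c.high
    if serious:
        return clamp(40 - 10 * (serious - 1))
    minor = c.medium + c.low
    if minor:
        return max(60, clamp(85 - 5 * (minor - 1)))
    return 100


def status(score: int, c: FindingCounts) -> str:
    """fail: critical/high findings or score < 50; pass: score >= 85 with zero findings; else warning."""
    if c.critical or c.high or score < 50:
        return "fail"
    if score >= 85 and c.total == 0:
        return "pass"
    return "warning"


def overall_score(category_scores: dict) -> int:
    """Overall 0-100 score; the page does not state the roll-up rule, so a plain mean is assumed."""
    return clamp(sum(category_scores.values()) / len(category_scores))


if __name__ == "__main__":
    cloud = FindingCounts(high=1, medium=3)   # constructed sample: one high, three medium
    s = score_cloud(cloud)
    print("cloud score", s, status(s, cloud))  # 50 fail (any high finding fails the category)
```

Note that a single high finding forces `fail` even when the numeric score sits in the warning band; that is what makes the posture deterministic rather than a function of the score alone.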
Threat Detection & Alerting
| Feature | How It Works |
|---|---|
| Suspicious login detection | 5-minute alert processing cycle. Detects multiple failed attempts, username enumeration, IP patterns. Risk levels: low/medium/high. |
| IP blocking | Manual + automatic blocking with 10-minute expiration windows. Admin API for blocklist management. |
| API key anomaly detection | Daily baseline calculation from 30-day history. Detects geographic oddities, rate deviations, unusual patterns. |
| AI behavioral analysis | Claude-powered security posture assessment per user. Analyzes failed logins, suspicious patterns, blocked IPs, API key activity. Returns risk score + recommendations. |
| Rate limit monitoring | Per-integration rate limit tracking. Warning at 80% usage, critical on throttle (429). 30-day TTL snapshots. |
| Circuit breaker alarms | 5 failures in 2 minutes triggers real-time outage detection per integration (Slack, GitHub, Jira, Confluence). |
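To make the suspicious-login and IP-blocking rows concrete, here is an example added to this page (not the Lumina5 alert processor) of one 5-minute processing cycle over constructed auth events. The 5-minute window and 10-minute block expiry come from the table; the failed-attempt thresholds and the username-enumeration threshold are assumptions, and the IPs are RFC 5737 documentation addresses.

```python
"""Suspicious-login detection over a 5-minute window, with expiring IP blocks.

Example added to this page. Window (5 min) and block TTL (10 min) come from the
table; failure-count and enumeration thresholds are assumptions. Sample events
are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
BLOCK_TTL = timedelta(minutes=10)
FAILED_LOW, FAILED_MEDIUM, FAILED_HIGH = 3, 5, 10   # assumed thresholds
ENUM_DISTINCT_USERS = 5                             # assumed: distinct usernames from one IP


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    username: str
    success: bool


def analyze_window(events, now):
    """Return {ip: {"failed", "distinct_users", "risk", "reasons"}} for suspicious IPs."""
    cutoff = now - WINDOW
    failed = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e.success or not (cutoff <= e.ts <= now):
            continue                      # only failures inside the window count
        failed[e.ip] += 1
        users[e.ip].add(e.username)

    alerts = {}
    for ip, n in failed.items():
        reasons, risk = [], None
        if n >= FAILED_HIGH:
            risk = "high"
        elif n >= FAILED_MEDIUM:
            risk = "medium"
        elif n >= FAILED_LOW:
            risk = "low"
        if risk:
            reasons.append(f"{n} failed logins in {WINDOW.seconds // 60} min")
        # Many distinct usernames from one source is enumeration: high regardless of count.
        if len(users[ip]) >= ENUM_DISTINCT_USERS:
            risk = "high"
            reasons.append(f"username enumeration: {len(users[ip])} distinct usernames")
        if risk:
            alerts[ip] = {"failed": n, "distinct_users": len(users[ip]),
                          "risk": risk, "reasons": reasons}
    return alerts


class BlockList:
    """Manual + automatic IP blocks that expire after BLOCK_TTL."""
    def __init__(self):
        self._expires = {}

    def block(self, ip, now, ttl=BLOCK_TTL):
        self._expires[ip] = now + ttl

    def is_blocked(self, ip, now):
        exp = self._expires.get(ip)
        if exp is None:
            return False
        if now >= exp:                    # lazy expiry on lookup
            del self._expires[ip]
            return False
        return True


def process_cycle(events, now, blocklist):
    """One alert-processing cycle: analyze the window and auto-block high-risk IPs."""
    alerts = analyze_window(events, now)
    for ip, a in alerts.items():
        if a["risk"] == "high":
            blocklist.block(ip, now)
    return alerts


def sample_events():
    """Constructed sample: one brute force, one enumeration, one user with typos."""
    t0 = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
    ev = [AuthEvent(t0 + timedelta(seconds=15 * i), "203.0.113.7", "alice", False) for i in range(12)]
    ev += [AuthEvent(t0 + timedelta(seconds=20 * i), "198.51.100.22", f"user{i}", False) for i in range(6)]
    ev += [AuthEvent(t0 + timedelta(seconds=30 * i), "192.0.2.5", "bob", False) for i in range(3)]
    ev.append(AuthEvent(t0 + timedelta(seconds=100), "192.0.2.5", "bob", True))
    ev.append(AuthEvent(t0 + timedelta(seconds=60), "192.0.2.9", "carol", False))
    ev.append(AuthEvent(t0 - timedelta(minutes=30), "203.0.113.7", "alice", False))  # outside window
    return ev


def run_sample():
    """Run one cycle at 12:04 UTC against the constructed events."""
    now = datetime(2026, 3, 1, 12, 4, tzinfo=timezone.utc)
    bl = BlockList()
    return process_cycle(sample_events(), now, bl), bl, now


if __name__ == "__main__":
    alerts, bl, now = run_sample()
    for ip, a in alerts.items():
        print(ip, a["risk"], "; ".join(a["reasons"]), "blocked" if bl.is_blocked(ip, now) else "")
```

Expiry is evaluated lazily at lookup time, so a cron-driven cycle never needs a separate sweep to unblock addresses, and the earlier failure for `alice` outside the window is correctly ignored.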
Operational Monitoring (25+ CloudWatch Alarms)
| Alarm Category | Alarms |
|---|---|
| DLQ Health | 22 queues monitored — message count + oldest message age. Unified dashboard. |
| Integration Health | Per-integration: failure count, P95 latency, all-down detection |
| Rate Limits | Warning (>80%) and critical (throttled) per integration |
| LiveOps Triage | Triage failures, error volume (>50/run), P0/P1 issues, consecutive failures |
| Processing | Generation failures, duration, cost per operation |
SRE & LiveOps Automation
- SRE Agent: Automated incident response — analyzes errors, suggests fixes, dispatches solutions via two-queue system (analysis → fixes)
- LiveOps Triage: 6-hour dispatcher fetches events from Slack/GitHub/Jira, triages by severity, creates tracking tickets
- Log-to-Slack Pipeline: Real-time error streaming from all Lambda functions to Slack
- Webhook Audit Logging: 90-day retention of all webhook deliveries with signature verification, processing duration, error details
AWS Well-Architected Framework Compliance
Lumina5 has documented answers to AWS Well-Architected Framework review questions:
| Pillar | Questions Answered |
|---|---|
| Security | SEC1 — Identity & Access Management |
| Reliability | REL5 — Graceful Degradation, REL10 — Bulkhead Architecture, REL12 — Testing & Validation |
| Operational Excellence | OPS4 — Observability & KPIs, OPS4.4 — Dependency Telemetry, OPS10 series — Alerting & Automation |
Comprehensive Security Documentation (24+ pages)
Including: backup & disaster recovery runbook, incident response procedures, control objectives framework, data classification, penetration testing plan, OWASP ZAP practices, WAF setup guide, Prowler AWS auditing, CDI InfoSec package (executive summary, technical deep dive, risk assessment memo, control mapping).
Starlight Practice doesn't need to build security operations from scratch. The B4M/Lumina5 platform provides a production-grade security foundation including automated OWASP scanning, cloud compliance checks, threat detection, rate limiting, and a complete admin security dashboard. As Starlight deploys on the same AWS fabric, these capabilities extend naturally to the healthcare workload.
HIPAA Phased Approach (from Business Plan)
- Phase 1 (Months 1-6): Practice management only — no PHI. Pipeline, comms, billing analytics. No HIPAA requirements yet.
- Phase 2 (Months 7-9): Sign BAA, enable encryption + audit logging, deploy HIPAA Config pack. Required before clinical charting.
- Phase 3 (Month 12+): SOC 2 Type I certification. Annual pen testing. Employee HIPAA training.
Deep Dive Reference
Everything below is detailed reference for each HIPAA requirement and AWS service configuration.
1. AWS HIPAA-Eligible Services
AWS offers 150+ HIPAA-eligible services covered under the AWS Business Associate Addendum (BAA). Customers may use any AWS service in a BAA-designated account, but must only process, store, and transmit PHI using HIPAA-eligible services.
Key HIPAA-Eligible Services (Relevant to Starlight)
| Service | Category | Notes |
|---|---|---|
| Amazon DynamoDB | Database | Encryption at rest enabled by default since 2018 |
| Amazon Cognito | Authentication | HIPAA-eligible since 2017 |
| AWS Lambda | Compute | Serverless, must use encrypted connections |
| Amazon API Gateway | Networking | PHI in headers/URLs only to eligible services |
| Amazon S3 | Storage | SSE-S3 or SSE-KMS required for PHI |
| Amazon CloudFront | CDN | HIPAA-eligible with HTTPS enforcement |
| Amazon SQS | Messaging | Server-side encryption required |
| Amazon SNS | Messaging | Encryption required |
| AWS KMS | Security | Key management for PHI encryption |
| Amazon CloudWatch | Monitoring | Log encryption supported |
| AWS CloudTrail | Audit | API activity logging |
| AWS WAF | Security | Web application firewall |
| Amazon RDS | Database | Multi-AZ with encryption |
| Amazon DocumentDB | Database | MongoDB-compatible, HIPAA-eligible |
| Amazon SES | Messaging | HIPAA-eligible for notifications |
| AWS Step Functions | Orchestration | Workflow coordination |
| AWS Secrets Manager | Security | Secret rotation and management |
| Amazon ECS / Fargate | Containers | HIPAA-eligible compute |
| AWS Systems Manager | Management | Parameter Store for config |
| Amazon Bedrock | AI/ML | Generative AI, HIPAA-eligible (added 2024) |
| Amazon Comprehend Medical | AI/ML | NLP for medical text extraction |
| AWS HealthLake | Healthcare | FHIR-compliant data store |
For the complete and current list, see the AWS HIPAA Eligible Services Reference.
2. AWS for Health — Healthcare Landing Zone
Unlike AWS GovCloud (which is a separate, isolated region for government workloads), there is no separate "Healthcare Cloud" region or account type. Instead, AWS provides:
Landing Zone Accelerator (LZA) for Healthcare
The Landing Zone Accelerator for Healthcare is an industry-specific deployment that provides:
- Pre-configured compliance guardrails aligned with HIPAA Security Rule
- Detective guardrails via AWS Config conformance packs (Operational Best Practices for HIPAA Security)
- Multi-account governance using AWS Control Tower
- 35+ AWS services pre-configured for healthcare compliance
- Compliance frameworks: HIPAA, NCSC, ENS High, C5
AWS HealthLake
A fully managed, HIPAA-eligible service for storing, transforming, and analyzing health data in FHIR R4 format. Designed specifically for healthcare organizations.
AWS Health Data Accelerator
A newer program to fast-track healthcare AI roadmaps, providing reference architectures and tooling for healthcare data pipelines.
Key Difference from GovCloud
| Aspect | AWS GovCloud | AWS Healthcare |
|---|---|---|
| Separate region | Yes (us-gov-west-1, us-gov-east-1) | No |
| Separate account type | Yes | No — uses standard AWS accounts with BAA |
| Compliance focus | FedRAMP, ITAR, DoD | HIPAA, HITRUST via configuration |
| Pricing premium | ~5-25% premium | No region premium |
| Setup method | Separate registration | BAA via AWS Artifact + configuration |
3. Recommended Architecture for Storing PHI
Reference Architecture (Serverless)
```text
Internet
   |
CloudFront (HTTPS + WAF)
   |
API Gateway (REST API, TLS 1.2+)
   |
Lambda Functions (VPC-attached)
   |
   +--- DynamoDB (SSE-KMS, encrypted at rest)
   +--- S3 (SSE-KMS, bucket policies, versioning)
   +--- Cognito (authentication, MFA)
   |
CloudTrail + CloudWatch (audit logging)
   |
KMS (key management for all encryption)
```
Architecture Principles
- Network Isolation: Use VPCs with private subnets for Lambda functions accessing PHI
- Encryption Everywhere: All data at rest and in transit must be encrypted
- Least Privilege: IAM roles with minimum necessary permissions
- Audit Everything: CloudTrail for API calls, CloudWatch for application logs
- Defense in Depth: WAF + Security Groups + NACLs + IAM policies
- Data Classification: Tag resources containing PHI for automated compliance checks
- Backup and Recovery: Automated backups with encryption, tested recovery procedures
Shared Responsibility Model
| AWS Responsibility | Customer Responsibility |
|---|---|
| Physical security of data centers | Application-level encryption |
| Network infrastructure | IAM policies and access control |
| Hypervisor security | Security group configuration |
| Service availability | Data classification and handling |
| Managed service patching | Audit log monitoring and retention |
| Hardware decommissioning | Incident response procedures |
4. AWS Artifact — Signing the BAA
How to Sign the BAA
The BAA is signed electronically through AWS Artifact at no additional cost. The process takes less than 2 minutes:
- Sign in to the AWS Management Console
- Navigate to AWS Artifact → Agreements
- Choose the Account agreements tab (for a single account) or Organization agreements tab (for all accounts in an AWS Organization)
- Select the AWS Business Associate Addendum (BAA)
- Review the terms of the BAA
- Check "I agree to all these terms and conditions"
- Click Accept agreement
Important Notes
- No cost: AWS Artifact and the BAA are free
- Organization-wide BAA: The management account can accept a single BAA covering all member accounts
- Instant activation: Accepting the BAA instantly designates your account(s) for PHI use
- Self-service: No need to contact AWS sales or support
- Prerequisite: You must accept the BAA before storing or transmitting any PHI
What the BAA Covers
The BAA defines:
- AWS as a Business Associate under HIPAA
- Permitted uses and disclosures of PHI
- Required safeguards AWS implements
- Breach notification obligations
- Customer obligations (encryption, access controls, etc.)
5. Encryption Requirements
The AWS BAA requires customers to encrypt all PHI stored in or transmitted using HIPAA-eligible services, in accordance with HHS guidance.
Encryption at Rest
| Service | Encryption Method | Notes |
|---|---|---|
| DynamoDB | SSE with AWS-owned, AWS-managed, or customer-managed KMS keys | Enabled by default since 2018 |
| S3 | SSE-S3, SSE-KMS, or SSE-C | SSE-KMS recommended for audit trail |
| EBS | AES-256 via KMS | Must be explicitly enabled |
| RDS | AES-256 via KMS | Must be enabled at creation time |
| CloudWatch Logs | KMS encryption | Optional but recommended for PHI |
Recommendation: Use AWS KMS with customer-managed keys (CMKs) for all PHI storage. This provides:
- Centralized key management
- Automatic key rotation
- Full audit trail via CloudTrail (every key usage is logged)
- Granular access control via key policies
Encryption in Transit
| Scenario | Requirement |
|---|---|
| External traffic (internet) | TLS 1.2+ mandatory |
| Internal VPC traffic | TLS recommended for all PHI |
| API calls | HTTPS endpoints only |
| Database connections | SSL/TLS connections |
| VPN connections | IPsec VPN |
KMS Key Hierarchy
```text
Customer Master Key (CMK) in KMS
   |
   +--- Data Encryption Key (DEK) for DynamoDB tables
   +--- Data Encryption Key (DEK) for S3 buckets
   +--- Data Encryption Key (DEK) for CloudWatch logs
   +--- Data Encryption Key (DEK) for backups
```
Cost: KMS charges $1/month per CMK + $0.03 per 10,000 API calls. For most applications, this is minimal.
6. Audit Logging Requirements
HIPAA requires covered entities to implement audit controls. AWS provides several services for this.
CloudTrail (Mandatory)
CloudTrail records all API calls made in your AWS account.
Required Configuration:
- Enable CloudTrail in all regions
- Enable log file validation (tamper detection)
- Store logs in an S3 bucket with:
  - Server-side encryption (SSE-KMS)
  - S3 Object Lock / WORM policy (immutability)
  - Versioning enabled
  - Access logging enabled
- Integrate with CloudWatch Logs for real-time alerting
- Retention: HIPAA requires logs to be available for 6 years
CloudWatch (Recommended)
CloudWatch provides monitoring and alerting.
Required Configuration:
- CloudWatch Logs: Capture application logs from Lambda, ECS, etc.
- CloudWatch Alarms: Alert on suspicious activity:
  - Unauthorized API calls
  - Root account usage
  - IAM policy changes
  - Security group changes
  - Console sign-in failures
- Log encryption: Enable KMS encryption for log groups containing PHI
- Retention: Set log retention to match your compliance policy (minimum 6 years for HIPAA)
AWS Config (Recommended)
AWS Config continuously evaluates resource configurations against compliance rules.
HIPAA Conformance Pack: AWS provides a pre-built conformance pack with rules including:
- encrypted-volumes: EBS volumes must be encrypted
- dynamodb-table-encryption-enabled: DynamoDB encryption check
- s3-bucket-server-side-encryption-enabled: S3 encryption check
- cloud-trail-encryption-enabled: CloudTrail log encryption
- cloudtrail-enabled: CloudTrail must be active
- iam-root-access-key-check: No root access keys
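The CloudTrail/CloudWatch requirements above and the conformance-pack rules can be expressed as a small baseline check, which is also the shape of the daily "Cloud (Custom AWS)" scan described earlier. The block below is an example added to this page, not the Lumina5 scan Lambda: it runs over a constructed account snapshot whose dicts loosely mirror fields from boto3's describe_trails, get_bucket_encryption, describe_table, get_account_summary and describe_log_groups (flattened for readability), and names each check after the real AWS Config rule where one exists, marking the page's own recommendations otherwise. Resource names and the KMS key id are placeholders.

```python
"""Baseline audit-control checks over a constructed account snapshot (example added to this page).

Rule names are real AWS Config managed rules except where marked "(page recommendation)".
The snapshot is hand-built and mirrors boto3 output fields loosely.
"""
from dataclasses import dataclass

SIX_YEARS_DAYS = 2192  # a valid CloudWatch Logs retention value (6 years)


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str   # critical | high | medium | low
    detail: str


def check_cloudtrail(trails):
    findings = []
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append(Finding("cloudtrail-enabled", "account", "critical",
                                "no multi-region trail is currently logging"))
    for t in trails:
        if not t.get("KmsKeyId"):
            findings.append(Finding("cloud-trail-encryption-enabled", t["Name"], "high",
                                    "trail log files are not SSE-KMS encrypted"))
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding("cloud-trail-log-file-validation-enabled", t["Name"], "high",
                                    "log file validation (tamper detection) is off"))
    return findings


def check_s3(buckets, audit_bucket_names):
    findings = []
    for b in buckets:
        name, algo = b["Name"], b.get("SSEAlgorithm")
        if algo is None:
            findings.append(Finding("s3-bucket-server-side-encryption-enabled", name, "high",
                                    "no default server-side encryption"))
        elif algo != "aws:kms":
            findings.append(Finding("s3-sse-kms (page recommendation)", name, "medium",
                                    f"default encryption is {algo}; SSE-KMS gives a per-key audit trail"))
        if b.get("Versioning") != "Enabled":
            findings.append(Finding("s3-bucket-versioning-enabled", name, "medium",
                                    "versioning is not enabled"))
        # Object Lock (WORM) is required here only for the bucket(s) CloudTrail writes to.
        if name in audit_bucket_names and not b.get("ObjectLockEnabled"):
            findings.append(Finding("s3-bucket-default-lock-enabled", name, "high",
                                    "audit log bucket has no Object Lock configuration"))
    return findings


def check_dynamodb(tables):
    return [Finding("dynamodb-table-encryption-enabled", t["TableName"], "high", "SSE status is not ENABLED")
            for t in tables if t.get("SSEDescription", {}).get("Status") != "ENABLED"]


def check_iam(summary):
    findings = []
    if summary.get("AccountAccessKeysPresent", 0) > 0:
        findings.append(Finding("iam-root-access-key-check", "root", "critical", "root account has access keys"))
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append(Finding("root-account-mfa-enabled", "root", "critical", "root account has no MFA"))
    return findings


def check_log_groups(groups):
    findings = []
    for g in groups:
        if not g.get("kmsKeyId"):
            findings.append(Finding("cloudwatch-log-group-encrypted", g["logGroupName"], "high",
                                    "log group is not KMS encrypted"))
        retention = g.get("retentionInDays")  # None means "never expire", which satisfies 6 years
        if retention is not None and retention < SIX_YEARS_DAYS:
            findings.append(Finding("cw-loggroup-retention-period-check", g["logGroupName"], "medium",
                                    f"retention {retention} days is below the 6-year HIPAA minimum"))
    return findings


def run_baseline(snapshot):
    audit_buckets = {t["S3BucketName"] for t in snapshot["trails"]}
    return (check_cloudtrail(snapshot["trails"]) + check_s3(snapshot["buckets"], audit_buckets)
            + check_dynamodb(snapshot["tables"]) + check_iam(snapshot["iam_summary"])
            + check_log_groups(snapshot["log_groups"]))


def summarize(findings):
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed snapshot: placeholder names, AWS's documentation account id, placeholder key id.
SAMPLE_SNAPSHOT = {
    "trails": [{"Name": "starlight-org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
                "LogFileValidationEnabled": True, "S3BucketName": "starlight-cloudtrail-logs",
                "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}],
    "buckets": [{"Name": "starlight-cloudtrail-logs", "SSEAlgorithm": "aws:kms",
                 "Versioning": "Enabled", "ObjectLockEnabled": True},
                {"Name": "starlight-patient-docs", "SSEAlgorithm": "AES256",
                 "Versioning": "Suspended", "ObjectLockEnabled": False}],
    "tables": [{"TableName": "Patients", "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}],
    "iam_summary": {"AccountAccessKeysPresent": 0, "AccountMFAEnabled": 1},
    "log_groups": [{"logGroupName": "/aws/lambda/starlight-api", "retentionInDays": 30}],
}

if __name__ == "__main__":
    for f in run_baseline(SAMPLE_SNAPSHOT):
        print(f"[{f.severity:8}] {f.rule:45} {f.resource}: {f.detail}")
    print(summarize(run_baseline(SAMPLE_SNAPSHOT)))
```

Against the sample snapshot the trail, audit bucket, table and root account pass, while the patient-document bucket (SSE-S3, versioning suspended) and the unencrypted 30-day Lambda log group produce one high and three medium findings; the severity counts are exactly the input the Cloud/WAF scoring formula earlier on this page consumes.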
Additional Audit Tools
| Tool | Purpose |
|---|---|
| AWS Security Hub | Centralized security findings dashboard |
| Amazon GuardDuty | Threat detection and monitoring |
| AWS Access Analyzer | Identify unintended resource access |
| VPC Flow Logs | Network traffic monitoring |
7. DynamoDB + HIPAA
HIPAA Eligibility
Yes, Amazon DynamoDB is HIPAA-eligible. It has been on the HIPAA Eligible Services list for several years and is covered under the AWS BAA.
Required Configuration for PHI
| Configuration | Requirement | Default |
|---|---|---|
| Encryption at rest | Required | Enabled by default (AWS-owned key) |
| Encryption key type | AWS-owned, AWS-managed KMS, or customer-managed KMS | AWS-owned key |
| Encryption in transit | Required (HTTPS endpoints) | TLS by default |
| Point-in-time recovery | Recommended | Disabled (must enable) |
| IAM access control | Required | Must configure |
| VPC endpoints | Recommended | Must configure |
| Backup encryption | Required | Follows table encryption |
Recommended DynamoDB Configuration for Starlight
- Encryption: Customer-managed KMS key (best audit trail)
- Point-in-time recovery: Enabled
- Backup: On-demand + continuous backups, encrypted
- VPC endpoint: Gateway endpoint for DynamoDB (no internet transit)
- IAM: Least-privilege policies per Lambda function
- Streams: Encrypted, for audit/replication if needed
Client-Side Encryption Option
For maximum security, AWS provides the Amazon DynamoDB Encryption Client (available on GitHub) for client-side encryption before data reaches DynamoDB. This means AWS never sees the plaintext PHI.
8. Cognito + HIPAA
HIPAA Eligibility
Yes, Amazon Cognito is HIPAA-eligible. It achieved HIPAA eligibility in July 2017 and is covered under the AWS BAA. PHI can be used with Amazon Cognito.
Compliance Certifications
- HIPAA eligible
- PCI DSS compliant
- SOC 1, SOC 2, SOC 3
- ISO/IEC 27001, 27017, 27018
- ISO 9001
Recommended Configuration for Healthcare
| Feature | Recommendation |
|---|---|
| MFA | Required for all users accessing PHI |
| Password policy | Minimum 12 characters, complexity requirements |
| Token expiration | Short-lived access tokens (1 hour or less) |
| Advanced security | Enable adaptive authentication |
| Account recovery | Verified email/phone only |
| User attribute encryption | Custom attributes with sensitive data should use app-level encryption |
Important Considerations
- Cognito user pool attributes (name, email, phone) are stored by Cognito
- If storing PHI in custom attributes, consider application-level encryption
- Use Cognito groups for role-based access control (RBAC)
- Enable CloudTrail logging for Cognito API calls
- Configure sign-in/sign-out logging for audit purposes
9. Lambda + API Gateway + HIPAA
HIPAA Eligibility
Yes, both AWS Lambda and Amazon API Gateway are HIPAA-eligible and covered under the AWS BAA.
Serverless HIPAA Architecture
AWS has published specific guidance on powering HIPAA-compliant workloads using serverless technologies.
Lambda Configuration for PHI
| Configuration | Requirement |
|---|---|
| VPC attachment | Recommended — place Lambda in private subnets |
| Environment variables | Encrypt with KMS; never store PHI in env vars |
| Connections | Use HTTPS/TLS for all external connections |
| IAM role | Least-privilege, one role per function |
| Logging | CloudWatch Logs with KMS encryption |
| Timeout | Set appropriate timeouts |
| Concurrency | Set reserved concurrency limits |
| Layers | Ensure no PHI in Lambda layers |
API Gateway Configuration for PHI
| Configuration | Requirement |
|---|---|
| Protocol | HTTPS only (TLS 1.2+) |
| Authentication | Cognito authorizer or Lambda authorizer |
| Throttling | Configure rate limiting |
| Access logging | Enable with CloudWatch |
| WAF integration | Attach AWS WAF for request filtering |
| Request validation | Enable request body validation |
| Private API | Consider private API endpoints for internal services |
| Custom domain | Use ACM certificates |
Important Warning
PHI in URLs: Avoid placing PHI in URL paths or query parameters. Use request bodies instead. URLs may be logged in access logs, browser history, and intermediate proxies.
10. Cost Implications
Does HIPAA Compliance Add Significant Cost?
The infrastructure cost premium is modest (15-25%), but the operational costs are significant.
Infrastructure Cost Breakdown
| Cost Category | Estimated Additional Cost | Notes |
|---|---|---|
| KMS keys | ~$1-5/month | $1/CMK/month + API calls |
| CloudTrail | ~$2-10/month | First trail free; additional data events |
| CloudWatch Logs | ~$5-50/month | Depends on log volume; 6-year retention |
| AWS Config | ~$10-30/month | Per rule evaluation |
| GuardDuty | ~$10-50/month | Based on data analyzed |
| WAF | ~$6-20/month | $5/web ACL + $1/rule + requests |
| S3 log storage | ~$5-30/month | 6-year retention of audit logs |
| VPC endpoints | ~$7-15/month per endpoint | For private DynamoDB, S3 access |
| Secrets Manager | ~$2-5/month | $0.40/secret/month |
Estimated infrastructure premium: $50-200/month for a typical serverless application.
Operational Costs (Often Higher Than Infrastructure)
| Cost Category | Estimated Cost | Notes |
|---|---|---|
| HIPAA training | $500-2,000/year | Required for all staff |
| Security assessments | $5,000-30,000/year | Annual risk assessments |
| Penetration testing | $5,000-15,000/year | Recommended annually |
| Compliance consulting | $10,000-50,000 | Initial setup and policies |
| HITRUST certification | $40,000-200,000 | Optional but often requested by enterprise clients |
| Cyber insurance | $2,000-10,000/year | Recommended for healthcare |
| Incident response plan | $5,000-15,000 | One-time + annual updates |
Cost-Saving Strategies
- Use serverless: Lambda and DynamoDB reduce operational overhead vs. EC2/RDS
- Organization-wide BAA: One BAA covers all accounts (no per-account cost)
- AWS Config conformance packs: Pre-built HIPAA rules (no custom development)
- Landing Zone Accelerator: Free open-source solution for multi-account setup
- S3 lifecycle policies: Transition old audit logs to Glacier after 1 year
- Reserved capacity: Use DynamoDB reserved capacity for predictable workloads
No "HIPAA Tax" on Service Pricing
AWS does not charge more for HIPAA-eligible services. The same DynamoDB, Lambda, and S3 pricing applies whether or not you have a BAA. The additional costs come from the required supporting services (KMS, CloudTrail, Config, etc.) and operational compliance activities.
Summary: HIPAA Compliance Checklist for Starlight
Before Writing Any Code
- Sign the BAA via AWS Artifact
- Set up AWS Organizations with multi-account structure
- Deploy Landing Zone Accelerator for Healthcare (optional but recommended)
- Enable CloudTrail in all regions
- Enable AWS Config with HIPAA conformance pack
- Create KMS customer-managed keys for PHI encryption
Application Architecture
- Use only HIPAA-eligible services for PHI
- DynamoDB: Customer-managed KMS encryption, PITR enabled
- S3: SSE-KMS, bucket policies, versioning, Object Lock for logs
- Lambda: VPC-attached, least-privilege IAM, encrypted environment variables
- API Gateway: HTTPS only, Cognito authorizer, WAF attached
- Cognito: MFA required, strong password policy
Monitoring and Audit
- CloudTrail integrated with CloudWatch Logs
- CloudWatch alarms for security events
- VPC Flow Logs enabled
- GuardDuty enabled
- 6-year log retention configured
- Security Hub for centralized findings
Operational
- HIPAA policies and procedures documented
- Staff training completed and documented
- Incident response plan in place
- Business continuity and disaster recovery plan
- Annual risk assessment scheduled
- BAA signed with any third-party services handling PHI
Sources
- AWS HIPAA Eligible Services Reference
- AWS HIPAA Compliance Overview
- Architecting for HIPAA Security and Compliance on AWS (Whitepaper)
- AWS Artifact — Managing Agreements
- Landing Zone Accelerator for Healthcare (GitHub)
- Powering HIPAA-Compliant Workloads Using AWS Serverless Technologies
- HIPAA Compliance for Generative AI on AWS
- Using AWS KMS for Encryption of PHI
- Amazon Cognito Compliance Validation
- AWS Services in Scope by Compliance Program