HIPAA eligibility is necessary, but it is not the whole compliance story
AWS HealthLake and AWS HealthImaging both document HIPAA eligibility, and AWS states that covered entities and business associates can use the secure AWS environment to process, maintain, and store protected health information. That matters, but it does not turn an application into a compliant product by itself.
How to read HIPAA eligibility correctly
| Question | AWS position | Architect takeaway |
|---|---|---|
| Can PHI be processed in AWS? | Yes, using HIPAA-eligible services under the AWS BAA and shared-responsibility model | Choose eligible services intentionally and align contracts and controls |
| Does eligibility mean the app is compliant? | No, customer architecture and operations still matter | You still own workflow, access, logging, and governance design |
| Can any AWS service store PHI equally? | No, customers should use HIPAA-eligible services for PHI processing | Check the current eligible-services reference before production design |
Eligibility is not a waiver of engineering rigor
Treat HIPAA eligibility as the starting boundary condition. Then verify identity, encryption, logging, data flows, retention, and reviewer responsibilities in the actual implementation.
AWS HIPAA compliance overview
AWS compliance page explaining HIPAA applicability, the BAA model, covered entities, business associates, and HIPAA-eligible services.
What is AWS HealthLake?
Official HealthLake documentation confirming HIPAA eligibility and the service boundary for FHIR workloads.
Encryption and identity controls still wrap the health-service layer
AWS purpose-built health services reduce domain-specific operational work, but they still rely on the broader AWS security model. IAM scopes who can start jobs or access data. TLS protects data in transit. KMS policies protect encrypted outputs. AWS HealthScribe additionally documents the ability to specify a customer managed key that adds a second layer of encryption, with optional encryption context for stronger control and monitoring.
Shared security envelope around AWS health services
AWS HealthScribe encryption at rest
Official guide describing default encryption, customer managed keys, optional encryption context, and monitoring of KMS key usage.
HealthImaging OIDC authorization requirements
Official HealthImaging guide for authorizing DICOMweb and frame-retrieval requests with OIDC bearer tokens.
Governance is the ongoing evidence trail, not a one-time checklist
In healthcare workloads, governance quality is visible in the evidence trail. Operators need to know who started the job, which data moved, which KMS key was used, whether warnings occurred, and what review action followed. That is why CloudTrail, service job outputs, EventBridge events, and KMS usage records matter as first-class design outputs.
Operational governance signals to preserve
| Signal | Source | Governance value |
|---|---|---|
| Who initiated a workflow or job | CloudTrail and service API logs | Supports access review and forensic traceability |
| Which encrypted outputs were produced | KMS usage records plus service output locations | Supports key-governance and data-handling evidence |
| Which imaging imports produced warnings or non-primary outputs | HealthImaging manifest files and EventBridge events | Supports reconciliation instead of silent drift |
| Which note or AI steps were reviewed before publish | Workflow history and application review audit logs | Supports clinical governance and accountability |
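An added example (not AWS code and not part of the original page) of turning the signals in the table above into one correlated record: it walks constructed CloudTrail-style events, ties a HealthScribe job start to the KMS calls made under that job's encryption context, and flags key usage that carries no such context. The StartMedicalScribeJob event name, its parameter names, and all ARNs are assumed for illustration.

```python
# Constructed CloudTrail-style records (not real log data). The field layout follows
# CloudTrail's record schema; the job API name and parameter names are assumed.
JOB_START_EVENT = "StartMedicalScribeJob"          # assumed HealthScribe job-start event
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder key ARN
EXPECTED_CONTEXT_KEY = "job"                       # encryption-context key the app sets

SAMPLE_EVENTS = [
    {"eventSource": "transcribe.amazonaws.com", "eventName": JOB_START_EVENT,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/scribe-operator"},
     "requestParameters": {"medicalScribeJobName": "visit-0042",
                           "outputEncryptionKMSKeyId": KEY_ARN,
                           "kMSEncryptionContext": {"job": "visit-0042"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/scribe-operator/s1"},
     "requestParameters": {"encryptionContext": {"job": "visit-0042"}},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {},            # no encryption context supplied
     "resources": [{"ARN": KEY_ARN}]},
]


def build_evidence(events, expected_key=EXPECTED_CONTEXT_KEY):
    """Return (jobs, findings): who started each job and which KMS operations ran
    under its context, plus key usage that cannot be attributed to any job."""
    jobs = {}       # job name -> starter, named key, KMS operations seen under its context
    key_usage = []  # every KMS call against a key, with whatever context it carried
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev["eventSource"] == "transcribe.amazonaws.com" and ev["eventName"] == JOB_START_EVENT:
            jobs[params.get("medicalScribeJobName")] = {
                "started_by": ev["userIdentity"]["arn"],
                "key": params.get("outputEncryptionKMSKeyId"),
                "kms_calls": []}
        elif ev["eventSource"] == "kms.amazonaws.com":
            ctx = params.get("encryptionContext") or {}
            for res in ev.get("resources", []):
                key_usage.append({"key": res["ARN"], "op": ev["eventName"],
                                  "caller": ev["userIdentity"]["arn"], "context": ctx})
    findings = []
    for use in key_usage:
        job = use["context"].get(expected_key)
        if job in jobs and jobs[job]["key"] == use["key"]:
            jobs[job]["kms_calls"].append(use["op"])      # attributable to a known job
        else:
            findings.append(f"{use['op']} on {use['key']} by {use['caller']} "
                            f"without a '{expected_key}' context matching a known job")
    return jobs, findings
```

In a real deployment the records would be read from the CloudTrail S3 delivery or a log query rather than an inline list; the correlation logic is the same.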
Good governance architecture shortens incident response
When review decisions, job outputs, and encryption evidence are already connected, teams can answer audit and incident questions without reconstructing history from screenshots.
AWS HIPAA compliance overview
AWS guidance on the shared-responsibility model and why HIPAA design still depends on customer controls and evidence.