AWS HIPAA Consulting for Healthcare and HealthTech
HIPAA-compliant AWS architecture for healthtech, EHR platforms, and digital health teams: PHI encryption, BAA setup, CloudTrail audit logs, and a proven path to SOC 2.
HIPAA on AWS
What HIPAA compliance on AWS actually requires.
HIPAA (Health Insurance Portability and Accountability Act) governs how covered entities and their business associates handle Protected Health Information (PHI), meaning any individually identifiable health data including names, dates, contact information, and medical records. On AWS, HIPAA compliance requires: a signed Business Associate Agreement (BAA) with AWS (available via AWS Artifact), encryption of PHI at rest (AWS KMS) and in transit (TLS 1.2+), strict access controls (IAM least privilege), immutable audit logs (CloudTrail), and automated threat detection (GuardDuty).
AWS holds a HIPAA attestation and will sign a BAA. That BAA covers the infrastructure layer but not what you build on top of it. The customer side of that shared responsibility, everything that runs on AWS, is where Forged Concepts works. The compliance controls are implemented and documented as infrastructure as code, not assembled in the week before an audit. Senior engineers only, every control auditable.
BAA via AWS Artifact
Self-service signing, no legal negotiation required.
PHI encryption
KMS at rest, TLS 1.2+ in transit, across every HIPAA-eligible service.
Audit-ready infrastructure
CloudTrail, Config, and GuardDuty configured and documented before auditors ask for evidence.
AWS services
AWS services mapped to HIPAA requirements.
| HIPAA Requirement | AWS Service | What it does |
|---|---|---|
| Audit controls (§164.312(b)) | CloudTrail | Immutable API audit log for all account activity |
| Encryption at rest (§164.312(a)(2)(iv)) | AWS KMS | Key management for PHI encryption in RDS, S3, EBS |
| PHI detection and classification | Amazon Macie | Automated PHI discovery in S3 buckets |
| Threat detection | Amazon GuardDuty | Continuous behavioral threat detection |
| Secrets and credential protection | AWS Secrets Manager | Prevents hardcoded credentials in code; automatic rotation |
| Network isolation | VPC with private subnets | PHI systems off the public internet |
| Application protection | AWS WAF | OWASP protection for patient-facing applications |
| BAA execution | AWS Artifact | Self-service Business Associate Agreement signing |
| ePHI in healthcare data lakes | AWS HealthLake | FHIR-native, HIPAA-eligible data lake service |
Every service in the table maps to a named HIPAA control section. Forged Concepts configures each one in Terraform or CDK, version-controlled in your repository, with the reasoning documented for auditors.
Compliance controls
HIPAA-compliant CI/CD pipelines and BAA setup.
Business Associate Agreement
AWS signs a BAA via AWS Artifact: self-service, no legal negotiation, available directly from the AWS console. The BAA covers AWS's underlying infrastructure and the HIPAA-eligible services listed in the agreement.
The BAA does not cover what you build on top of AWS. Your application configuration, access controls, and data handling practices remain your responsibility. Forged Concepts configures the customer side of HIPAA compliance: encryption, IAM, audit logging, and the architecture that makes the BAA meaningful.
HIPAA-Compliant CI/CD Pipeline
The common failure mode: teams build a functional CI/CD pipeline without thinking about compliance, then face a remediation sprint before an audit. Build logs contain database connection strings. Developers have production IAM permissions. There is no documented approval process for production changes.
Forged Concepts builds pipelines with these requirements from day one, not as a remediation project.
No PHI in build logs
Pipeline environment variables never contain patient data; secrets managed via Secrets Manager or Parameter Store, not hardcoded in git.
Documented change control
Every production deployment carries a timestamp, author, and change description, which satisfies HIPAA Administrative Safeguard change management requirements.
Separation of duties
Dev and prod environments use distinct IAM roles; developers do not hold production access as a standing permission.
Immutable audit trail
CloudTrail captures every deployment event; CloudWatch stores structured build logs with retention policies that satisfy audit windows.
Self-hosted runners
GitHub Actions runners run inside the VPC, so build environments live next to PHI systems, never on GitHub-hosted infrastructure.
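As an added example (not Forged Concepts' code), a small Python gate for the "No PHI in build logs" requirement above: it runs over a constructed sample job log, redacts the PHI identifiers this page names (SSN, medical record number, email, phone) plus leaked connection strings and access keys, and fails the job when anything was found. The regex set is an assumption for illustration; a real deployment tunes it to the identifiers its own fixtures and services emit.

```python
"""CI gate: fail the job if its build log contains PHI or credentials."""
from __future__ import annotations

import re

# Ordered: credentials first, so a user:pass@host inside a connection string is
# reported once (as a secret), not again as an email address. Dates are
# deliberately absent: logs are full of timestamps, so date-of-birth detection
# needs field context (e.g. a "dob" key), not a bare regex.
PATTERNS = {
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s'\"]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}

def redact_log(text: str) -> tuple[str, list[tuple[int, str]]]:
    """Return (redacted log, [(line_no, kind), ...]). The redacted copy may be
    retained in CloudWatch; the findings fail the job and are audit evidence."""
    findings: list[tuple[int, str]] = []
    out: list[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            line, hits = pattern.subn(f"[REDACTED:{kind}]", line)
            findings.extend((line_no, kind) for _ in range(hits))
        out.append(line)
    return "\n".join(out), findings

def check_build_log(text: str) -> bool:
    """Gate decision: True only when the log carries no PHI or secrets."""
    return not redact_log(text)[1]

# Constructed sample log with fictitious values, as a CI job might emit it.
SAMPLE_LOG = """\
[12:01:03] Installing dependencies...
[12:01:09] DATABASE_URL=postgresql://app:Sup3rS3cret@prod-db.internal:5432/ehr
[12:01:12] Seeding fixture patient John Doe, SSN 123-45-6789, MRN: 00482913
[12:01:14] Notified jane.doe@example.com of appointment
[12:01:20] Build succeeded in 17s
"""

if __name__ == "__main__":
    clean, findings = redact_log(SAMPLE_LOG)
    print("\n".join(f"line {n}: {k}" for n, k in findings) or "clean")
    print(clean)
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the job
```

Wire it as the last step of the job, on the raw log, before any upload; the redacted copy is the only version that should reach CloudWatch.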
Track record
Healthtech startup: HIPAA and SOC 2, passed.
~10-person healthtech startup, Series A prep
A provider-patient collaboration platform engaged Forged Concepts to take an MVP that was not designed to scale and turn it into a HIPAA and SOC 2 ready production environment. The architecture: Lambda and ECS for serverless application workloads, S3 for storage, EC2, VPC, and load balancing for the core network, GuardDuty and Inspector for continuous threat and vulnerability detection, S3 virus scanning on uploads, CloudTrail and AWS Config for audit evidence, IAM policies enforcing least privilege, secure developer instances, and an automated Git-driven CI/CD pipeline with multi-environment rollout.
Compliance was built into the pipeline as continuous evidence collection, not a one-time checkbox before each audit. Disaster recovery and backup policies were planned, documented, and tested.
HIPAA audit: Passed
SOC 2 audit: Passed
Deployments: Manual delays to minutes
Engagement: 3-year ongoing partnership
SOC 2 for HealthTech
Enterprise healthcare buyers require SOC 2 Type II from their software vendors, not just HIPAA compliance. SOC 2 evaluates whether your security controls operated effectively over a 6–12 month observation period.
The HIPAA and SOC 2 controls overlap significantly. Implementing them together costs less than implementing them sequentially.
Access and API call logging, the primary evidence for access control and monitoring criteria
Configuration compliance tracking over time, showing your environment matched stated policies throughout the observation period
Continuous threat detection findings demonstrate that you monitor for anomalous activity
Credential rotation history demonstrates no static long-lived credentials
Availability metrics and alarm history, providing evidence for the Availability trust service criteria
Beyond HIPAA
HITRUST certification and what it means for enterprise sales.
HITRUST CSF (Common Security Framework) is a voluntary certification framework that maps controls to HIPAA, NIST, ISO 27001, and other standards, then provides formal certification through independent third-party assessment. Enterprise healthcare buyers, including large health systems, payers, and hospital networks, increasingly require HITRUST from technology vendors.
HITRUST sits above HIPAA compliance on the credibility spectrum. Where HIPAA has no formal certification (you comply or you don't, enforcement is complaint-driven), HITRUST provides a scored, audited, time-bounded certificate that enterprise procurement teams accept in lieu of their own security assessments.
AWS environments designed for HIPAA compliance with GuardDuty, CloudTrail, KMS, Secrets Manager, WAF, and VPC isolation provide the technical foundation for HITRUST r2 certification. Forged Concepts designs environments that satisfy HIPAA requirements and can serve as the technical foundation for HITRUST, reducing the gap between compliant and certified to policy documentation and a formal assessment.
HIPAA
US federal law. No official certification body. Enforcement is complaint-driven through HHS. Required for covered entities and business associates.
SOC 2 Type II
6–12 month audit of whether your controls operated effectively. Required by most enterprise SaaS buyers alongside a BAA.
HITRUST CSF
Voluntary certification framework. Scored, audited, time-bounded certificate. Accepted by enterprise health systems and payers in lieu of their own vendor assessments.
How we engage
Three ways healthcare teams bring us in.
Pre-audit HIPAA buildout
Full HIPAA AWS environment designed and shipped in Terraform or CDK before the first audit.
Common at healthtech startups signing their first enterprise health system customer, or when a new CISO inherits a non-compliant environment.
Audit remediation and SOC 2 renewal
Targeted fixes to specific control gaps, plus the evidence pipeline auditors expect on the next cycle.
SOC 2 Type II renewal, a new enterprise customer requiring HITRUST, or an open audit finding on an existing control.
BAA-covered environment for EHR and telehealth SaaS
AWS architecture under a signed BAA with ongoing compliance evidence collection wired into the pipeline.
Investor due diligence on security posture, a customer security questionnaire that exposes architectural gaps, or an audit inside 90 days.
If your audit is in 90 days, your enterprise customer is requiring a HIPAA BAA, or you are handling PHI for the first time, book a strategy call. We scope these engagements honestly and tell you what's realistic in your timeline.
FAQ
Common questions about HIPAA and AWS.
Does AWS sign a Business Associate Agreement (BAA)?
Yes. AWS signs a BAA via AWS Artifact. You can download and accept it directly from the AWS console without legal negotiation. The AWS BAA covers the infrastructure layer (compute, storage, networking) for HIPAA-eligible services. It does not cover your application code, configuration, or data handling; those are your responsibility under the shared responsibility model. Forged Concepts handles the architecture decisions that keep PHI within the services the BAA covers.
What is Protected Health Information (PHI)?
PHI is any individually identifiable health data that a covered entity or business associate creates, receives, maintains, or transmits. It includes: patient names, dates (birth, admission, discharge), contact information (address, phone, email), Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, device identifiers, and any other unique identifier linked to health information. On AWS, PHI must be encrypted at rest (KMS) and in transit (TLS), access-controlled (IAM least privilege), and audit-logged (CloudTrail).
What are HIPAA-eligible AWS services?
AWS maintains a list of HIPAA-eligible services: services that AWS includes in its BAA and for which HIPAA controls are implemented at the infrastructure level. Key HIPAA-eligible services include: EC2, RDS, S3, CloudTrail, GuardDuty, KMS, Secrets Manager, Lambda, ECS, EKS, CloudWatch, WAF, and HealthLake. Non-eligible services should not store or process PHI.
What is a HIPAA-compliant CI/CD pipeline?
A HIPAA-compliant CI/CD pipeline ensures that: PHI never appears in build logs or CI/CD environment variables (use Secrets Manager instead), deployment credentials are scoped to the minimum required permissions, every deployment is logged with a change record (who deployed what, when), dev and prod are separated with distinct IAM roles, and build environments are inside the VPC where PHI systems live (self-hosted runners, not GitHub-hosted).
What is the difference between HIPAA and HITRUST?
HIPAA is a US federal law. You must comply with it, but there is no official HIPAA certification body. HITRUST CSF (Common Security Framework) is a voluntary certification framework that maps controls to HIPAA (plus PCI DSS, NIST, and other standards) and provides formal certification through independent assessment. Enterprise healthcare buyers and health insurers increasingly require HITRUST certification from vendors. Forged Concepts designs AWS environments that satisfy HIPAA requirements and can serve as the technical foundation for HITRUST certification.
What is the HIPAA shared responsibility model on AWS?
AWS is responsible for securing the underlying infrastructure (data centers, hardware, hypervisor). You are responsible for securing what you build on AWS: application configuration, IAM policies, encryption implementation, access controls, and data handling. AWS holding a HIPAA attestation does not mean your application is HIPAA compliant. That depends on how you configure and use AWS services. Forged Concepts handles the configuration layer that determines whether your AWS environment meets HIPAA requirements.
Do you have experience with HIPAA and SOC 2 audits?
Yes. Forged Concepts has guided healthcare clients through HIPAA and SOC 2 audits on AWS. Typical engagements include Lambda and ECS for serverless workloads, VPC isolation, CloudTrail and AWS Config for audit evidence, GuardDuty and Inspector for threat and vulnerability detection, S3 virus scanning, IAM least-privilege policies, an automated Git-driven CI/CD pipeline with multi-environment rollout, and a tested disaster recovery plan. Continuous compliance evidence is collected through the pipeline rather than reconstructed before each audit.
How do you handle EHR modernization on AWS?
EHR (Electronic Health Record) modernization on AWS typically involves replatforming legacy applications from on-premises servers to ECS or EKS, migrating self-managed databases to RDS or Aurora (with encryption at rest via KMS and Multi-AZ for HIPAA availability requirements), and setting up HealthLake for FHIR-compliant data exchange. Zero-downtime cutover plans maintain BAA coverage through the migration.
Ready when you are
Need senior AWS expertise without building a full internal team?
Forged Concepts helps growing companies improve AWS performance, control cloud costs, modernize infrastructure, and build with confidence. If your team needs stronger cloud architecture, better operations, or a clearer path forward on AWS, let's talk.