BBAA Atlas

Is Amazon Web Services (AWS) HIPAA compliant?

Cloud infrastructure · vendor site ↗

Signs a BAAPHI with conditionsSOC 2 Type II
Will Amazon Web Services (AWS) sign a HIPAA BAA?
Yes — Amazon Web Services (AWS) will sign a HIPAA Business Associate Agreement (BAA).
AWS provides a standard Business Associate Addendum self-service via AWS Artifact (per-account or org-wide), but PHI may only be processed in HIPAA-eligible services listed in the AWS HIPAA Eligible Services Reference.
PHI eligibility
PHI is permitted only in AWS HIPAA-eligible services under a signed BAA, with encryption of PHI at rest and in transit required.
SOC 2
SOC 2 Type II
Trust center
aws.amazon.com
Sub-processors
Notes
Eligibility varies by service/feature/Region; the BAA is self-service via AWS Artifact.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with Amazon Web Services (AWS) before storing PHI.

Get notified when this changes

We track Amazon Web Services (AWS)'s BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with Amazon Web Services (AWS)

Yes — Amazon Web Services (AWS) will sign a HIPAA Business Associate Agreement (BAA).

Request routeSelf-serve — enable it in your account
  1. 1
    Confirm your account is covered
    AWS provides a standard Business Associate Addendum self-service via AWS Artifact (per-account or org-wide), but PHI may only be processed in HIPAA-eligible services listed in the AWS HIPAA Eligible Services Reference.
  2. 2
    Request the Business Associate Agreement
    Amazon Web Services (AWS) lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI is permitted only in AWS HIPAA-eligible services under a signed BAA, with encryption of PHI at rest and in transit required. Match your configuration to this scope before putting protected health information into Amazon Web Services (AWS).
Before you sign — watch for
  • The BAA may be US-only or region-specific — non-US teams should ask for the equivalent agreement.
  • HIPAA is enabled per account / workspace — each one needs its own BAA, not a single org-wide signature.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Amazon Web Services (AWS) before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does Amazon Web Services (AWS) sign a HIPAA Business Associate Agreement (BAA)?
Yes — Amazon Web Services (AWS) will sign a HIPAA Business Associate Agreement (BAA). AWS provides a standard Business Associate Addendum self-service via AWS Artifact (per-account or org-wide), but PHI may only be processed in HIPAA-eligible services listed in the AWS HIPAA Eligible Services Reference.
Is Amazon Web Services (AWS) HIPAA compliant?
Amazon Web Services (AWS) can be used in a HIPAA-compliant way: it signs a Business Associate Agreement (BAA), which HIPAA requires before you process PHI with a vendor. PHI is permitted only in AWS HIPAA-eligible services under a signed BAA, with encryption of PHI at rest and in transit required.
Can you store PHI (protected health information) in Amazon Web Services (AWS)?
PHI is permitted only in AWS HIPAA-eligible services under a signed BAA, with encryption of PHI at rest and in transit required.
Is Amazon Web Services (AWS) SOC 2 certified?
Amazon Web Services (AWS) reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Amazon Web Services (AWS)?
Amazon Web Services (AWS) lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with Amazon Web Services (AWS) before storing PHI.
What plan do I need to sign a BAA with Amazon Web Services (AWS)?
AWS provides a standard Business Associate Addendum self-service via AWS Artifact (per-account or org-wide), but PHI may only be processed in HIPAA-eligible services listed in the AWS HIPAA Eligible Services Reference.

Sources

HIPAA Compliance — Amazon Web Services (AWS)
https://aws.amazon.com/compliance/hipaa-compliance/
Supports: AWS presents a standard BAA via AWS Artifact; PHI restricted to HIPAA-eligible services; shared responsibility modeldated: undated
HIPAA Eligible Services Reference — AWS
https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
Supports: Customers agree not to use HIPAA-eligible services with PHI without first entering an AWS business associate agreementdated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Amazon Web Services (AWS) before processing protected health information.

Check another vendor

DigitalOceanBAA on select plansGoogle Cloud Platform (GCP)Signs a BAAMicrosoft AzureSigns a BAAActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plans

See all HIPAA compliant cloud infrastructure & hosting
Browse all 105 vendors by category →