Does AWS sign a HIPAA BAA?

Yes — Amazon Web Services offers a HIPAA Business Associate Addendum (BAA) to all commercial AWS accounts at no additional charge. The BAA is accepted self-service through AWS Artifact, AWS's compliance document portal. Once accepted, you can run HIPAA workloads on the HIPAA-eligible services listed in the BAA. AWS GovCloud accounts also qualify.

Which AWS services are HIPAA eligible?

AWS maintains a published list of HIPAA-eligible services that is updated regularly. Core eligible services include: Amazon EC2, S3, RDS, DynamoDB, Lambda, ECS, EKS, SageMaker, CloudWatch, CloudTrail, KMS, IAM, VPC, SNS, SQS, API Gateway, Elastic Load Balancing, and many more. Services not on the HIPAA-eligible list cannot be used to store or process PHI, even if the BAA is in place.

Is the AWS BAA automatic or do I need to request it?

It is not automatic. You must actively accept the AWS Business Associate Addendum through AWS Artifact, which is accessible from the AWS Management Console under Compliance. The BAA applies to your entire AWS account once accepted — you don't need separate BAAs per service or per region. However, you must only run PHI workloads on HIPAA-eligible services, and you are responsible for configuring those services securely.

Vendor BAA Guide

Does AWS Sign a HIPAA Business Associate Agreement?

By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 28, 2026 · 3 min read

Need a BAA right now?

Generate my BAA → Download Free BAA Template → See pricing →

Key Takeaways

✓ Yes — AWS offers a HIPAA BAA (Business Associate Addendum) to all commercial accounts
✓ Self-service acceptance through AWS Artifact — no sales contact required
✓ BAA covers only HIPAA-eligible services — AWS maintains a published eligible services list
⚠ Using non-eligible services with PHI is a violation even after the BAA is accepted
✓ You are still responsible for securing your AWS environment — the BAA covers AWS's obligations, not your configuration

Direct answer: Yes — AWS offers a HIPAA Business Associate Addendum (BAA) at no extra charge to all commercial AWS accounts. It is accepted self-service via AWS Artifact in the AWS Console. The BAA applies account-wide but only covers HIPAA-eligible services — a published list that excludes some AWS services.

AWS is the dominant cloud infrastructure provider for healthcare workloads. Hospitals, health systems, digital health startups, and healthcare SaaS companies all run PHI on AWS. Here's the complete picture on AWS's HIPAA BAA — what it covers, how to get it, and the critical restrictions you need to understand.

How to Execute the AWS BAA via AWS Artifact

The AWS BAA is self-service and costs nothing beyond your normal AWS usage:

Log in to the AWS Management Console
Navigate to AWS Artifact (search "Artifact" in the services search bar)
Go to Agreements → AWS Business Associate Addendum
Review the BAA and click Accept
The BAA is effective immediately and applies to your entire account

The BAA applies at the account level. If you have multiple AWS accounts (e.g., separate production and development accounts), you must accept the BAA in each account where PHI will be processed.

AWS HIPAA-Eligible Services List (2026)

This is the most critical thing to understand about AWS's HIPAA BAA. The BAA only covers services on AWS's official HIPAA-eligible services list. Using a non-eligible service with PHI — even after the BAA is accepted — is a compliance violation. AWS publishes an updated list at aws.amazon.com/compliance/hipaa-eligible-services-reference; as of 2026, 150+ services are HIPAA-eligible.

Commonly used HIPAA-eligible AWS services, organized by category:

Compute: EC2, Lambda, ECS, EKS, Fargate, Elastic Beanstalk, Batch, App Runner, Lightsail (select instances)
Storage: S3, EBS, EFS, FSx, Storage Gateway, Glacier, Backup
Database: RDS (all engines), Aurora, Aurora Serverless, DynamoDB, DocumentDB, Neptune, ElastiCache (Redis & Memcached), Redshift, Timestream, Keyspaces, MemoryDB
Networking & CDN: VPC, Route 53, CloudFront, Elastic Load Balancing (ALB/NLB), API Gateway, Direct Connect, Transit Gateway, Global Accelerator, AppSync
Security & Identity: IAM, KMS, Secrets Manager, CloudHSM, CloudTrail, GuardDuty, Security Hub, WAF, Shield, Inspector, Macie, Cognito, Network Firewall, Detective
AI/ML: SageMaker (all components), Bedrock, Comprehend Medical, HealthLake, Textract, Rekognition (with caveats), Translate, Transcribe Medical, Lex, Polly
Containers & serverless orchestration: ECR, App Mesh, Step Functions, EventBridge
Messaging & integration: SQS, SNS, SES, MQ, AppFlow, Connect (contact center)
Monitoring & ops: CloudWatch, X-Ray, Config, Systems Manager, OpsWorks
Analytics: Athena, EMR, Glue, Kinesis (Data Streams, Firehose, Analytics, Video Streams), MSK (Managed Kafka), QuickSight (Enterprise edition for PHI)

Notable AWS services NOT HIPAA-eligible as of 2026: WorkMail, WorkDocs (general use), Personalize (some configs), several AI services in preview, and any service marked "Preview" or in early-access status. Always verify against AWS's published list — AWS rarely removes services from eligibility, but new services aren't covered until added.

The published HIPAA-eligible list is the authoritative source. Bookmark it and check before deploying any new service with PHI.

What the AWS BAA Covers

The AWS Business Associate Addendum establishes AWS's obligations as a business associate when handling PHI stored in your AWS environment. It covers:

AWS's commitment to implement appropriate safeguards for PHI in its infrastructure
Breach notification obligations to your organization
AWS's subprocessor arrangements
Return or deletion of PHI upon termination of services

Critically, the AWS BAA covers AWS's responsibilities — not yours. You remain responsible for how you configure and secure your AWS environment. Misconfigured S3 buckets, unencrypted EBS volumes, improper IAM policies, and insecure application code are all your responsibility regardless of the BAA.

Shared Responsibility Under the AWS BAA

AWS operates under a shared responsibility model for security. For HIPAA workloads:

AWS is responsible for: physical data center security, hypervisor security, network infrastructure, hardware
You are responsible for: encryption configuration, access controls, application security, data classification, audit logging configuration, incident response

The BAA doesn't make your AWS workload HIPAA compliant — it establishes the contractual framework. Compliance requires proper technical and administrative controls on your side.

Generate a compliant BAA in 5 minutes

HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word

Generate my BAA → See pricing →

No subscription · PDF + Word · Free watermarked preview

Related: Cloud platforms

Azure Google Cloud Google Workspace Microsoft 365