Does AWS sign a HIPAA BAA?

Yes — Amazon Web Services offers a HIPAA Business Associate Addendum (BAA) to all commercial AWS accounts at no additional charge. The BAA is accepted self-service through AWS Artifact, AWS's compliance document portal. Once accepted, you can run HIPAA workloads on the HIPAA-eligible services listed in the BAA. AWS GovCloud accounts also qualify.

Which AWS services are HIPAA eligible?

AWS maintains a published list of HIPAA-eligible services that is updated regularly. Core eligible services include: Amazon EC2, S3, RDS, DynamoDB, Lambda, ECS, EKS, SageMaker, CloudWatch, CloudTrail, KMS, IAM, VPC, SNS, SQS, API Gateway, Elastic Load Balancing, and many more. Services not on the HIPAA-eligible list cannot be used to store or process PHI, even if the BAA is in place.

Is the AWS BAA automatic or do I need to request it?

It is not automatic. You must actively accept the AWS Business Associate Addendum through AWS Artifact, which is accessible from the AWS Management Console under Compliance. The BAA applies to your entire AWS account once accepted — you don't need separate BAAs per service or per region. However, you must only run PHI workloads on HIPAA-eligible services, and you are responsible for configuring those services securely.

Vendor BAA Guide

Does AWS Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 4 min read

Key Takeaways

✓ Yes — AWS offers a HIPAA BAA (Business Associate Addendum) to all commercial accounts
✓ Self-service acceptance through AWS Artifact — no sales contact required
✓ BAA covers only HIPAA-eligible services — AWS maintains a published eligible services list
⚠ Using non-eligible services with PHI is a violation even after the BAA is accepted
✓ You are still responsible for securing your AWS environment — the BAA covers AWS's obligations, not your configuration

Direct answer: Yes — AWS offers a HIPAA Business Associate Addendum (BAA) at no extra charge to all commercial AWS accounts. It is accepted self-service via AWS Artifact in the AWS Console. The BAA applies account-wide but only covers HIPAA-eligible services — a published list that excludes some AWS services.

AWS is the dominant cloud infrastructure provider for healthcare workloads. Hospitals, health systems, digital health startups, and healthcare SaaS companies all run PHI on AWS. Here's the complete picture on AWS's HIPAA BAA — what it covers, how to get it, and the critical restrictions you need to understand.

How to Accept the AWS HIPAA BAA

The AWS BAA is self-service and costs nothing beyond your normal AWS usage:

Log in to the AWS Management Console
Navigate to AWS Artifact (search "Artifact" in the services search bar)
Go to Agreements → AWS Business Associate Addendum
Review the BAA and click Accept
The BAA is effective immediately and applies to your entire account

The BAA applies at the account level. If you have multiple AWS accounts (e.g., separate production and development accounts), you must accept the BAA in each account where PHI will be processed.

HIPAA-Eligible vs. Non-Eligible AWS Services

This is the most critical thing to understand about AWS's HIPAA BAA. The BAA only covers services on AWS's official HIPAA-eligible services list. Using a non-eligible service with PHI — even after the BAA is accepted — is a compliance violation.

Commonly used HIPAA-eligible AWS services include:

Compute: EC2, Lambda, ECS, EKS, Fargate, Elastic Beanstalk
Storage: S3, EBS, EFS, Glacier
Database: RDS, Aurora, DynamoDB, ElastiCache, Redshift
Networking: VPC, Route 53, CloudFront, Elastic Load Balancing, API Gateway
Security: IAM, KMS, CloudTrail, GuardDuty, Security Hub, WAF
AI/ML: SageMaker, Comprehend Medical, HealthLake
Messaging: SQS, SNS, SES (with caveats)

Always verify the current eligibility of any service at AWS's official HIPAA Eligible Services reference page before using it with PHI, as the list is updated regularly as services are added.

What the AWS BAA Covers

The AWS Business Associate Addendum establishes AWS's obligations as a business associate when handling PHI stored in your AWS environment. It covers:

AWS's commitment to implement appropriate safeguards for PHI in its infrastructure
Breach notification obligations to your organization
AWS's subprocessor arrangements
Return or deletion of PHI upon termination of services

Critically, the AWS BAA covers AWS's responsibilities — not yours. You remain responsible for how you configure and secure your AWS environment. Misconfigured S3 buckets, unencrypted EBS volumes, improper IAM policies, and insecure application code are all your responsibility regardless of the BAA.

Shared Responsibility Under the AWS BAA

AWS operates under a shared responsibility model for security. For HIPAA workloads:

AWS is responsible for: physical data center security, hypervisor security, network infrastructure, hardware
You are responsible for: encryption configuration, access controls, application security, data classification, audit logging configuration, incident response

The BAA doesn't make your AWS workload HIPAA compliant — it establishes the contractual framework. Compliance requires proper technical and administrative controls on your side.

Need a BAA for your other vendors?

Beyond AWS, your healthcare app needs BAAs with your EHR integrations, billing services, analytics tools, and more. Generate them in minutes.

Generate BAA for Free →