
HIPAA Reference Architecture on AWS

Deploy a cloud architecture that helps support your HIPAA-compliance program

This Quick Start is for people in the healthcare industry who want to run workloads in the Amazon Web Services (AWS) Cloud within the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA). It includes AWS CloudFormation templates that automatically deploy the environment and configure AWS resources.

The security controls matrix shows how Quick Start architecture decisions, components, and configurations map to HIPAA regulatory requirements.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architectures to help managed service providers, cloud-provisioning teams, developers, integrators, and information-security teams follow strict security, compliance, and risk-management controls. For additional Quick Starts in this category, see the Quick Start catalog.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

This Quick Start was developed by AWS.

What you'll build

This Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.
    • Three virtual private clouds (VPCs): management, production, and development. The VPCs are configured with subnets, according to AWS best practices, to provide you with your own virtual network on AWS.
    • In the management VPC:
      • An internet gateway, which serves as a highly available centralized point of egress for internet traffic.
      • Public subnets that include managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
      • Private subnets for deploying your security and infrastructure controls.
      • Flow logs for auditing.
    • In the production VPC:
      • Private subnets for deploying your production workloads.
      • Flow logs for auditing.
    • In the development VPC:
      • Private subnets for deploying your development workloads.
      • Flow logs for auditing.
    • AWS Transit Gateway for VPC-to-VPC communication and customer connectivity.
    • For logging and audit controls:
      • VPC flow logs from all three VPCs, delivered to an Amazon Simple Storage Service (Amazon S3) bucket for retention and review.
      • Amazon CloudWatch for metric monitoring and threshold alarms.
      • AWS Config with the conformance pack for HIPAA, a collection of AWS Config rules that map HIPAA controls to the configuration items of your resources. Configuration history and snapshots are delivered to an S3 bucket.
      • AWS CloudTrail for logging API activity across the account. Trail logs are delivered to an S3 bucket.
    • For customer connectivity:
      • AWS Site-to-Site VPN or AWS Direct Connect to connect with AWS Transit Gateway.
    • For access control and alerting:
      • Amazon Simple Notification Service (Amazon SNS) for sending email alerts from alarms.
      • AWS Identity and Access Management (IAM) for access control and authorization.
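    The audit controls listed above depend on every VPC actually having a flow log that captures all traffic to S3 and on CloudTrail being switched on with log-file validation. The following script is an added example, not part of the Quick Start's own templates: it loads a constructed CloudFormation template in JSON form (the Quick Start's real templates are not reproduced here) and reports each VPC or trail that falls short of that baseline. Resource types and property names (AWS::EC2::FlowLog, TrafficType, LogDestinationType, AWS::CloudTrail::Trail, IsLogging, EnableLogFileValidation, IsMultiRegionTrail) are the real CloudFormation ones; the logical IDs and CIDR ranges are invented for the sample.

```python
"""Offline check that a CloudFormation template keeps the audit controls the
architecture relies on: every VPC has a flow log capturing ALL traffic to S3,
and a CloudTrail trail is logging across Regions with log-file validation on.
Added example; SAMPLE_TEMPLATE is constructed, not a Quick Start template."""
import copy

# Constructed sample in CloudFormation JSON form. ProductionVPC's flow log
# captures only rejected traffic, DevelopmentVPC has no flow log at all, and
# the trail does not validate its log files. All three gaps are reported.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "ManagementVPC": {"Type": "AWS::EC2::VPC",
                          "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "ProductionVPC": {"Type": "AWS::EC2::VPC",
                          "Properties": {"CidrBlock": "10.1.0.0/16"}},
        "DevelopmentVPC": {"Type": "AWS::EC2::VPC",
                           "Properties": {"CidrBlock": "10.2.0.0/16"}},
        "ManagementFlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {
            "ResourceType": "VPC", "ResourceId": {"Ref": "ManagementVPC"},
            "TrafficType": "ALL", "LogDestinationType": "s3",
            "LogDestination": {"Fn::GetAtt": ["LogBucket", "Arn"]}}},
        "ProductionFlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {
            "ResourceType": "VPC", "ResourceId": {"Ref": "ProductionVPC"},
            "TrafficType": "REJECT", "LogDestinationType": "s3",
            "LogDestination": {"Fn::GetAtt": ["LogBucket", "Arn"]}}},
        "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
            "S3BucketName": {"Ref": "LogBucket"},
            "IsLogging": True, "IsMultiRegionTrail": True}},
    }
}


def _resources(template, type_name):
    """Yield (logical_id, properties) for every resource of the given type."""
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") == type_name:
            yield lid, res.get("Properties", {})


def _ref(value):
    """Logical ID behind a {"Ref": ...} intrinsic, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def flow_log_findings(template):
    """One finding per VPC with no flow log, or none capturing ALL traffic to s3."""
    logs_by_vpc = {}
    for lid, props in _resources(template, "AWS::EC2::FlowLog"):
        if props.get("ResourceType") == "VPC":
            logs_by_vpc.setdefault(_ref(props.get("ResourceId")), []).append(props)
    findings = []
    for vpc, _ in _resources(template, "AWS::EC2::VPC"):
        logs = logs_by_vpc.get(vpc, [])
        if not logs:
            findings.append(f"{vpc}: no VPC flow log")
        elif not any(p.get("TrafficType") == "ALL" and p.get("LogDestinationType") == "s3"
                     for p in logs):
            findings.append(f"{vpc}: no flow log capturing ALL traffic to s3")
    return findings


def cloudtrail_findings(template):
    """A logging trail must exist; each trail should validate logs and span all Regions."""
    trails = list(_resources(template, "AWS::CloudTrail::Trail"))
    findings = []
    if not any(p.get("IsLogging") is True for _, p in trails):
        findings.append("no CloudTrail trail with IsLogging: true")
    for lid, p in trails:
        if p.get("EnableLogFileValidation") is not True:
            findings.append(f"{lid}: EnableLogFileValidation is not true")
        if p.get("IsMultiRegionTrail") is not True:
            findings.append(f"{lid}: IsMultiRegionTrail is not true")
    return findings


def audit_findings(template):
    """All audit-control gaps in the template, in the order they were found."""
    return flow_log_findings(template) + cloudtrail_findings(template)


def remediated_sample():
    """Copy of SAMPLE_TEMPLATE with each of its three gaps closed."""
    fixed = copy.deepcopy(SAMPLE_TEMPLATE)
    res = fixed["Resources"]
    res["ProductionFlowLog"]["Properties"]["TrafficType"] = "ALL"
    res["DevelopmentFlowLog"] = copy.deepcopy(res["ManagementFlowLog"])
    res["DevelopmentFlowLog"]["Properties"]["ResourceId"] = {"Ref": "DevelopmentVPC"}
    res["AuditTrail"]["Properties"]["EnableLogFileValidation"] = True
    return fixed


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
    print("after remediation:", audit_findings(remediated_sample()) or "no findings")
```

Run it against a real template by loading the JSON with `json.load` and passing the dict to `audit_findings`; templates written in YAML with `!Ref`-style short tags need a CloudFormation-aware YAML loader first, which this example deliberately leaves out. The check is per-template, so run it on each stack that creates a VPC.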
How to deploy

Before you deploy the HIPAA Reference Architecture Quick Start with protected health information (PHI), you must accept the AWS Business Associate Addendum (BAA) and configure your AWS account as required by the AWS BAA. To deploy the Quick Start, follow the instructions in the deployment guide. The deployment process takes about 15 minutes and includes these steps:

    1. Sign in to your AWS account. If you don’t have an AWS account, sign up at
    2. Launch the Quick Start. Before you create this stack, choose the AWS Region from the top toolbar.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this Partner Solution.  

Cost and licenses

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. This Quick Start does not require additional licenses for deployment.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?