Compliance in the cloud
Elevate your operations with AWS, designed to meet rigorous compliance standards including HIPAA, HITRUST, GxP, and more.
Unlocking Innovation with Secure, Compliant Cloud Services
HIPAA Compliance
- HIPAA eligibility maintained by AWS across applicable services
- Streamlined process for executing Business Associate Agreements (BAAs)
- Built-in technical safeguards to protect Protected Health Information (PHI)
- Comprehensive audit trails and fine-grained access controls for enhanced oversight

GxP Compliance
- Reduced time to provision, configure, and test GxP compliance-aligned infrastructure
- Seamless inheritance of global security and compliance controls
- Continuous monitoring and alerting

Comprehensive Security Controls
- End-to-end encryption for data in transit and at rest
- Granular Identity and Access Management (IAM)
- Network isolation and segmentation
- 24/7 infrastructure monitoring and threat detection

Global Compliance Framework
- HITRUST CSF Certified
- SOC 1, 2, and 3 reports
- ISO 27001, 27017, and 27018
- GDPR and regional data protection standards

Building Secure Solutions Together
Compliance is a Shared Responsibility. We believe in transparent security partnerships. While AWS manages the security OF the cloud, you maintain complete control over your security IN the cloud.

Certifications
Our independent third-party certifications demonstrate our commitment to "security of the cloud." Customers inherit these compliance certifications and can use them to demonstrate part of their compliance to auditors and regulators. Our compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report, or attestation of compliance. Key certifications and attestations include:
- ISO 9001
- ISO 27001, 27017, 27018
- SOC 1, 2, 3
- PCI DSS Level 1
- FedRAMP
- Cyber Essentials Plus
- DoD SRG
Regulations
For industry regulations like HIPAA, HITECH, GxP, and GDPR, we offer robust security features and legal agreements, including our Business Associate Addendum (BAA) and Data Processing Agreement (DPA). Healthcare Laws include:
- GDPR
- HIPAA
- HITECH
- PDPA 2012 (Singapore)
- PIPEDA (Canada)
- Privacy Act (Australia)
- PDPA 2010 (Malaysia)
Industry Frameworks
Our alignment with industry frameworks further supports your compliance needs. Key Alignment & Frameworks include:
- CSA (Cloud Security Alliance)
- EU-US Privacy Shield
- NIST
- BioPhorum IT Controls
GxP Compliance on AWS
With access to purpose-built solutions, technical resources, and a team of GxP experts, AWS makes it easier for life sciences organizations to establish a GxP-aligned environment that reduces costs, improves security, and enhances agility.
Automate GxP compliance
AWS provides the tools and guidance to automate GxP compliance so you can move fast while staying compliant.

Introduce automatic traceability
Use AWS to automatically log activities in your environment to support audit requests.

Develop a consistent and controllable infrastructure
Create templates to reuse your infrastructure throughout your organization, and control who can change elements of your infrastructure software, and when.

Global Healthcare Compliance & Framework Alignments
United States
AWS & FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that delivers a standard approach to the security assessment, authorization and continuous monitoring of cloud products and services. FedRAMP is mandatory for all US federal agencies, including the U.S. Department of Health and Human Services, and for the cloud services they use.
Two separate FedRAMP Agency authorizations have been issued: one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions.
AWS & HITRUST Compliance
The HITRUST CSF (Cloud Security Framework) serves to unify security controls based on aspects of US federal law (such as HIPAA and HITECH), state law (such as Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth), and recognized non-governmental compliance standards (such as PCI DSS) into a single framework that is tailored for healthcare needs.
Certain AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF Assessor as meeting the HITRUST CSF v9.3 Certification Criteria.
Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services.
AWS, HIPAA, and HITECH Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that is designed to make it easier for US workers to retain health insurance coverage when they change or lose their jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.
Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the "Administrative Simplification" rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.
Key Regulator: FDA
The US Food and Drug Administration (FDA) established 21 CFR Part 11, its regulations on electronic records and electronic signatures. 21 CFR Part 11 applies to life science industries that fall under the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. Collectively those are identified as “Predicate Rules”. In essence, Part 11 applies when the record in question is predicated on one of these rules.
Data Integrity & United States: FDA
Regulators around the world continue to scrutinize data integrity issues in the life science industries. The FDA published guidance on data integrity to provide clarity to life science organizations so that these issues can be proactively addressed.
Canada
Personal Information Protection and Electronic Documents Act (PIPEDA)
Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces.
The Health Information Act (HIA) is the privacy law in Alberta that applies to the collection, use, disclosure and protection of health information that is in the custody or under the control of a custodian.
The AWS Canada (Central) Region is currently available for multiple services, such as: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS).
Personal Health Information Protection Act (Ontario)
The Personal Health Information Protection Act (PHIPA) is privacy legislation in Ontario that applies to the collection, use, and disclosure of personal health information (PHI) in the course of providing or facilitating healthcare services.
United Kingdom
Health and Social Care Cloud Security – Good Practice Guide
Key Regulator: MHRA
The MHRA continues to place greater focus on data integrity. The increasing use of electronic data capture, automation of systems, and remote technologies has increased the complexity of supply chains and ways of working – which includes the use of third-party suppliers. The MHRA published its Data Integrity guidance specifically to provide greater clarity and to set expectations for the life science industries to ensure data integrity compliance.
France
Hébergeur de Données de Santé (HDS)
Introduced by the French governmental agency for health, “Agence du Numérique en Santé” (ANS), the Hébergeur de Données de Santé (HDS) certification aims to strengthen the security and protection of personal health data.
To be HDS certified, an IT provider must be ISO 27001 certified. This means that the services covered by our ISO 27001 certification are included in the scope of HDS. The AWS services that are in scope for the ISO/IEC 27001:2013 certification can be found on the ISO Certified webpage.
Data Integrity & EMA
Data integrity continues to be an important topic worldwide. The European Medicines Agency (EMA) has published new Good Manufacturing Practice (GMP) guidance on data integrity that covers data generated in the testing, manufacturing, packaging, distribution and monitoring of medicines.
Germany
DiGAV compliance
DiGAV was introduced in April 2020 to support the digitization of the German health system. DiGAV enables certain healthcare applications to be recognized as refundable under the German statutory health insurance system. However, for organizations to comply with and enable eligibility for reimbursement through DiGAV, they must demonstrate that their applications meet DiGAV data protection requirements, including that personal data is processed exclusively within the European Economic Area (EEA) or a country with an adequacy decision by the European Commission based on Article 45 of the EU General Data Protection Regulation (GDPR).
AWS provides a number of industry-leading tools to help customers address local regulatory and legislative requirements, including the German Digital Supply Act (DVG) and the associated Digital Health Applications Ordinance (DiGAV), as they move healthcare workloads to the cloud.
Japan
Act on the Protection of Personal Information (APPI)
The Act on the Protection of Personal Information (APPI) is the primary legislation dealing with personal data in Japan.
The APPI applies to all business operators (individuals and entities) that handle personal information. The APPI also distinguishes between personal information and personal data (which the APPI defines as personal information that constitutes part of a personal information database). Obligations on business operators vary depending on whether they acquire, use, or provide personal information or personal data.
AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2, and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.
Singapore
Personal Data Protection Act 2012 (PDPA)
The Personal Data Protection Act 2012 (PDPA) is the law that applies to the protection of personal data in Singapore, including when the personal data is transferred internationally for processing. The PDPA governs the collection, use, disclosure and protection of personal data.
AWS supports many healthcare organizations globally by providing the technology needed to move at the speed necessary to have an impact—from using medical data-sharing to diagnose previously unknown diseases, to identifying new viruses to prevent another pandemic, and many other critical functions—all while enabling customers to meet the highest security and compliance requirements. As one example, the Integrated Health Information Systems (IHiS) in Singapore, the agency responsible for supplying the enabling technologies that power Singapore public healthcare, turned to AWS to securely scale its vaccination operations IT systems to sustain significantly higher loads at very short notice, from an initial load of 8,000 daily vaccinations to a peak of 80,000 daily vaccinations within four weeks.