reference deployment

HIPAA Reference Architecture on AWS

Deploy a cloud architecture that helps support your HIPAA-compliance program

This solution is for people in the healthcare industry who want to to run workloads on the Amazon Web Services (AWS) Cloud within the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA).

The security controls matrix shows how solution architecture decisions, components, and configurations map to HIPAA regulatory requirements.

This solution is part of a set of AWS compliance offerings, which provide security-focused architectures to help managed service providers, cloud-provisioning teams, developers, integrators, and information-security teams follow strict security, compliance, and risk-management controls.

Note: Deploying this solution does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

This solution was developed by AWS.

  •  What you'll build
  • This solution sets up the following:

    • A highly available architecture that spans two Availability Zones.
    • Three virtual private clouds (VPCs): management, production, and development. The VPCs are configured with subnets, according to AWS best practices, to provide you with your own virtual network on AWS.
    • In the management VPC:
      • An internet gateway, which serves as a highly available centralized point of egress for internet traffic.
      • Public subnets that include managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
      • Private subnets for deploying your security and infrastructure controls.
      • Flow logs for auditing.
    • In the production VPC:
      • Private subnets for deploying your production workloads.
      • Flow logs for auditing.
    • In the development VPC:
      • Private subnets for deploying your development workloads.
      • Flow logs for auditing.
    • AWS Transit Gateway for VPC-to-VPC communication and customer connectivity.
    • For logging and audit controls:
      • Amazon CloudWatch for metric monitoring and threshold alarms. This service delivers flow logs to an Amazon Simple Storage Service (Amazon S3) bucket.
      • AWS Config with the conformance pack for HIPAA, maps HIPAA controls to AWS configuration items. This service delivers flow logs to an S3 bucket.
      • AWS CloudTrail for AWS access logging. This service delivers flow logs to an S3 bucket.
    • For customer connectivity:
      • AWS Site-to-Site VPN or AWS Direct Connect to connect with AWS Transit Gateway.
    • For access control and alerting:
      • Amazon Simple Notification Service (Amazon SNS) for sending email alerts from alarms.
      • AWS Identity and Access Management (IAM) for access control and authorization.
  •  How to deploy
  • Before you deploy this HIPAA solution using protected health information (PHI), you must accept the AWS Business Associate Addendum (BAA) and configure your AWS account as required by the BAA.

    To deploy this solution, follow the instructions in the deployment guide, which includes these steps.

    1. Sign in to your AWS account. If you don’t have an AWS account, sign up at
    2. Launch the solution. The stack takes about 15 minutes to deploy. Before you create the stack, choose the AWS Region from the top toolbar.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?