Important: This Is Engineering Guidance, Not Legal Advice
HIPAA compliance requires legal counsel. This article covers the technical safeguards that HIPAA requires and how we implement them in production healthcare applications.
Who Needs to Comply
HIPAA applies to Covered Entities and their Business Associates — any vendor that creates, receives, maintains, or transmits Protected Health Information on their behalf. If you are building healthcare SaaS, you are almost certainly a Business Associate and need a signed Business Associate Agreement with every covered entity customer.
Required Technical Safeguards
Access control (45 CFR 164.312(a)): Unique user identification is a required specification, so every person who touches PHI must authenticate as themselves. Shared logins such as a ward, front-desk, or "admin" account are non-compliant, and they also destroy the audit trail described below because the log cannot say who acted. Automatic logoff after a configurable inactivity period; enforce it server-side by expiring the session, not only by hiding the UI in the browser. Encryption is an addressable specification, meaning you implement it or document why an equivalent control is reasonable; for a SaaS product handling PHI, implement it. HIPAA itself names no algorithm or protocol version. Our baseline is AES-256 for PHI at rest and TLS 1.2 minimum (TLS 1.3 preferred) in transit, with the cipher and protocol choices drawn from the NIST guidance that HHS points to.
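The two controls above that live in application code are the idle-session expiry and the TLS floor. The following is an added example, not the article's code, using only the Python standard library; the session table, the 15-minute default, and the SHARED_ACCOUNTS denylist are illustrative assumptions, and the timeout check runs on every request so a client that stops sending heartbeats cannot keep a PHI view alive past the limit.

```python
"""Added example (not the article's code): server-side idle-session expiry and a
client TLS context floored at 1.2, using only the Python standard library."""
from __future__ import annotations

import ssl
from dataclasses import dataclass

# Constructed, illustrative denylist: generic logins the organisation has
# flagged as shared. The real fix is not to issue such accounts in the IdP.
SHARED_ACCOUNTS = {"admin", "frontdesk", "nurse-station"}


@dataclass
class Session:
    session_id: str
    user_id: str          # exactly one named human per session
    last_activity: float  # seconds on a monotonic clock, not wall time


class SessionStore:
    """In-memory session table with a configurable inactivity timeout.

    Expiry is enforced server-side on every request, so a browser tab that
    stops sending heartbeats cannot keep a PHI view alive past the timeout.
    """

    def __init__(self, idle_timeout_seconds: int = 900) -> None:
        if idle_timeout_seconds <= 0:
            raise ValueError("idle timeout must be a positive number of seconds")
        self.idle_timeout = idle_timeout_seconds
        self._sessions: dict[str, Session] = {}

    def create(self, session_id: str, user_id: str, now: float) -> Session:
        # Unique user identification: refuse empty or known-shared identities.
        if not user_id or user_id in SHARED_ACCOUNTS:
            raise ValueError("sessions require a unique, individual user id")
        s = Session(session_id, user_id, now)
        self._sessions[session_id] = s
        return s

    def touch(self, session_id: str, now: float) -> Session | None:
        """Return the live session and refresh its activity time.

        Returns None (and evicts the session) when it is unknown or when more
        than idle_timeout seconds have passed since the last activity.
        """
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if now - s.last_activity > self.idle_timeout:
            del self._sessions[session_id]  # automatic logoff
            return None
        s.last_activity = now
        return s

    def logoff(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def active_count(self) -> int:
        return len(self._sessions)


def tls_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies certs.

    create_default_context() already sets CERT_REQUIRED and hostname checking;
    pinning minimum_version makes the floor independent of the OpenSSL build.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name  # "TLSv1_2"
```

Use a monotonic clock (time.monotonic()) for `now` so a wall-clock adjustment cannot extend or shorten a session. For a server behind a load balancer the TLS floor is set on the listener (for example an ALB security policy), so the client context above only covers calls your application makes outbound.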
Audit controls (45 CFR 164.312(b)): Structured logging of every PHI access event, successful or denied: user ID, timestamp, source IP address, the specific action taken, and which record it touched. Retain logs for at least 6 years, matching the Security Rule's 6-year retention period for documentation. Logs must be tamper-evident, so write them to storage that cannot be altered or deleted within the retention window. S3 Object Lock is our choice, but use Compliance mode, not Governance mode: a Governance-mode retention can be shortened or removed by any principal granted s3:BypassGovernanceRetention, whereas a Compliance-mode retention cannot be shortened by anyone, the account root user included, until it expires.
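The following is an added example, not the article's code, showing the record shape above, the Object Lock parameters for the upload, and one thing the article does not mention: a SHA-256 chain over each log batch so that an edited line is detectable even before the batch reaches S3. The bucket and key names, the sample accesses, and the fixed SAMPLE_NOW timestamp are constructed for the example; the put_object parameter names are boto3's.

```python
"""Added example (not the article's code): structured PHI access records, a
hash chain over each log batch so edited lines are detectable, and the S3
Object Lock parameters for storing the batch immutably for six years."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("user_id", "timestamp", "source_ip", "action", "resource")
RETENTION_YEARS = 6
GENESIS_HASH = "0" * 64  # prev_hash carried by the first record of a chain

# Constructed fixture: a fixed "now" so the results are reproducible.
SAMPLE_NOW = datetime(2024, 2, 29, 12, 0, tzinfo=timezone.utc)


def audit_event(user_id, source_ip, action, resource, *, now, outcome="success"):
    """One structured PHI access record. Refuses to emit a record that lacks
    any required field, so an access can never be logged without an identity."""
    event = {
        "user_id": user_id,
        "timestamp": now.isoformat(timespec="milliseconds"),
        "source_ip": source_ip,
        "action": action,      # read / update / export / ...
        "resource": resource,  # which PHI, e.g. "patient/12345/record"
        "outcome": outcome,    # denied attempts are logged too
    }
    missing = [k for k in REQUIRED_FIELDS if not event[k]]
    if missing:
        raise ValueError(f"audit event missing required fields: {missing}")
    return event


def chain_events(events, prev_hash=GENESIS_HASH):
    """Serialize events as JSON lines, each carrying the SHA-256 of the previous
    line. Returns (batch_text, tail_hash); persist tail_hash separately (for
    example as prev_hash of the next batch) so the final line is covered too."""
    lines = []
    for e in events:
        line = json.dumps(dict(e, prev_hash=prev_hash), sort_keys=True,
                          separators=(",", ":"))
        prev_hash = hashlib.sha256(line.encode()).hexdigest()
        lines.append(line)
    return "\n".join(lines) + "\n", prev_hash


def verify_chain(batch, expected_tail, prev_hash=GENESIS_HASH):
    """Return (True, -1) if the batch is intact. Otherwise (False, i) where i is
    the first line whose prev_hash disagrees with its predecessor (an edit to
    line k shows up at k+1), or len(lines) when only the final line was edited."""
    lines = batch.splitlines()
    for i, line in enumerate(lines):
        if json.loads(line).get("prev_hash") != prev_hash:
            return False, i
        prev_hash = hashlib.sha256(line.encode()).hexdigest()
    if prev_hash != expected_tail:
        return False, len(lines)
    return True, -1


def retain_until(now, years=RETENTION_YEARS):
    """Retention end `years` ahead; Feb 29 rolls to Feb 28 in a non-leap year."""
    try:
        return now.replace(year=now.year + years)
    except ValueError:
        return now.replace(year=now.year + years, day=28)


def object_lock_put_args(bucket, key, batch, now):
    """Keyword arguments for boto3's s3.put_object(). COMPLIANCE mode means no
    principal (root included) can shorten the retention or delete the version;
    GOVERNANCE mode can be bypassed with s3:BypassGovernanceRetention."""
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": batch.encode(),
        "ContentType": "application/x-ndjson",
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": retain_until(now),
    }


def example_batch():
    """Constructed sample: three accesses to one patient, one of them denied."""
    t = SAMPLE_NOW
    events = [
        audit_event("alice", "10.0.0.7", "read", "patient/12345/record", now=t),
        audit_event("bob", "10.0.0.8", "update", "patient/12345/medications",
                    now=t + timedelta(seconds=5)),
        audit_event("carol", "10.0.0.9", "export", "patient/12345/record",
                    now=t + timedelta(seconds=9), outcome="denied"),
    ]
    return chain_events(events)
```

Pass the dictionary to `boto3.client("s3").put_object(**object_lock_put_args(...))` against a bucket that has Object Lock enabled; the hash chain tells you that a line changed, Object Lock is what stops the stored copy from being changed or deleted in the first place. Test the bypass yourself: after uploading, try to delete the version as an administrator and confirm the request is refused.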
AWS and the BAA
AWS offers a HIPAA Business Associate Addendum that you accept self-service through AWS Artifact. It covers only the services on AWS's HIPAA-eligible list (S3, RDS, ECS, Lambda, and CloudWatch Logs among them). Storing or processing PHI in a service that is not on that list is outside the BAA, and therefore a compliance violation, regardless of how well you encrypt it. The BAA also obliges you to encrypt PHI at rest and in transit even within eligible services. The list grows as services are added, so check the current AWS HIPAA-eligible services reference (https://aws.amazon.com/compliance/hipaa-eligible-services-reference/) before any new service touches PHI.
