Build HIPAA compliant architecture for your healthcare product

Yogesh S
3 min readMar 19, 2021

Healthcare is one of the most important industries in the startup ecosystem in the World. But what makes Healthcare startups so important? The ability to make a potential impact on people's health and obviously its market size. Healthcare startups who are using technology to make an impact on people's health have to comply with US healthcare laws. One such law is HIPAA which takes care of patient data privacy and security.

Is AWS HIPAA certified?

No. There is no HIPAA certification for a cloud service provider (CSP) such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800–53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800–66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800–53 aligns with the HIPAA Security Rule.

So how do we make a HIPAA compliant architecture?

Data Privacy

The healthcare sector has very strict rules in order to keep patient information safe, as they say, Data is the new oil, and with increased security threats looming over the internet, it has become extremely important to safeguard any critical information. It is also very important for the users of your product to feel their private information is safe with you.

Business Associate Agreement

Before moving to or storing information on AWS, it is very important that you get a BAA after contacting AWS so that you can store, the process transmits Protect Health Information (PHI). For more information on BAA, click here.

Role-based Access Control

For any System Security Plan (SSP) it is very important that Role-Based Access Control is documented as it is one of the important ways to make the HIPAA eligible system. Authentication and Authorization system prevents any unauthorized access to the data, which basically means a user has control over who can see their information until shared with someone. AWS has an IAM system that prevents unauthorized access to data.

Encrypted Database

The easiest way to leak someone's data is by getting through a database especially when it not encrypted, and the easiest way to prevent this is by using Amazon RDS. It is very important to understand that access to the database should always through the application and any sensitive PHI should be encrypted.

For additional discussion on Amazon RDS encryption mechanisms, please refer back to the whitepaper.

Backup and Restore

Until now you have learned how to keep your data secure but you still have to keep it safe with you. AWS RDS provides a Backup and Restore mechanism to back up the last stable set of data that can be restored in case of any mishap. It is very important to be vigilant about your patient’s data and you need not worry as AWS provides such mechanisms out of the box. You can use AWS S3 to store the backup files but make sure they are encrypted and not available for public use.

Identity and Authentication

Have a centralized identity directory for all internal users, this will help you manage access granted to each internal user of the system. Follow simple techniques to block multiple unsuccessful authentication attempts, MFA’s and manage default passwords.

Access Control

Manage what data do you share with 3rd party services and how often you run checks to find unused services and steps to take remove them.

Auditing & Logging

Refrain from logging critical user information and manage access to application logs.

Security Awareness and Planning

Most importantly make sure the developers get constant security awareness training, to help them follow proper security norms in the code.

Connect with us

If you want more info or help regarding how to build a secure system. Or if you are looking for a team to help you build a secure product architecture and system. Please feel free to contact us at or visit our website:



Yogesh S

A technology company focused at delivering market leading and reliable technology products.