Healthcare

HIPAA-aligned AWS architecture, built in — not bolted on.

Healthcare workloads on AWS have to clear a higher bar: PHI handling under a Business Associate Addendum (BAA), encryption at rest and in transit by default, audit trails that survive litigation, and uptime that survives a real clinical workflow. We build environments where the architecture generates its own compliance evidence — instead of evidence being assembled after the fact from policy documents.

The healthcare-on-AWS reality

  • AWS will sign a BAA — but only certain services are HIPAA-eligible. Knowing the boundary matters.
  • PHI must be encrypted at rest with customer-managed keys and audited via CloudTrail Data Events
  • Network isolation via VPC, PrivateLink, and explicit egress controls — not relying on IAM alone
  • HITRUST and SOC 2 evidence collection drives logging, retention, and access review patterns
  • Clinical SLAs make real RTO/RPO targets non-negotiable — designs need to assume failures
  • FHIR, HL7v2, and DICOM are still the lingua franca — integration depth matters

The BAA boundary

Not every AWS service is HIPAA-eligible. We design architectures that keep PHI inside the BAA scope by default — and make it hard to accidentally land it outside.

SCPs prevent the use of non-eligible services in PHI accounts. Macie scans for stray PHI in S3. KMS keys are scoped per workload, not shared.

Where we plug in

Payers

Insurance and claims platforms

Claims ingestion pipelines, EHR integrations via FHIR/HL7v2, member portals, and underwriting data platforms. Workloads that have to stay up during open enrollment without leaking PHI across tenant boundaries.

Providers

Clinical and patient-facing systems

Telehealth platforms, patient portals, clinical decision support, and EHR data warehouses. Where milliseconds matter, audit trails are forensic, and an outage is a clinical event — not a marketing problem.

The healthcare stack we build with

  • HealthLake for FHIR-native data lakes and Comprehend Medical for clinical NLP
  • KMS with customer-managed keys for every PHI-touching workload; key rotation and grants audited
  • Macie for PHI/PII detection across S3; GuardDuty for runtime threat detection
  • CloudTrail Data Events + Lake for the audit-trail depth HITRUST and SOC 2 reviews expect
  • AWS Organizations + Control Tower with SCPs enforcing HIPAA-eligible services only
  • API Gateway + Lambda + Step Functions for FHIR/HL7 transformation pipelines

HIPAA work doesn't have to be slow.

Most healthcare AWS environments accumulate compliance complexity because nobody designed for it from day one. We fix that — with the BAA scope intact.

Start a Conversation