The AWS Shared Responsibility Model Explained for HIPAA Compliance
Executive Summary
Small healthcare practices increasingly rely on Amazon Web Services (AWS) for secure data storage and processing of Protected Health Information (PHI). Under the HIPAA Security Rule, specifically 45 CFR 164.308 (Administrative Safeguards) and 45 CFR 164.312 (Technical Safeguards), both AWS and its customers share compliance responsibilities. The AWS Shared Responsibility Model makes clear that while AWS manages the security of the cloud infrastructure, practices must configure and manage their data securely within it. For small practices with limited budgets, understanding this model is critical to avoid violations, penalties, and reputational harm.
Introduction
Cloud computing offers affordability and scalability for small healthcare practices, but compliance with HIPAA is non-negotiable. The AWS Shared Responsibility Model divides obligations between AWS (as a business associate) and covered entities (small practices). Under HIPAA’s Security Rule at 45 CFR 164.308 and 45 CFR 164.312, practices remain legally accountable for PHI even when outsourcing infrastructure. This means misconfigurations, weak access controls, or lack of risk assessments remain the responsibility of the practice, not AWS. For practices managing under 30 employees, clear understanding of this division ensures compliance without unnecessary expense.
Understanding the AWS Shared Responsibility Model Under 45 CFR 164.308 and 164.312
The AWS Shared Responsibility Model states:
- AWS Responsibility (Security “of” the Cloud): AWS is responsible for physical data center security, network infrastructure, and managed service layers. This includes securing hardware, facilities, and virtualization components.
- Customer Responsibility (Security “in” the Cloud): Covered entities must configure applications, access controls, encryption, and monitoring to ensure compliance with HIPAA requirements.
How this aligns with HIPAA Security Rule provisions:
- 164.308(a)(1)(ii)(A) – Risk Analysis: Practices must analyze risks to PHI stored in AWS environments.
- 164.308(a)(4) – Information Access Management: Customers must configure role-based permissions to limit PHI access (45 CFR 164.308(a)(4)(ii)(B) – Access authorization).
- 164.312(a)(2)(iv) – Encryption and Decryption: AWS provides encryption tools, but practices must enable them for PHI at rest. This implementation specification is “addressable”, so a practice that chooses not to encrypt must document why and what equivalent safeguard it uses instead.
- 164.312(b) – Audit Controls: Practices must enable and review AWS CloudTrail and related logging services.
- 164.308(a)(7) – Contingency Planning: Backups and recovery strategies must be configured by the practice.
Understanding these rules ensures practices don’t assume AWS automatically makes them HIPAA-compliant.
The OCR’s Authority in the AWS Shared Responsibility Model
The Office for Civil Rights (OCR) enforces HIPAA compliance across all cloud implementations. OCR can launch audits or investigations when:
- Complaints are filed about unauthorized PHI exposure in cloud storage.
- Breach reports involve misconfigured Amazon S3 buckets exposing patient data.
- Random audits identify missing BAAs or weak encryption settings.
OCR has clarified that covered entities cannot outsource responsibility. Even when AWS provides a signed BAA, practices are liable if their internal security controls under 45 CFR 164.308 and 164.312 are inadequate.
Step-by-Step Compliance Guide for Small Practices
Step 1: Sign a Business Associate Agreement (BAA) with AWS
- AWS offers a standard BAA, accepted through AWS Artifact, that covers the services AWS designates as HIPAA Eligible.
- Ensure all workloads involving PHI use only AWS HIPAA-eligible services.
Step 2: Conduct a Security Risk Analysis
- Identify risks of misconfigured AWS resources (45 CFR 164.308(a)(1)(ii)(B) – Risk Management).
- Document vulnerabilities, such as publicly exposed S3 buckets or unencrypted PHI.
Step 3: Configure Access Controls
- Implement least-privilege permissions using AWS Identity and Access Management (IAM): grant roles scoped to specific buckets and actions rather than account-wide administrator access.
- Require Multi-Factor Authentication (MFA) for all administrative accounts, including the AWS account root user.
Step 4: Enable Encryption
- Activate server-side encryption for S3, preferably with a customer-managed key in AWS Key Management Service (KMS) so that key use is logged and access to the key can be restricted (45 CFR 164.312(a)(2)(iv) – Encryption and decryption).
- Ensure PHI in transit is secured with TLS (45 CFR 164.312(e)(2)(ii) – Encryption, under Transmission Security).
Step 5: Activate Audit Logging
- Enable AWS CloudTrail and Amazon CloudWatch to log and monitor access to PHI (45 CFR 164.308(a)(1)(ii)(D) – Information system activity review). For buckets holding PHI, also turn on CloudTrail data events or S3 server access logging, since a management-event trail alone does not record individual object reads and writes.
- Review logs monthly and document corrective actions.
Step 6: Maintain Contingency Planning
- Configure AWS backup solutions and test data recovery at least twice per year (45 CFR 164.308(a)(7)(ii)(A) – Data Backup Plan; 164.308(a)(7)(ii)(B) – Disaster Recovery Plan).
- Document recovery procedures in your HIPAA security policies.
These steps allow small practices to align AWS cloud usage with HIPAA safeguards while keeping costs manageable.
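Steps 3 through 6 above are checks a practice can script rather than eyeball. The following is an added example, not code from the original article or from AWS: a self-audit over an account snapshot that flags IAM users without MFA or with blanket administrator rights, S3 buckets without full Block Public Access or without SSE-KMS default encryption, the absence of a logging multi-region CloudTrail trail with log file validation, and the absence of any AWS Backup plan. The snapshot is constructed sample data shaped like the relevant boto3 responses (iam list_users/list_mfa_devices, s3 get_public_access_block/get_bucket_encryption, cloudtrail describe_trails plus get_trail_status, backup list_backup_plans), so the script runs offline; the account ID, user names, bucket names and key alias are placeholders.

```python
"""Self-audit of an AWS account snapshot against the controls in Steps 3-6.

Added example, not from the original article. SAMPLE_SNAPSHOT is CONSTRUCTED data
shaped like flattened boto3 responses; swap it for live API calls to audit a real account.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # which step / safeguard the finding relates to
    resource: str  # IAM user, bucket name, or "account"
    detail: str
    cfr: str       # HIPAA Security Rule citation


# Constructed sample snapshot (placeholder names, NOT real account data).
SAMPLE_SNAPSHOT = {
    "iam_users": [
        {"UserName": "dr-admin", "mfa_devices": [],
         "attached_policies": ["AdministratorAccess"]},
        {"UserName": "billing", "mfa_devices": ["arn:aws:iam::123456789012:mfa/billing"],
         "attached_policies": ["BillingReadOnly"]},
    ],
    "s3_buckets": {
        # Misconfigured: public access not blocked, no default encryption.
        "phi-billing-records": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
            "ServerSideEncryptionConfiguration": None,
        },
        # Correct: all four public-access blocks on, SSE-KMS with a customer-managed key.
        "phi-imaging": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
            "ServerSideEncryptionConfiguration": {"Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi"}}]},
        },
    },
    # describe_trails fields plus IsLogging from get_trail_status.
    "cloudtrail_trails": [
        {"Name": "mgmt-trail", "IsMultiRegionTrail": False,
         "LogFileValidationEnabled": False, "IsLogging": True},
    ],
    "backup_plans": [],  # list_backup_plans returned nothing
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_iam(users):
    """Step 3: every user needs an MFA device; nobody should hold AdministratorAccess."""
    findings = []
    for u in users:
        if not u["mfa_devices"]:
            findings.append(Finding("Step 3 / MFA", u["UserName"],
                                    "no MFA device registered", "164.312(d)"))
        if "AdministratorAccess" in u["attached_policies"]:
            findings.append(Finding("Step 3 / least privilege", u["UserName"],
                                    "AdministratorAccess attached", "164.308(a)(4)(ii)(B)"))
    return findings


def audit_s3(buckets):
    """Steps 3-4: full Block Public Access and SSE-KMS default encryption on every bucket."""
    findings = []
    for name, cfg in buckets.items():
        pab = cfg.get("PublicAccessBlockConfiguration") or {}
        if not all(pab.get(k) for k in PAB_KEYS):
            findings.append(Finding("Step 3 / public access", name,
                                    "S3 Block Public Access not fully enabled", "164.312(a)(1)"))
        rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
        if "aws:kms" not in algos:
            findings.append(Finding("Step 4 / encryption at rest", name,
                                    "default encryption is not SSE-KMS", "164.312(a)(2)(iv)"))
    return findings


def audit_cloudtrail(trails):
    """Step 5: at least one trail that is logging, multi-region, and integrity-protected."""
    good = [t for t in trails
            if t["IsLogging"] and t["IsMultiRegionTrail"] and t["LogFileValidationEnabled"]]
    if good:
        return []
    return [Finding("Step 5 / audit logging", "account",
                    "no logging multi-region trail with log file validation", "164.312(b)")]


def audit_backup(plans):
    """Step 6: at least one AWS Backup plan must exist."""
    if plans:
        return []
    return [Finding("Step 6 / contingency", "account",
                    "no AWS Backup plan defined", "164.308(a)(7)(ii)(A)")]


def run_audit(snapshot):
    """Run every check and return the combined list of findings."""
    return (audit_iam(snapshot["iam_users"]) + audit_s3(snapshot["s3_buckets"])
            + audit_cloudtrail(snapshot["cloudtrail_trails"])
            + audit_backup(snapshot["backup_plans"]))


if __name__ == "__main__":
    for f in run_audit(SAMPLE_SNAPSHOT):
        print(f"[{f.cfr}] {f.control}: {f.resource}: {f.detail}")
```

Two design notes. S3 has applied SSE-S3 (AES256) to new objects by default since January 2023, so the encryption check deliberately looks for `aws:kms`, the customer-managed-key setup Step 4 calls for; a practice that has documented SSE-S3 as its chosen safeguard would relax that line. The CloudTrail check only confirms a management-event trail exists; object-level reads of PHI buckets still require data events or S3 server access logging as noted in Step 5.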
Case Study
A small pediatric clinic migrated patient billing records to AWS S3, but left the bucket publicly accessible without encryption. The exposure was discovered after a patient complaint, leading to an OCR investigation. Although AWS had provided a signed BAA and secured its infrastructure, the clinic had not configured access restrictions or conducted a risk analysis. OCR fined the clinic $150,000 and required a corrective action plan that included enabling encryption, implementing MFA, and training staff.
This case highlights the Shared Responsibility Model: AWS secured the cloud infrastructure, but the clinic failed to secure its PHI “in” the cloud, resulting in legal and financial consequences.
Simplified Self-Audit Checklist for the AWS Shared Responsibility Model
| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Sign AWS HIPAA BAA | Practice Owner | Before storing PHI | 164.308(b), 164.502(e) |
| Conduct risk analysis of AWS environment | Compliance Officer | Annually | 164.308(a)(1)(ii)(A) |
| Configure IAM roles and MFA | IT Lead | Immediately | 164.308(a)(4), 164.312(d) |
| Enable encryption for PHI (at rest and in transit) | IT Lead | Ongoing | 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| Enable and review audit logging (CloudTrail, CloudWatch) | Compliance Officer | Monthly | 164.312(b) |
| Test disaster recovery plan with AWS backups | IT Lead | Semi-annually | 164.308(a)(7) |
| Train staff on AWS HIPAA policies | Office Manager | Annually | 164.308(a)(5) |
Common Pitfalls to Avoid Under 45 CFR 164.308 and 164.312
Small practices often fall into avoidable mistakes when using AWS for HIPAA workloads:
- Assuming AWS alone ensures compliance: Without customer-side safeguards, OCR still considers the practice noncompliant.
- Not enabling encryption: Leaving PHI unencrypted without documenting an equivalent safeguard fails to address 164.312(a)(2)(iv).
- Weak IAM configuration: Overly broad permissions (wildcard actions or resources, shared administrator credentials, no MFA condition on PHI access) expose PHI unnecessarily.
- Ignoring audit logs: Failure to monitor CloudTrail logs violates 164.312(b).
- Skipping risk analyses: Without documented analysis, practices cannot demonstrate compliance under 164.308(a)(1).
Avoiding these pitfalls ensures both legal compliance and strong data security.
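The “weak IAM configuration” pitfall is easiest to see with a concrete policy pair. Below is an added example, not from the original article or from AWS: an over-broad policy that grants every S3 action on every resource, the scoped policy a practice should attach instead, and a small lint routine that flags the patterns behind the pitfall (wildcard actions, wildcard resources, and PHI-bucket access that is not conditioned on `aws:MultiFactorAuthPresent`). Both policy documents are constructed samples; the bucket name is a placeholder.

```python
"""Least-privilege lint for IAM policy documents.

Added example, not from the original article. The two policies are CONSTRUCTED samples
and PHI_BUCKET_ARN is a placeholder for the practice's real PHI bucket.
"""
import json

PHI_BUCKET_ARN = "arn:aws:s3:::phi-billing-records"  # placeholder bucket

# Over-broad: every S3 action on every bucket, usable from a session without MFA.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Scoped: object read/write and listing on the PHI bucket only, and only when the
# calling session authenticated with MFA.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{PHI_BUCKET_ARN}/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": PHI_BUCKET_ARN,
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(stmt):
    """True if the statement only applies when aws:MultiFactorAuthPresent is true."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy_json):
    """Return human-readable findings for each Allow statement; [] means nothing flagged."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource '*'")
        touches_phi = any(r == "*" or r.startswith(PHI_BUCKET_ARN) for r in resources)
        if touches_phi and not _requires_mfa(stmt):
            findings.append(f"statement {i}: PHI bucket access without "
                            "aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for label, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, lint_policy(policy) or "OK")
```

The lint is intentionally narrow: it does not evaluate `NotAction`/`NotResource`, resource-based bucket policies, or permission boundaries, so a clean result means “none of these three patterns”, not “least privilege achieved”. For a full picture, pair it with IAM Access Analyzer or the AWS Config managed rules mentioned under Best Practices.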
Best Practices for the AWS Shared Responsibility Model Compliance
To strengthen compliance, small practices should:
- Use only AWS HIPAA-eligible services covered by the BAA.
- Automate compliance monitoring with AWS Config Rules; managed rules such as s3-bucket-public-read-prohibited, s3-bucket-server-side-encryption-enabled, cloudtrail-enabled and mfa-enabled-for-iam-console-access cover several checklist items without custom code.
- Implement regular penetration testing and vulnerability scans.
- Assign a compliance lead to oversee AWS configuration and documentation.
- Document all AWS configurations as part of your HIPAA Security Management Process.
These practices are affordable and scalable for small healthcare organizations.
Building a Culture of Compliance Around the AWS Shared Responsibility Model
Integrating AWS compliance into practice culture requires ongoing engagement:
- Staff Training: Train staff on AWS-specific HIPAA risks and responsibilities.
- Policy Integration: Document AWS configurations and link them to HIPAA safeguards.
- Leadership Oversight: Assign leadership to review compliance reports quarterly.
- Continuous Improvement: Encourage feedback and update cloud practices after incidents or audits.
Embedding compliance into daily operations helps ensure AWS cloud adoption enhances security rather than introducing vulnerabilities.
Concluding Recommendations, Resources, and Next Steps
The AWS Shared Responsibility Model makes it clear: AWS secures the infrastructure, but healthcare practices remain responsible for securing PHI “in” the cloud. For small practices, aligning cloud usage with HIPAA requirements under 45 CFR 164.308 and 164.312 is achievable through careful configuration, documentation, and training.
Resources
Affordable and practical resources for small practices include:
- HHS Security Risk Assessment Tool: Free software to guide annual risk analyses.
- OCR Guidance on Cloud Computing: Provides official expectations for HIPAA compliance in cloud environments.
- AWS Artifact: Free service that provides on-demand access to AWS compliance reports and is where the AWS BAA is reviewed and accepted.
- Low-cost compliance software like Compliancy Group or HIPAA One: Helps track BAAs, risk assessments, and policies.
These tools allow small practices to meet compliance obligations while optimizing costs.
To further strengthen your compliance posture, consider using a compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.