HIPAA Compliant Infrastructure
HIPAA's technical safeguard requirements are specific and auditable. We implement the infrastructure controls — encryption, access management, audit logging, and transmission security — on BAA-covered cloud services so your application can safely handle Protected Health Information.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
BAA-Covered Service Selection
Not every cloud service is covered by a Business Associate Agreement. We architect your stack using only BAA-eligible services: RDS for databases, S3 for storage, ECS/EKS for compute, CloudWatch for logging, and KMS for encryption. Services without BAA coverage (some managed ML services, certain analytics tools) are isolated from PHI data flows. We document the BAA-covered architecture for your compliance officer and auditor.
PHI Encryption and Access Controls
All PHI is encrypted at rest with AES-256 via KMS customer-managed keys and in transit with TLS 1.3. Database-level encryption, EBS volume encryption, and S3 bucket encryption are enforced via service control policies (SCPs), so no unencrypted resource can be created. Access to PHI requires MFA, role-based IAM policies, and break-glass procedures for emergency access. Every PHI access event is logged with user identity, timestamp, and data accessed.
Audit Controls and Logging
HIPAA requires recording and examining activity in systems containing PHI. We configure: CloudTrail for infrastructure-level audit trails, application audit logs for PHI access events, database activity streams for query logging, and network flow logs for traffic analysis. Logs are stored in a separate, restricted account with 6-year retention (HIPAA minimum). Log integrity is verified with hash chains. SIEM integration enables real-time alerting on suspicious access patterns.
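As an added illustration of the hash-chain log integrity check described above (example code, not Anubiz's own implementation), a minimal append-only PHI access log in Python: field names and the sample events are constructed, and the latest chain hash is assumed to be anchored in the separate restricted logging account so that an attacker who edits the log cannot also rewrite the anchor.

```python
import hashlib
import json
from typing import Dict, List

# Hash-chained audit log: every record commits to the previous record's hash,
# so editing, deleting or reordering an earlier event changes all later hashes.
# Detection depends on the latest hash ("head") being anchored somewhere the
# log writer cannot alter, e.g. the separate restricted logging account.

GENESIS = "0" * 64  # constructed starting value for an empty chain


def _canonical(fields: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators so the same event always hashes identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Dict[str, str]], user: str, ts: str,
                 action: str, resource: str) -> str:
    """Append one PHI access event and return its hash (the new chain head)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"user": user, "ts": ts, "action": action,
            "resource": resource, "prev_hash": prev}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append({**body, "hash": digest})
    return digest


def verify_chain(chain: List[Dict[str, str]], anchored_head: str) -> bool:
    """Recompute every hash; False on a broken link, a bad hash, or a head mismatch."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev_hash") != prev:
            return False  # link to predecessor broken (deletion or reordering)
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False  # record contents changed after it was written
        prev = entry["hash"]
    return prev == anchored_head  # truncation or appended fakes show up here


def demo() -> bool:
    """Constructed events: chain verifies, then fails once one record is edited."""
    log: List[Dict[str, str]] = []
    append_event(log, "dr.alice", "2024-01-05T09:12:00Z", "READ", "patient/1001")
    append_event(log, "svc-export", "2024-01-05T09:13:30Z", "EXPORT", "patient/*")
    head = append_event(log, "dr.alice", "2024-01-05T09:14:10Z", "READ", "patient/1002")
    assert verify_chain(log, head)
    log[1]["user"] = "dr.alice"  # tamper: attribute the bulk export to a clinician
    return verify_chain(log, head)  # False: the edited record no longer matches its hash
```

A hash chain alone does not stop a writer who controls the whole log from regenerating it; the anchored head (or a keyed MAC held by the logging account) is what makes the check meaningful.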
Breach Detection and Notification
HIPAA requires breach notification within 60 days. We implement automated breach detection: anomaly detection on PHI access patterns, alerts on bulk data exports, failed login monitoring, and unauthorized access attempt tracking. GuardDuty and Security Hub provide threat detection at the infrastructure layer. When a potential breach is detected, automated response isolates the affected system and captures forensic evidence while alerting the incident response team.
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.