This site provides independent HIPAA compliance cost estimates for informational purposes only. We are not affiliated with HHS, OCR, or any compliance vendor. This is not legal or regulatory advice. Consult a qualified HIPAA compliance professional for guidance specific to your organization.

AWS HIPAA Compliance Cost in 2026

The AWS Business Associate Addendum is free. The cost of HIPAA on AWS is in restricting workloads to the HIPAA-eligible services subset, deploying the KMS + CloudTrail + Config + GuardDuty + WAF security baseline, and operating an audit-ready architecture. Three representative workload patterns: $400 to $1,500 per month for a small SaaS workload, $4,000 to $15,000 per month for a mid-size digital health company, $25,000 to $250,000+ per month for an enterprise EHR data lake. This page walks through the BAA mechanics, the HIPAA-eligible service constraint, the security tooling baseline, and the three workload-pattern cost decompositions.

Small SaaS: $400 - $1.5K/mo (Web app + RDS + S3)

Mid-Size Digital Health: $4K - $15K/mo (Multi-tenant SaaS + analytics)

Enterprise EHR Data Lake: $25K - $250K+/mo (Redshift + S3 + HealthLake)

The AWS BAA mechanics

AWS publishes the Business Associate Addendum through AWS Artifact. Acceptance is a self-service workflow: navigate to AWS Artifact in the AWS Management Console, locate the AWS Business Associate Addendum, review the terms, and accept. AWS executes the BAA automatically. The BAA is free and does not require negotiation for the standard form.

Customers needing a negotiated BAA form (uncommon but sometimes required by enterprise legal teams) can engage AWS through the standard contracting process; AWS will typically engage but the negotiated path takes 6 to 12 weeks versus the immediate online acceptance of the standard form. For the vast majority of customers, the standard online BAA is appropriate.

The BAA covers AWS's obligations as a business associate under HIPAA. Specifically, AWS commits to implementing administrative, physical, and technical safeguards under the Security Rule for the in-scope services, breach notification under 45 CFR 164.410, and use and disclosure of PHI only as permitted by the BAA and the Privacy Rule. The BAA scope is restricted to the HIPAA-eligible service list; using a non-eligible service with PHI is a contractual breach and a compliance violation.

This is an informational cost reference, not legal or compliance advice. Consult a cloud-compliance attorney or HIPAA-qualified compliance professional before architecting a HIPAA workload on AWS.

The HIPAA-eligible service constraint

The AWS HIPAA Eligible Services Reference lists the services that may be used to store, process, or transmit ePHI under the AWS BAA. As of 2026 the list includes 130+ services covering compute (EC2, ECS, EKS, Fargate, Lambda), storage (S3, EBS, EFS, FSx, Glacier), databases (RDS for most engines, Aurora, DynamoDB, DocumentDB, Neptune, MemoryDB, Redshift, Timestream), analytics (Glue, EMR, Kinesis, MSK, OpenSearch, QuickSight, Athena), AI/ML (SageMaker, Bedrock, Comprehend Medical, Transcribe Medical, Textract Medical, Translate, Polly), healthcare-specific (HealthLake, HealthOmics, HealthImaging), networking (VPC, Direct Connect, Transit Gateway, API Gateway, ELB), security (IAM, KMS, Secrets Manager, WAF, Shield, GuardDuty, Inspector, Macie, Detective, Security Hub, Network Firewall), and management (CloudWatch, CloudTrail, Config, Systems Manager, Organizations).

Services not on the list cannot legally process ePHI under the BAA. The HIPAA-relevant architecture work is to build only with HIPAA-eligible services, set up automated guardrails (SCPs) that prevent non-eligible service spin-up in the BAA-protected accounts, and document the architecture for audit.

AWS adds services to the eligibility list periodically; check the published reference before assuming a service is eligible. The list has only ever expanded, never contracted: once a service is added, it stays.

The three workload patterns priced

Pattern 1: Small SaaS healthcare startup. Single-account or small-organization AWS footprint. ECS Fargate web app (2 to 8 vCPU, 4 to 16 GB memory baseline), RDS PostgreSQL or MySQL (db.t4g.medium or similar, 100 to 500 GB storage), S3 file storage (100 GB to 5 TB), modest CloudFront, Route 53, ACM. Security tooling: KMS for at-rest encryption, CloudTrail single trail, GuardDuty basic, Config tracking 50 to 200 resources, Inspector occasional, WAF on the public ALB.

Triangulated monthly cost: $400 to $1,500. Of that, compute is roughly $150 to $400, storage $50 to $200, database $200 to $400, data transfer $20 to $100, and the security tooling baseline $80 to $400.

Pattern 2: Mid-size digital health company. Multi-account AWS Organization, multi-AZ production architecture. ECS or EKS cluster (20 to 100 vCPU, dedicated worker nodes), Aurora PostgreSQL Multi-AZ (db.r6g.large to db.r6g.2xlarge, 500 GB to 5 TB storage), S3 multi-bucket data architecture (10 to 100 TB), Glue ETL jobs, Athena queries, modest SageMaker inference endpoints, CloudFront with WAF, Route 53, ACM, comprehensive VPC peering and Transit Gateway. Security tooling: KMS multi-key with annual rotation, CloudTrail multi-account with central logging, GuardDuty across all accounts, Config comprehensive evaluation, Security Hub central dashboard, Inspector enterprise, Macie for S3 classification, WAF on production ALBs, Network Firewall.

Triangulated monthly cost: $4,000 to $15,000. Of that, compute is roughly $1,500 to $6,000, storage and database $1,000 to $4,000, data transfer $300 to $1,500, security tooling $1,200 to $3,500.

Pattern 3: Enterprise EHR data lake. Multi-account AWS Organization with dedicated PHI-segregated accounts. Redshift cluster (ra3.xlplus or ra3.4xlarge, 10 to 100 nodes), S3 data lake (1 PB+), EMR or Glue ETL at scale, HealthLake or comparable FHIR store, SageMaker training and inference at scale, DataZone or Lake Formation governance, AWS Clean Rooms for cross-organization analysis. Security tooling: enterprise CloudTrail with anomaly detection, GuardDuty with custom threat intel, Macie at scale, Detective for incident investigation, AWS Backup with cross-region replication, Audit Manager for continuous compliance evidence.

Triangulated monthly cost: $25,000 to $250,000+. The variance is driven mostly by storage and analytics workload volume; the security tooling baseline runs $15,000 to $80,000 per month at this scale.

Security tooling baseline cost

The HIPAA security stack on AWS at minimum:

Service       | Role                               | Pricing model
KMS           | Customer-managed encryption keys   | $1/key/mo + API calls
CloudTrail    | Management-plane audit logging     | First trail free; data events extra
Config        | Resource-configuration tracking    | $0.003 per config item
GuardDuty     | Threat detection                   | Per log volume
Security Hub  | Compliance dashboard               | Per finding + per check
WAF           | Application-layer firewall         | $5/ACL/mo + per request
Inspector     | Vulnerability scanning             | $0.30/EC2 scan
Macie         | S3 sensitive-data classification   | Per GB processed

All prices are from the AWS public pricing pages and reflect us-east-1 list pricing; regional variation, savings plans, and Enterprise Discount Programs (EDP) can adjust effective pricing meaningfully at scale. The pricing model is API-call and resource-volume driven, which means the security tooling cost grows roughly linearly with the workload size. Reference: AWS Pricing.

Common AWS HIPAA budget mistakes

Mistake 1: Spinning up a workload before accepting the BAA. Until the BAA is accepted, no AWS service is in BAA scope. Workloads launched before BAA acceptance technically processed PHI outside the BAA, even if they are subsequently moved into BAA-scoped accounts. The fix is to accept the BAA on day zero, before any PHI is loaded.

Mistake 2: Using non-eligible services with PHI. This is easy to do during development, when a developer reaches for the most convenient service rather than the most appropriate one. SCPs that block non-eligible service spin-up in BAA-protected accounts prevent this at the architecture level.
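As an added example (not code from the original page or from AWS), the allow-list SCP pattern described above, built from a service-prefix list, plus a detection check over CloudTrail records for use of services outside that list. The prefix set and the sample records are constructed for illustration; the authoritative list is the AWS HIPAA Eligible Services Reference.

```python
import json

# Constructed subset of HIPAA-eligible IAM service prefixes for illustration;
# the authoritative list is the AWS HIPAA Eligible Services Reference. Note
# that control-plane prefixes (iam, sts, organizations) must stay allowed or
# the SCP locks the account out of its own administration.
ELIGIBLE_PREFIXES = {
    "ec2", "ecs", "s3", "rds", "kms", "cloudtrail", "config", "guardduty",
    "wafv2", "iam", "sts", "logs", "cloudwatch", "organizations",
}
SCP_MAX_CHARS = 5120  # size limit for a single SCP document


def build_allowlist_scp(prefixes):
    """Deny any action whose service prefix is outside `prefixes`.

    Deny + NotAction is the allow-list pattern: the SCP never grants
    anything, it only removes non-eligible services from what account
    IAM policies can grant. Sorted for stable review diffs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonHipaaEligibleServices",
            "Effect": "Deny",
            "NotAction": [f"{p}:*" for p in sorted(prefixes)],
            "Resource": "*",
        }],
    }


def scp_fits_size_limit(scp):
    """The full 130+ service list still fits, but check before attaching."""
    return len(json.dumps(scp, separators=(",", ":"))) <= SCP_MAX_CHARS


def non_eligible_events(records, prefixes):
    """Detection side: flag CloudTrail events whose eventSource is outside
    the eligible set. The first label of eventSource usually equals the IAM
    prefix, but not always (CloudWatch metrics log as monitoring.amazonaws.com),
    so treat a hit as a lead to triage, not a verdict."""
    return [(r["eventSource"], r["eventName"]) for r in records
            if r["eventSource"].split(".")[0] not in prefixes]


# Constructed sample CloudTrail records, not real log data.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "amplify.amazonaws.com", "eventName": "CreateApp"},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance"},
]
```

Attach the SCP to the organizational unit holding the BAA-protected accounts, and run the event check over the central CloudTrail bucket as a periodic drift detector.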

Mistake 3: Default S3 encryption only. Default S3 encryption uses an AWS-managed key. For HIPAA-grade auditability, use customer-managed keys (CMK) through KMS, which provides key rotation control and per-key access logging in CloudTrail.
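As an added example (not code from the original page or from AWS), an audit check that classifies a bucket's default encryption setting, distinguishing SSE-S3, the AWS-managed aws/s3 KMS key and a customer-managed key, plus a bucket policy that rejects any upload naming a different key. The input shape follows the S3 GetBucketEncryption response; the bucket name, account id and key ARN are constructed placeholders.

```python
# Constructed placeholder values, not a real account or key.
SAMPLE_CMK_CONFIG = {
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
        },
        "BucketKeyEnabled": True,
    }]}
}


def classify_bucket_encryption(config):
    """Return 'none', 'sse-s3', 'aws-managed-kms' or 'customer-managed-kms'.

    Two details matter for auditability: SSEAlgorithm 'aws:kms' with no
    KMSMasterKeyID silently falls back to the AWS-managed aws/s3 key, and a
    key id given as the alias 'aws/s3' (or its alias ARN) is that same
    AWS-managed key, so neither gives per-key CloudTrail access logging.
    """
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "sse-s3"
    if algo != "aws:kms":
        return "none"
    key_id = default.get("KMSMasterKeyID", "")
    if not key_id or key_id == "aws/s3" or key_id.endswith("alias/aws/s3"):
        return "aws-managed-kms"
    return "customer-managed-kms"


def cmk_enforcement_policy(bucket, cmk_arn):
    """Bucket policy denying PutObject when the request names a KMS key other
    than the CMK. IfExists lets requests without the header fall through to
    the bucket default, which classify_bucket_encryption verifies is the CMK."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutObjectWithOtherKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEqualsIfExists": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": cmk_arn}},
        }],
    }
```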

Mistake 4: Single AWS account for everything. A multi-account AWS Organization with separate accounts for production, staging, security, logging, and shared services is the recommended pattern. Single-account architectures are harder to audit and harder to isolate after an incident. AWS Control Tower or AWS Organizations with custom setup makes the multi-account pattern accessible.

AWS HIPAA cost FAQ

Does AWS charge for the HIPAA BAA?
No. The AWS Business Associate Addendum is free and is executed online through AWS Artifact. Every AWS customer can accept the BAA without an additional contract or fee. The cost of HIPAA on AWS is not in the BAA itself; it is in restricting your workload to the HIPAA-eligible service subset and in adding the security and audit tooling required to meet the Security Rule.
What is the HIPAA-eligible services list?
AWS publishes the HIPAA Eligible Services Reference at aws.amazon.com/compliance/hipaa-eligible-services-reference. As of 2026 the list includes 130+ services including EC2, S3, RDS (most engines), DynamoDB, Lambda, EBS, EFS, FSx, Glue, EMR, Kinesis, Redshift, SageMaker, Bedrock, Comprehend Medical, Transcribe Medical, HealthLake, HealthOmics, and many others. Services not on the list (Amplify Studio, some preview-tier services, some regional services in specific Regions) cannot legally process or store ePHI under the AWS BAA. The compliance work is in workload architecture: build only with HIPAA-eligible services, set up automated guardrails that prevent non-eligible service spin-up in the BAA-protected accounts, and document the architecture for audit.
How much does HIPAA on AWS cost for a typical workload?
Three representative workload archetypes anchor the cost discussion. A small SaaS healthcare startup workload (web app on ECS, RDS MySQL, S3 file storage, modest traffic) on the HIPAA-eligible AWS subset runs $400 to $1,500 per month inclusive of compute, storage, KMS, CloudTrail, GuardDuty, Config, and modest data transfer. A mid-size digital health company workload (multi-tenant SaaS, ECS or EKS, Aurora PostgreSQL, S3, modest analytics on Glue + Athena) runs $4,000 to $15,000 per month. An enterprise EHR data lake workload (Redshift cluster, S3 data lake, EMR or Glue ETL, HealthLake or comparable FHIR store, SageMaker inference, multi-account organization) runs $25,000 to $250,000+ per month. The HIPAA-specific incremental cost above a non-HIPAA equivalent workload is typically 10 to 25 percent.
What HIPAA-relevant security tooling do I need on AWS beyond the BAA?
The baseline HIPAA security stack on AWS at minimum: AWS KMS for customer-managed encryption keys ($1 per key per month plus $0.03 per 10,000 API calls), CloudTrail for management-plane audit logging (first trail free in each region; data events extra), AWS Config for resource configuration tracking ($0.003 per evaluated config item), GuardDuty for threat detection (variable by log volume, typically $50 to $5,000 per month for a moderate-size organization), Security Hub for compliance dashboarding (small additional cost), AWS WAF for application-layer protection if exposing web apps ($5 per ACL per month plus per-request charges), and Inspector for vulnerability scanning ($0.30 per EC2 instance scan, $0.09 per Lambda function scan). Larger organizations add AWS Macie for S3 data classification, AWS Detective for incident investigation, and AWS Backup with cross-region replication. Triangulated monthly cost of the security stack alone is $300 to $5,000 for small workloads, $2,000 to $25,000 for mid-size, $15,000 to $80,000 for enterprise.
Does AWS handle HIPAA compliance for me?
No, AWS operates under the shared responsibility model. AWS is responsible for the security of the cloud (the underlying infrastructure, physical data centers, hypervisor, network, hardware lifecycle). The customer is responsible for security in the cloud (the workload architecture, identity and access management, data encryption configuration, network configuration, application security, and operational practices). The HIPAA BAA defines what AWS will do as a business associate; the bulk of the Security Rule control implementation is the customer's. AWS publishes the AWS Security Documentation Library and the HIPAA Implementation Guide that walks through how the shared-responsibility split works for each major service. Read these carefully before architecting a HIPAA workload.
What is the budget impact of building wrong and re-architecting?
Significant. The most expensive mistake digital health teams make on AWS is launching a workload across non-HIPAA-eligible services and discovering during a customer-diligence review that the architecture cannot pass a hospital security questionnaire. Re-architecting from a non-compliant baseline typically costs 3 to 8 weeks of engineering time plus AWS-Professional-Services or specialty-consultancy support ($30,000 to $150,000 typical engagement), plus the opportunity cost of delayed customer onboarding. Building correctly from the start is dramatically cheaper.
How does HITRUST CSF certification on AWS work?
AWS publishes HITRUST CSF assessment results that customers can inherit for parts of their own HITRUST assessment. The inherited controls cover the infrastructure layer; the customer still needs to implement and demonstrate the application-layer and operational-layer controls. The cost saving from inheritance is significant (typically 20 to 35 percent of HITRUST assessment cost) but the customer-side HITRUST cost remains substantial: $40,000 to $200,000 for r2 (validated) assessment depending on scope. HITRUST is worth pursuing for digital health companies that sell to hospital customers requiring HITRUST as part of vendor onboarding; most top-50 US health systems require it.

Updated 2026-06-13