AWS Bedrock HIPAA compliance
Quick answer
AWS Bedrock supports HIPAA compliance when used within an AWS environment configured for HIPAA workloads, including enabling AWS Artifact agreements and using AWS Key Management Service (KMS) for encryption. Ensure you sign a Business Associate Agreement (BAA) with AWS and architect your Bedrock usage following AWS HIPAA best practices.
Prerequisites
- AWS account with HIPAA eligibility
- Signed AWS Business Associate Agreement (BAA)
- Python 3.8+
- AWS CLI configured with appropriate permissions
- pip install boto3
Setup AWS Bedrock for HIPAA
To use AWS Bedrock in a HIPAA-compliant way, first ensure your AWS account is eligible for HIPAA workloads and that you have signed the Business Associate Agreement (BAA) with AWS. Use AWS Artifact to accept the BAA and to access compliance reports. Reach Bedrock from a secure VPC through a VPC endpoint, and use AWS KMS keys for encryption of data at rest; data in transit is protected by TLS.
Install the AWS SDK for Python (boto3) to interact with Bedrock programmatically.
pip install boto3

Output:
Collecting boto3
  Downloading boto3-1.26.0-py3-none-any.whl (132 kB)
Installing collected packages: boto3
Successfully installed boto3-1.26.0
Step by step HIPAA-compliant Bedrock usage
This example demonstrates how to call AWS Bedrock with boto3 through the Converse API. It assumes your account already has KMS encryption and CloudTrail logging configured (see the best practices below). Replace modelId with your Bedrock model ID and ensure your AWS credentials carry the IAM permissions needed to invoke that model.
import boto3

# Initialize the Bedrock runtime client, pinned to a region you have
# approved for HIPAA workloads
client = boto3.client('bedrock-runtime', region_name='us-east-1')

# The Converse API expects each message's content as a list of content blocks
messages = [{"role": "user", "content": [{"text": "Explain HIPAA compliance in AWS Bedrock."}]}]

# KMS encryption is not a per-request parameter of converse(); it is configured
# on the account and its resources (customer managed keys for model
# customization, invocation logs and so on), so the call itself carries no key context
response = client.converse(
    modelId='amazon.bedrock.custom-model',  # Replace with your model ID
    messages=messages,
)

print("Response:", response['output']['message']['content'][0]['text'])

Output:
Response: AWS Bedrock supports HIPAA compliance by enabling secure data handling, encryption, and access controls within the AWS environment.
Common variations and best practices
- Use AWS KMS to manage encryption keys and enforce strict access control.
- Enable CloudTrail and CloudWatch for audit logging of Bedrock API calls.
- Run Bedrock API calls within a VPC Endpoint to avoid public internet exposure.
- Use IAM roles with least privilege for Bedrock access.
- For streaming responses, use the streaming variants of the Bedrock runtime API (for example converse_stream in boto3); boto3 itself is synchronous, so asynchronous use needs an async-capable SDK.
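The least-privilege and VPC endpoint points above can be expressed as an IAM policy and checked mechanically. The following is an added example, not code from the original page or from AWS: it builds an invoke-only policy scoped to listed model ARNs and conditioned on the VPC endpoint, and a small checker that flags the wildcards and missing conditions that make the convenient "bedrock:*" policy over-broad. The account ID, model ARN and VPC endpoint ID are constructed placeholders.

```python
"""Least-privilege IAM policy for Bedrock runtime access, with a checker that
flags over-broad Allow statements. Added example; all identifiers below are
constructed placeholders, not values from any real account."""
import json

# Constructed placeholders: replace with your own values
REGION = "us-east-1"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"
ALLOWED_MODEL_ARNS = [
    f"arn:aws:bedrock:{REGION}::foundation-model/EXAMPLE-MODEL-ID",
]

# The "just make it work" policy: every Bedrock action on every resource,
# from anywhere, which is exactly what a HIPAA review will reject
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}],
}


def build_invoke_policy(model_arns, vpc_endpoint_id):
    """Allow model invocation only, only on the listed models, only through
    the approved VPC endpoint (Converse and ConverseStream are authorized by
    the InvokeModel / InvokeModelWithResponseStream actions)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeApprovedModelsViaPrivateLink",
                "Effect": "Allow",
                "Action": [
                    "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream",
                ],
                "Resource": list(model_arns),
                "Condition": {"StringEquals": {"aws:SourceVpce": vpc_endpoint_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy):
    """Return human-readable findings for Allow statements that are too broad."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions} grants more than invocation")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' grants access to every model")
        if "Condition" not in stmt:
            findings.append(f"{sid}: no Condition, so calls from outside the VPC endpoint are allowed")
    return findings


if __name__ == "__main__":
    scoped = build_invoke_policy(ALLOWED_MODEL_ARNS, VPC_ENDPOINT_ID)
    print(json.dumps(scoped, indent=2))
    print("broad policy findings:", policy_findings(OVERLY_BROAD_POLICY))
    print("scoped policy findings:", policy_findings(scoped))
```

Attach the scoped policy to the role your application assumes; the aws:SourceVpce condition means a leaked credential used from outside the VPC endpoint is denied even though it is otherwise valid.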
Troubleshooting HIPAA compliance issues
- If you see access denied errors, verify your IAM policies and that your AWS account has a signed BAA.
- Ensure encryption keys used with AWS KMS are enabled and accessible.
- Check that Bedrock API calls are made within the approved AWS regions for HIPAA.
- Review CloudTrail logs for unauthorized access attempts.
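The last three troubleshooting checks (KMS aside) can be run over CloudTrail records directly. The following is an added example, not code from the original page or from AWS: it parses a CloudTrail log file, keeps only Bedrock API events, and flags AccessDenied errors, calls from regions outside your approved list, and calls that did not arrive through the approved VPC endpoint. The records are constructed samples in CloudTrail's JSON shape with placeholder IDs; the approved region set and endpoint ID are assumptions. Note that CloudTrail records the API call and caller, not prompts or responses; those are captured separately by Bedrock's model invocation logging.

```python
"""Triage of CloudTrail records for Bedrock API calls. Added example; the
records, account ID, role names and endpoint ID below are constructed samples."""
import json

APPROVED_REGIONS = {"us-east-1", "us-west-2"}      # assumption: your HIPAA-approved regions
APPROVED_VPC_ENDPOINT = "vpce-0123456789abcdef0"   # placeholder

# Constructed sample CloudTrail file (not real events)
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "Converse", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/session1"},
     "vpcEndpointId": "vpce-0123456789abcdef0", "sourceIPAddress": "10.0.1.25"},
    {"eventTime": "2024-01-10T12:01:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform bedrock:InvokeModel",
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-01-10T12:02:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "Converse", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/session2"},
     "vpcEndpointId": "vpce-0123456789abcdef0", "sourceIPAddress": "10.0.2.9"},
    {"eventTime": "2024-01-10T12:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "sourceIPAddress": "10.0.1.1"},
]})


def triage_bedrock_events(cloudtrail_json, approved_regions, approved_vpce):
    """Return (finding_kind, detail) tuples for Bedrock events that need review.

    A record with no vpcEndpointId reached the service over the public endpoint,
    which is exactly the exposure the VPC endpoint is meant to remove."""
    records = json.loads(cloudtrail_json)["Records"]
    findings = []
    for r in records:
        if r.get("eventSource") != "bedrock.amazonaws.com":
            continue  # only Bedrock API calls are in scope here
        who = r.get("userIdentity", {}).get("arn", "<unknown>")
        where = f"{r['eventTime']} {r['eventName']} by {who}"
        if r.get("errorCode") == "AccessDenied":
            findings.append(("access_denied", f"{where}: {r.get('errorMessage', '')}"))
        if r.get("awsRegion") not in approved_regions:
            findings.append(("unapproved_region", f"{where} in {r.get('awsRegion')}"))
        if r.get("vpcEndpointId") != approved_vpce:
            findings.append(("not_via_vpc_endpoint", f"{where} from {r.get('sourceIPAddress')}"))
    return findings


def summarize(findings):
    """Count findings per kind so a dashboard or alert can threshold on them."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_bedrock_events(SAMPLE_CLOUDTRAIL, APPROVED_REGIONS, APPROVED_VPC_ENDPOINT)
    for kind, detail in results:
        print(f"[{kind}] {detail}")
    print(summarize(results))
```

On the constructed sample, the denied call from the contractor IAM user is flagged twice (denied, and not via the VPC endpoint), and the otherwise successful call in eu-west-1 is flagged for the region; the in-VPC us-east-1 call and the S3 event produce nothing.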
Key Takeaways
- Sign an AWS Business Associate Agreement (BAA) before using Bedrock for HIPAA workloads.
- Use AWS KMS encryption and VPC endpoints to secure data in Bedrock API calls.
- Enable audit logging with CloudTrail and CloudWatch for compliance monitoring.