
HIPAA Omnibus Rule 2013

Best for: Any covered entity or business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI). This includes hospitals, health plans, healthcare clearinghouses, and their subcontractors. If you run infrastructure on AWS for a healthcare client, you are likely a business associate and must comply. There is no revenue or size threshold.

  • Mandatory? Mandatory for covered entities and business associates
  • Who validates? No formal certification; HHS/OCR enforcement
  • Renewal: No fixed cycle; periodic risk assessments required
  • Scope: Protected health information (PHI) across covered entities and BAs

๐Ÿ› U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) ยท HIPAA Omnibus Rule 2013 Official source โ†’

Get Started

module "..." {
  source  = "hipaa.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Logging and Monitoring: Runs 9 controls validating CloudTrail configuration across regions, S3 object-level event logging for both read and write operations, API Gateway stage logging, X-Ray tracing, and CloudFront access logs. These map directly to Section 164.312(b) audit control requirements.
    • Encryption in Transit: Checks SSL certificate assignment on API Gateway stages, CloudFront HTTPS enforcement, and ACM certificate expiration within 30 days. Covers Section 164.312(e)(1) transmission security requirements for AWS-managed endpoints.
    • Encryption at Rest: Validates encryption on API Gateway stage caches and AWS Backup recovery points. The full 50-control benchmark includes additional checks for S3, EBS, and RDS encryption not shown in the sample set.
    • Backup and Contingency Planning: Enforces minimum 35-day retention on backup plans and recovery points, verifies encryption on recovery points, and confirms manual deletion is disabled. Maps to Section 164.308(a)(7) contingency plan requirements.
    • Network Access Control: Confirms Auto Scaling launch configurations do not assign public IPs and that load-balanced Auto Scaling groups use health checks. Validates basic network isolation controls under Section 164.312(a)(1).
  • What you handle

    • Audit Logging and Monitoring: Defining log retention periods, reviewing audit logs on a regular schedule, configuring alerts for suspicious access to ePHI, and documenting your log review procedures. You also need to ensure logs are protected from tampering per Section 164.312(c)(2).
    • Encryption in Transit: Enforcing TLS minimum version policies (TLS 1.2 or higher), managing certificate rotation for non-ACM certificates, and encrypting ePHI transmissions that occur outside AWS (for example, SFTP to partners or email encryption).
    • Encryption at Rest: KMS key access policies, key rotation schedules, documenting which encryption method applies to each data store, and managing encryption for on-premises or hybrid systems outside AWS.
    • Backup and Contingency Planning: Testing restore procedures periodically, documenting your disaster recovery plan, maintaining an emergency mode operations plan, and confirming that your retention periods satisfy the 6-year HIPAA documentation requirement where applicable.
    • Network Access Control: Implementing VPC segmentation for ePHI workloads, configuring security groups and NACLs, managing VPN or Direct Connect for administrative access, and documenting your network architecture in a data flow diagram.

Controls by Category

Audit Controls (Section 164.312(b)) (4 controls)

Section 164.312(b) requires hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. Assessors will want CloudTrail enabled across all regions with object-level logging on S3 buckets that store ePHI. The most common gap: CloudTrail active at the account level but data-plane events missing for S3 read and write operations, which leaves material holes in the access audit trail.
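The gap described above can be expressed as a check over each trail's event selectors. This is an added example, not Compliance.tf's own control: it takes per-trail dicts shaped like boto3's describe_trails(), get_trail_status() and get_event_selectors() responses (classic event selectors only, not advanced selectors) plus a constructed ePHI bucket name, and reports which of the 164.312(b) expectations are unmet.

```python
# Added example (not Compliance.tf code). Trail dicts mirror boto3's
# describe_trails() / get_trail_status() / get_event_selectors() output,
# merged per trail; only classic event selectors are handled.
S3_OBJECT = "AWS::S3::Object"

# Constructed sample: the common gap. A multi-region trail is logging, but
# records only management events, so S3 object reads and writes are missed.
GAP_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": []}]},
]

def s3_data_coverage(selectors, bucket):
    """Which operation classes ('read', 'write') the classic event selectors
    capture at object level for every object in `bucket`."""
    target = f"arn:aws:s3:::{bucket}/"
    covered = set()
    for sel in selectors:
        for res in sel.get("DataResources", []):
            if res.get("Type") != S3_OBJECT:
                continue
            # Values are ARN prefixes: "arn:aws:s3" covers every bucket,
            # "arn:aws:s3:::name/" covers every object in one bucket.
            if not any(target.startswith(v) for v in res.get("Values", [])):
                continue
            rw = sel.get("ReadWriteType", "All")
            if rw in ("ReadOnly", "All"):
                covered.add("read")
            if rw in ("WriteOnly", "All"):
                covered.add("write")
    return covered

def evaluate_audit_controls(trails, ephi_bucket):
    """Findings for the 164.312(b) checks modelled here; empty means pass."""
    findings = []
    if not any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in trails):
        findings.append("no multi-region trail is actively logging")
    covered = set()
    for t in trails:
        if t["IsLogging"]:  # a stopped trail contributes no coverage
            covered |= s3_data_coverage(t["EventSelectors"], ephi_bucket)
    for op in ("read", "write"):
        if op not in covered:
            findings.append(f"S3 {op} data events not logged for {ephi_bucket}")
    return findings

if __name__ == "__main__":
    for finding in evaluate_audit_controls(GAP_TRAILS, "ephi-records"):
        print("FAIL:", finding)
```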

Contingency Plan (Section 164.308(a)(7)) (1 control)

Do backup plans exist, are recovery points retained long enough, and can they be deleted before their retention period expires? Those three questions drive most 164.308(a)(7) findings. Retention policies must align to HIPAA's 6-year documentation requirement under 45 CFR 164.530(j), and manually deletable recovery points come up repeatedly in organizations that haven't thought through insider threat or ransomware scenarios.
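The three questions above, turned into a check. This is an added example, not Compliance.tf's own control: it consumes constructed dicts shaped like boto3 AWS Backup responses (get_backup_plan, describe_backup_vault, list_recovery_points_by_backup_vault) and reports rules or recovery points retained for less than 35 days, vaults without a Vault Lock, and unencrypted recovery points.

```python
# Added example (not Compliance.tf code). Inputs mirror boto3 AWS Backup shapes:
# plans = [get_backup_plan()["BackupPlan"], ...], vaults = {name:
# describe_backup_vault()}, points = list_recovery_points_by_backup_vault()
# ["RecoveryPoints"]. The 35-day floor is the one the page's controls enforce.
MIN_RETENTION_DAYS = 35

# Constructed sample: a plan exists, but its rule expires too early, the vault
# has no Vault Lock, and the recovery point is unencrypted.
PLANS = [{"BackupPlanName": "ephi-daily", "Rules": [
    {"RuleName": "daily", "TargetBackupVaultName": "ephi-vault",
     "Lifecycle": {"DeleteAfterDays": 14}}]}]
VAULTS = {"ephi-vault": {"BackupVaultName": "ephi-vault", "Locked": False}}
POINTS = [{"RecoveryPointArn": "arn:aws:backup:us-east-1:111122223333:"
           "recovery-point:rp-1", "BackupVaultName": "ephi-vault",
           "IsEncrypted": False, "Lifecycle": {"DeleteAfterDays": 14}}]

def retention_ok(lifecycle):
    """No DeleteAfterDays means 'retain indefinitely', which passes."""
    days = (lifecycle or {}).get("DeleteAfterDays")
    return days is None or days >= MIN_RETENTION_DAYS

def evaluate_contingency(plans, vaults, points):
    """Answer the three 164.308(a)(7) questions; empty list means pass."""
    findings = []
    if not plans:
        findings.append("no backup plan exists")
    for plan in plans:
        for rule in plan["Rules"]:
            name = f"{plan['BackupPlanName']}/{rule['RuleName']}"
            if not retention_ok(rule.get("Lifecycle")):
                findings.append(f"rule {name} retains less than {MIN_RETENTION_DAYS} days")
            vault = vaults.get(rule["TargetBackupVaultName"], {})
            # Only a Vault Lock stops recovery points being deleted by hand
            # before their lifecycle expires.
            if not vault.get("Locked"):
                findings.append(f"vault {rule['TargetBackupVaultName']} is not locked")
    for rp in points:
        rp_id = rp["RecoveryPointArn"].rsplit(":", 1)[-1]
        if not rp.get("IsEncrypted"):
            findings.append(f"recovery point {rp_id} is not encrypted")
        if not retention_ok(rp.get("Lifecycle")):
            findings.append(f"recovery point {rp_id} retains less than {MIN_RETENTION_DAYS} days")
    return findings

if __name__ == "__main__":
    for finding in evaluate_contingency(PLANS, VAULTS, POINTS):
        print("FAIL:", finding)
```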

Encryption at Rest (Section 164.312(a)(2)(iv)) (1 control)

The first thing an assessor examines is whether encryption is enabled by default, not applied retroactively after a finding. ePHI in caches, backups, databases, and object stores all need AES-256 or equivalent, and KMS key policies get scrutinized. Unencrypted backup recovery points are a persistent gap: organizations encrypt primary storage and miss the backup vault entirely.

Transmission Security (Section 164.312(e)(1)) (2 controls)

Every endpoint transmitting ePHI needs TLS enforcement, and assessors will check certificate validity, expiration dates, and whether plaintext HTTP is blocked or redirected. Expired ACM certificates are a frequent finding because ACM does not renew imported certificates, and managed renewal fails for DNS-validated certificates whose validation CNAME records have been removed.

Additional Controls (96)

  • AWS CloudTrail (3)
  • AWS CodeBuild (1)
  • AWS Database Migration Service (1)
  • AWS IAM (8)
  • AWS KMS (1)
  • AWS Lambda (4)
  • AWS Secrets Manager (1)
  • AWS WAF (1)
  • Amazon CloudWatch (2)
  • Amazon CloudWatch Logs (1)
  • Amazon DynamoDB (3)
  • Amazon DynamoDB Accelerator (1)
  • Amazon EBS (2)
  • Amazon EC2 (6)
  • Amazon EFS (2)
  • Amazon EKS (1)
  • Amazon EMR (1)
  • Amazon ElastiCache (1)
  • Amazon OpenSearch Service (4)
  • Amazon RDS (14)
  • Amazon Redshift (8)
  • Amazon S3 (13)
  • Amazon SNS (1)
  • Amazon SageMaker (4)
  • Amazon VPC (1)
  • Elastic Load Balancing (7)
  • Other (4)

Frequently Asked Questions

Does HIPAA apply to my organization if we only host infrastructure for a healthcare client but never view the data?

Yes. The 2013 Omnibus Rule extended HIPAA obligations directly to business associates, defined as any entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. Hosting infrastructure that stores ePHI makes you a business associate even if your staff never access the data. You must sign a Business Associate Agreement (BAA) and comply with the applicable Security Rule provisions. AWS offers a BAA, but configuring your resources to meet HIPAA requirements stays with you.

Is there a HIPAA certification or audit report I can obtain?

No official HIPAA certification exists. Unlike PCI DSS or SOC 2, no accredited body issues a HIPAA compliance certificate. Compliance is typically demonstrated through internal risk assessments, third-party security assessments, and documentation. Some organizations pursue HITRUST CSF certification as a proxy, since HITRUST incorporates HIPAA requirements. OCR audits are investigatory, not certifying.

How does the Omnibus Rule change breach notification requirements compared to the original HITECH Act rules?

The Omnibus Rule replaced the 'significant risk of financial, reputational, or other harm' standard with a presumption that any impermissible use or disclosure of unsecured ePHI is a breach. The burden shifted to the covered entity to demonstrate a 'low probability that PHI has been compromised' using a four-factor risk assessment per 45 CFR 164.402, which makes the notification threshold lower and harder to avoid. Affected individuals must be notified within 60 days of discovery, and breaches involving 500 or more individuals require notification to OCR and local media outlets.

What are the penalties for non-compliance?

The Omnibus Rule adopted a four-tier penalty structure under 45 CFR 160.404. Tier 1 (lack of knowledge): $100 to $50,000 per violation. Tier 2 (reasonable cause): $1,000 to $50,000 per violation. Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation. Tier 4 (willful neglect, not corrected): $50,000 per violation. The annual cap per identical provision is $1.5 million, adjusted for inflation and currently above $2 million. Criminal penalties up to $250,000 and imprisonment apply under 42 USC 1320d-6.

How frequently should I run these automated controls against my AWS environment?

Run the full benchmark at least weekly, with critical controls (encryption, logging, public access) checked daily or via continuous monitoring. The Security Rule requires ongoing risk management per 45 CFR 164.308(a)(1)(ii)(B), not point-in-time snapshots. Integrate the powerpipe benchmark into your CI/CD pipeline to catch misconfigurations before they reach production, and retain scan results for at least six years per the HIPAA documentation retention requirement.