compliance.tf
Compliance FrameworksCore Frameworks

HIPAA Omnibus Rule 2013

Best for: Any covered entity or business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI). This includes hospitals, health plans, healthcare clearinghouses, and their subcontractors. If you run infrastructure on AWS for a healthcare client, you are likely a business associate and must comply. There is no revenue or size threshold.

Mandatory?Mandatory for covered entities and business associates
Who validates?No formal certification; HHS/OCR enforcement
RenewalNo fixed cycle; periodic risk assessments required
ScopeProtected health information (PHI) across covered entities and BAs

๐Ÿ› U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) ยท HIPAA Omnibus Rule 2013 Official source โ†’

Get Started

module "..." {
  source  = "hipaa.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Logging and Monitoring: Runs 9 controls validating CloudTrail configuration across regions, S3 object-level event logging for both read and write operations, API Gateway stage logging, X-Ray tracing, and CloudFront access logs. These map directly to Section 164.312(b) audit control requirements.
  • Encryption in Transit: Checks SSL certificate assignment on API Gateway stages, CloudFront HTTPS enforcement, and ACM certificate expiration within 30 days. Covers Section 164.312(e)(1) transmission security requirements for AWS-managed endpoints.
  • Encryption at Rest: Validates encryption on API Gateway stage caches and AWS Backup recovery points. The full 50-control benchmark includes additional checks for S3, EBS, and RDS encryption not shown in the sample set.
  • Backup and Contingency Planning: Enforces minimum 35-day retention on backup plans and recovery points, verifies encryption on recovery points, and confirms manual deletion is disabled. Maps to Section 164.308(a)(7) contingency plan requirements.
  • Network Access Control: Confirms Auto Scaling launch configurations do not assign public IPs and that load-balanced Auto Scaling groups use health checks. Validates basic network isolation controls under Section 164.312(a)(1).

What you handle

  • Audit Logging and Monitoring: Defining log retention periods, reviewing audit logs on a regular schedule, configuring alerts for suspicious access to ePHI, and documenting your log review procedures. You also need to ensure logs are protected from tampering per Section 164.312(c)(2).
  • Encryption in Transit: Enforcing TLS minimum version policies (TLS 1.2 or higher), managing certificate rotation for non-ACM certificates, and encrypting ePHI transmissions that occur outside AWS (for example, SFTP to partners or email encryption).
  • Encryption at Rest: KMS key access policies, key rotation schedules, documenting which encryption method applies to each data store, and managing encryption for on-premises or hybrid systems outside AWS.
  • Backup and Contingency Planning: Testing restore procedures periodically, documenting your disaster recovery plan, maintaining an emergency mode operations plan, and confirming that your retention periods satisfy the 6-year HIPAA documentation requirement where applicable.
  • Network Access Control: Implementing VPC segmentation for ePHI workloads, configuring security groups and NACLs, managing VPN or Direct Connect for administrative access, and documenting your network architecture in a data flow diagram.

Controls by Category

Audit Controls (Section 164.312(b)) (4 controls)

Section 164.312(b) requires hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. Assessors will want CloudTrail enabled across all regions with object-level logging on S3 buckets that store ePHI. The most common gap: CloudTrail active at the account level but data-plane events missing for S3 read and write operations, which leaves material holes in the access audit trail.

API Gateway stages should have logging enabledAPI Gateway REST API stages should have AWS X-Ray tracing enabledCloudFront distributions access logs should be enabledcompliance.tf moduleCloudTrail trails should have at least one enabled trail present in a region

Contingency Plan (Section 164.308(a)(7)) (1 control)

Do backup plans exist, are recovery points retained long enough, and can they be deleted before their retention period expires? Those three questions drive most 164.308(a)(7) findings. Retention policies must align to HIPAA's 6-year documentation requirement under 45 CFR 164.530(j), and manually deletable recovery points come up repeatedly in organizations that haven't thought through insider threat or ransomware scenarios.

Backup plans should have minimum frequency and minimum retention configured

Encryption at Rest (Section 164.312(a)(2)(iv)) (1 control)

The first thing an assessor examines is whether encryption is enabled by default, not applied retroactively after a finding. ePHI in caches, backups, databases, and object stores all need AES-256 or equivalent, and KMS key policies get scrutinized. Unencrypted backup recovery points are a persistent gap: organizations encrypt primary storage and miss the backup vault entirely.

API Gateway stages should have cache encryption at rest enabled

Transmission Security (Section 164.312(e)(1)) (2 controls)

Every endpoint transmitting ePHI needs TLS enforcement, and assessors will check certificate validity, expiration dates, and whether plaintext HTTP is blocked or redirected. Expired ACM certificates are a frequent finding because automated renewal sometimes fails for imported or DNS-validated certificates that have lost their validation records.

API Gateway stages should not use client SSL certificatesCloudFront distributions should require encryption in transitcompliance.tf module
Additional Controls (96)

AWS CloudTrail (3)

CloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled

AWS CodeBuild (1)

CodeBuild projects should have logging enabled

AWS Database Migration Service (1)

DMS replication instances should not be publicly accessiblecompliance.tf module

AWS IAM (8)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (4)

Lambda functions should have concurrent execution limit configuredcompliance.tf moduleLambda functions should be configured with a dead-letter queuecompliance.tf moduleLambda functions should be in a VPCcompliance.tf moduleLambda functions should restrict public URLcompliance.tf module

AWS Secrets Manager (1)

Secrets Manager secrets should be encrypted using CMKcompliance.tf module

AWS WAF (1)

WAFv2 rules should have CloudWatch metrics enabled

Amazon CloudWatch (2)

CloudWatch alarms should have an action configuredcompliance.tf moduleCloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (3)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon DynamoDB Accelerator (1)

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Amazon EBS (2)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (6)

EC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EKS (1)

EKS clusters should be configured to have kubernetes secrets encrypted using KMScompliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon OpenSearch Service (4)

OpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should use HTTPScompliance.tf moduleOpenSearch domains should be in a VPCcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (14)

RDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have iam authentication enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (8)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have enhanced VPC routing enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (13)

S3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object lock enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (7)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancers should only use SSL or HTTPS listenerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf module

Other (4)

ES domain encryption at rest should be enabledES domains should be in a VPCElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabled

Related Frameworks

HIPAA Security Rule 2003 โ€” ๐ŸŸข High overlap (85%)

The 2013 Omnibus Rule builds directly on the original HIPAA Security Rule (45 CFR Part 164, Subparts A and C). Most technical safeguard controls are identical. The Omnibus Rule adds breach notification requirements, extends obligations to business associates, and changes the breach risk assessment standard from 'significant risk of harm' to the broader 'low probability of compromise' test.

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (55%)

HHS published a crosswalk mapping HIPAA Security Rule standards to NIST 800-53 controls. Organizations already compliant with NIST 800-53 families AU (Audit), AC (Access Control), SC (System and Communications Protection), and CP (Contingency Planning) will satisfy many HIPAA technical safeguards. NIST is broader in scope and includes controls for areas HIPAA does not explicitly address, such as supply chain risk management.

NIST CSF v1.0 โ€” ๐ŸŸก Medium overlap (45%)

OCR has published guidance mapping the NIST Cybersecurity Framework to HIPAA. The CSF Protect and Detect functions align well with HIPAA technical safeguards, but CSF is voluntary and higher-level. Using CSF as your risk management structure can simplify HIPAA compliance reporting.

Frequently Asked Questions

Does HIPAA apply to my organization if we only host infrastructure for a healthcare client but never view the data?
Yes. The 2013 Omnibus Rule extended HIPAA obligations directly to business associates, defined as any entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. Hosting infrastructure that stores ePHI makes you a business associate even if your staff never access the data. You must sign a Business Associate Agreement (BAA) and comply with the applicable Security Rule provisions. AWS offers a BAA, but configuring your resources to meet HIPAA requirements stays with you.
Is there a HIPAA certification or audit report I can obtain?
No official HIPAA certification exists. Unlike PCI DSS or SOC 2, no accredited body issues a HIPAA compliance certificate. Compliance is typically demonstrated through internal risk assessments, third-party security assessments, and documentation. Some organizations pursue HITRUST CSF certification as a proxy, since HITRUST incorporates HIPAA requirements. OCR audits are investigatory, not certifying.
How does the Omnibus Rule change breach notification requirements compared to the original HITECH Act rules?
The Omnibus Rule replaced the 'significant risk of financial, reputational, or other harm' standard with a presumption that any impermissible use or disclosure of unsecured ePHI is a breach. The burden shifted to the covered entity to demonstrate a 'low probability that PHI has been compromised' using a four-factor risk assessment per 45 CFR 164.402, which makes the notification threshold lower and harder to avoid. Affected individuals must be notified within 60 days of discovery, and breaches involving 500 or more individuals require notification to OCR and local media outlets.
What are the penalties for non-compliance?
The Omnibus Rule adopted a four-tier penalty structure under 45 CFR 160.404. Tier 1 (lack of knowledge): $100 to $50,000 per violation. Tier 2 (reasonable cause): $1,000 to $50,000 per violation. Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation. Tier 4 (willful neglect, not corrected): $50,000 per violation. The annual cap per identical provision is $1.5 million, adjusted for inflation and currently above $2 million. Criminal penalties up to $250,000 and imprisonment apply under 42 USC 1320d-6.
How frequently should I run these automated controls against my AWS environment?
Run the full benchmark at least weekly, with critical controls (encryption, logging, public access) checked daily or via continuous monitoring. The Security Rule requires ongoing risk management per 45 CFR 164.308(a)(1)(ii)(B), not point-in-time snapshots. Integrate the powerpipe benchmark into your CI/CD pipeline to catch misconfigurations before they reach production, and retain scan results for at least six years per the HIPAA documentation retention requirement.

PCI DSS v4.0

Previous Page

ISO/IEC 27001:2022

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAudit Controls (Section 164.312(b)) (4)Contingency Plan (Section 164.308(a)(7)) (1)Encryption at Rest (Section 164.312(a)(2)(iv)) (1)Transmission Security (Section 164.312(e)(1)) (2)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page