HIPAA Security Rule 2003
Deprecated Framework
Best for: Covered entities and business associates that create, receive, maintain, or transmit electronic protected health information (ePHI). This includes hospitals, clinics, health insurers, billing companies, and cloud providers handling ePHI under a BAA. There is no size or revenue threshold. SaaS vendors serving healthcare customers are business associates and must comply directly. HHS OCR enforcement carries civil penalties up to $2.13 million per violation category per year.
| Attribute | Detail |
|---|---|
| Mandatory? | Mandatory for covered entities and business associates |
| Who validates? | No formal certification; HHS/OCR enforcement |
| Renewal | No fixed cycle; periodic risk assessments required |
| Scope | Electronic protected health information (ePHI) |
🏛 U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) · HIPAA Security Rule 2003 (superseded by Omnibus 2013)
Get Started

```hcl
module "..." {
  source  = "hipaasecurity2003.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Audit Logging and Monitoring: Nine controls covering CloudTrail configuration (multi-region, S3 data events, log validation, CloudWatch integration), API Gateway stage logging, CloudFront access logs, CloudWatch log group retention at 365 days, and CodeBuild project logging.
- Encryption at Rest: Verifies encryption on API Gateway stage caches, CloudTrail log files (KMS CMK), and AWS Backup recovery points. The full benchmark extends coverage to S3, EBS, RDS, and other storage services beyond the sample controls shown here.
- Encryption in Transit: Checks CloudFront TLS enforcement and ACM certificate expiration within 30 days. The full benchmark adds ELB listener configurations and other transit encryption checks.
- Backup and Recovery: Four controls: AWS Backup plan retention minimums (35 days), recovery point retention periods, manual deletion protection on recovery points, and Auto Scaling health check configuration for availability.
- Incident Response Readiness: Checks that the AWS account security contact is registered and that CloudWatch alarms have configured actions, confirming alerts are wired to responsible personnel.
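As an added illustration (not Compliance.tf module code and not from the original page), the raw AWS provider resources behind several of the audit-logging, encryption-at-rest and backup checks listed above, set to the values those checks look for. The KMS key, IAM role, backup vault and S3 bucket name are assumed placeholders that would be defined elsewhere.

```hcl
# Added example, not Compliance.tf module code. aws_kms_key.audit,
# aws_iam_role.trail_to_cw, aws_backup_vault.ephi and the bucket name are
# placeholders assumed to exist elsewhere in the configuration.

resource "aws_cloudwatch_log_group" "trail" {
  name              = "/aws/cloudtrail/ephi-audit"
  retention_in_days = 365                  # check: log group retention of 365 days
  kms_key_id        = aws_kms_key.audit.arn
}

resource "aws_cloudtrail" "ephi" {
  name                       = "ephi-audit-trail"
  s3_bucket_name             = "example-ephi-cloudtrail-logs"  # placeholder bucket
  is_multi_region_trail      = true        # check: multi-region trail
  enable_log_file_validation = true        # check: integrity digests on log files
  kms_key_id                 = aws_kms_key.audit.arn       # check: KMS CMK on log files
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.trail.arn}:*"  # check: CloudWatch integration
  cloud_watch_logs_role_arn  = aws_iam_role.trail_to_cw.arn

  event_selector {
    read_write_type           = "All"
    include_management_events = true
    data_resource {                        # check: S3 data events recorded
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]              # every bucket in the account
    }
  }
}

resource "aws_backup_plan" "ephi" {
  name = "ephi-daily"
  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.ephi.name
    schedule          = "cron(0 5 * * ? *)"
    lifecycle {
      delete_after = 35                    # check: recovery points kept at least 35 days
    }
  }
}

# Vault Lock blocks manual deletion of recovery points younger than
# min_retention_days; changeable_for_days is omitted here so the lock itself
# stays removable (governance mode) while the plan is being tested.
resource "aws_backup_vault_lock_configuration" "ephi" {
  backup_vault_name  = aws_backup_vault.ephi.name
  min_retention_days = 35                  # check: manual deletion protection
}
```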
What you handle
- Audit Logging and Monitoring: Defining which logs constitute your ePHI audit trail, establishing review procedures, and training workforce members on log analysis. You also need a documented process for responding when log anomalies are detected.
- Encryption at Rest: Key management policy, rotation schedules, IAM-based key access restrictions, and documented encryption standards. The addressable specification under §164.312(a)(2)(iv) requires you to assess whether encryption is reasonable and appropriate for your environment and record your rationale if you choose an alternative measure.
- Encryption in Transit: Selecting minimum TLS versions, managing certificate lifecycle beyond expiration alerting, and confirming that all network paths carrying ePHI (including internal service-to-service traffic) enforce encryption.
- Backup and Recovery: Developing and testing a full contingency plan per §164.308(a)(7), including disaster recovery and emergency mode operation procedures. This means documented RTO/RPO targets, periodic recovery testing, and a process for activating emergency mode operations.
- Incident Response Readiness: Writing an incident response plan that satisfies §164.308(a)(6), training your workforce on breach notification procedures under the HITECH Act's Breach Notification Rule, and running periodic tabletop exercises. Compliance.tf confirms the alerting infrastructure exists but cannot verify your human response processes.
Controls by Category
Administrative Safeguards: Contingency Plan (§164.308(a)(7)) (1 control)
The paper-versus-practice gap is where organizations fail §164.308(a)(7) most often. A documented backup policy does not satisfy an auditor who can demonstrate that manual deletion of recovery points was never disabled. Assessors want retention enforced at the infrastructure level, not just described in a policy document, and they check health check configurations as evidence that availability commitments are backed by actual controls.
Administrative Safeguards: Security Management Process (§164.308(a)(1)) (1 control)
A missing security contact on an AWS account is a concrete signal that incident response ownership has not been formalized. Alongside designated contacts, assessors check for active alarm configurations, confirming both that the organization can detect security events and that someone is wired to receive the alert. §164.308(a)(1) requires procedures to prevent, detect, contain, and correct security violations, and these two controls are the minimum infrastructure evidence for that requirement.
Technical Safeguards: Audit Controls (§164.312(b)) (7 controls)
The most common finding here is logging enabled on primary services but absent from supporting infrastructure like API gateways and build pipelines. §164.312(b) requires hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. Assessors want to see log integrity controls (CloudTrail validation is the obvious one) and retention periods long enough to support incident investigations.
Technical Safeguards: Encryption at Rest (§164.312(a)(2)(iv)) (2 controls)
Backup recovery points and API Gateway caches are where assessors most often find gaps. The core question is whether ePHI at rest is encrypted as an access control mechanism and whether key management is defensible. KMS-managed CMKs carry more weight than default encryption when you're explaining your key management posture.
Technical Safeguards: Transmission Security (§164.312(e)(1)) (1 control)
Expect an assessor to examine TLS configuration, certificate validity, and HTTPS enforcement on every public-facing endpoint carrying ePHI. Expired or soon-to-expire certificates get flagged because they can trigger fallback to unencrypted connections or availability outages. Internal service-to-service paths are a frequent gap that falls outside what these controls check.
Additional Controls (58)
- AWS Database Migration Service (1)
- AWS Lambda (2)
- Amazon CloudWatch Logs (1)
- Amazon DynamoDB (3)
- Amazon DynamoDB Accelerator (1)
- Amazon EC2 (3)
- Amazon EFS (2)
- Amazon EKS (1)
- Amazon ElastiCache (1)
- Amazon OpenSearch Service (4)
- Amazon RDS (6)
- Amazon Redshift (5)
- Amazon S3 (12)
- Amazon SageMaker (4)
- Elastic Load Balancing (4)
Related Frameworks
NIST 800-53 Rev 5 — 🟢 High overlap (72%)
Mappings between HIPAA Security Rule requirements and NIST 800-53 are typically derived from NIST guidance (for example, NIST SP 800-66), while HHS OCR's published crosswalk is to the NIST CSF. Organizations already compliant with the NIST 800-53 moderate baseline will satisfy most HIPAA technical and administrative safeguard requirements, though HIPAA-specific obligations around ePHI definitions, business associate management, and breach notification are not covered by NIST 800-53 alone.
NIST CSF v1.0 — 🟢 High overlap (60%)
HHS released guidance mapping the HIPAA Security Rule to the NIST Cybersecurity Framework. The CSF's Protect, Detect, and Respond functions share some requirements with HIPAA's technical safeguards. The CSF is a voluntary risk management framework, however, and lacks HIPAA's specific requirements for workforce training, business associate agreements, and ePHI handling procedures.
SOC 2 — 🟡 Medium overlap (55%)
SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality partially overlaps with HIPAA's technical safeguards. Many healthcare SaaS vendors pursue SOC 2 alongside HIPAA compliance. SOC 2 does not address HIPAA-specific requirements like the Privacy Rule, breach notification, or business associate obligations.