HIPAA

Strengthen the AWS access controls protecting electronic health information.

Securitain assesses the AWS IAM controls around ePHI and turns them into evidence you can hand to your security and compliance teams — read-only, agentless, and explainable.

Technical evidence support, not certification. Securitain does not make any organization “HIPAA compliant” or certified. It assesses AWS access controls and maps findings to HIPAA control areas to support your compliance program; formal attestation is performed by independent auditors.

Why it matters

The problem teams bring to HIPAA

Teams handling electronic protected health information have to show that access to that data is tightly controlled. In AWS, that comes down to who can reach the systems holding ePHI, whether their access is least-privilege, and whether credentials and external trust are properly guarded. Securitain makes those AWS access controls visible and produces the technical evidence that supports your HIPAA Security Rule work.

What Securitain evaluates today

AWS access controls, assessed read-only

  • Console access without MFA
  • Admin users and roles with broad privilege
  • Access-key age, usage, and privilege level
  • Least-privilege and sensitive-permission gaps
  • External trust relationships and third-party conditions
  • Identity Center admin permission sets
  • Supported S3/KMS exposure and KMS decrypt paths
  • Finding evidence, remediation guidance, and reports

Example findings

From observation to evidence

  Observation                              Evidence attached to the finding
  Admin user without MFA                   IAM user ARN, MFA status, attached admin policy, scan timestamp
  Role assumable by an external account    Trust policy statement, external principal, ExternalId presence
  Broad kms:Decrypt across keys            Identity ARN, effective permission set, affected KMS key policies
  Aging, over-privileged access key        Key ID, age, last-used date, privilege summary
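As an added illustration of how two of the findings above are derived from the evidence they cite, here is a small offline check written for this page (it is not Securitain's code and does not describe its implementation). It reads a constructed IAM credential report (the CSV shape that `aws iam get-credential-report` returns) to find console identities without MFA, and walks constructed AssumeRolePolicyDocuments to find statements that let a principal outside the home account assume a role, recording whether an sts:ExternalId condition is present. The account IDs, user names and role names are hypothetical.

```python
"""Two of the access-control checks from the table above, evaluated offline.
Added example for this page, not Securitain's code. All identifiers
(account IDs, users, roles) are constructed."""
import csv
import io

HOME_ACCOUNT = "111122223333"  # hypothetical account under assessment

# Constructed credential-report excerpt; column names match the real report.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false
"""


def trust(principal, condition=None):
    """Build a one-statement AssumeRolePolicyDocument (constructed data)."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed trust policies: a vendor trust with ExternalId, a legacy
# cross-account trust without one, and a service trust (not a foreign account).
TRUST_POLICIES = {
    "arn:aws:iam::111122223333:role/VendorAudit": trust(
        {"AWS": "arn:aws:iam::999988887777:root"},
        {"StringEquals": {"sts:ExternalId": "vendor-7f3a"}}),
    "arn:aws:iam::111122223333:role/LegacyIntegration": trust(
        {"AWS": ["999988887777", "arn:aws:iam::111122223333:root"]}),
    "arn:aws:iam::111122223333:role/EC2App": trust(
        {"Service": "ec2.amazonaws.com"}),
}


def users_without_mfa(report_csv):
    """ARNs of identities that can sign in to the console without MFA.
    password_enabled is 'true' for console users and 'not_supported' for
    root, which always has a console login; key-only users are skipped."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_login = row["password_enabled"] in ("true", "not_supported")
        if console_login and row["mfa_active"] != "true":
            flagged.append(row["arn"])
    return flagged


def principal_account(principal):
    """Account ID named by an AWS principal: '*' for the wildcard, the
    5th ARN field for an ARN, or the value itself for a bare account ID."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def external_trusts(role_arn, policy, home_account=HOME_ACCOUNT):
    """Allow statements that let another account (or anyone) assume the role.
    Each finding carries the evidence fields from the table: statement index,
    external principal, and whether sts:ExternalId is required."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        # IAM condition keys are case-insensitive, so compare lowercased.
        requires_external_id = any(
            key.lower() == "sts:externalid"
            for block in stmt.get("Condition", {}).values()
            for key in block)
        for p in aws:
            if principal_account(p) != home_account:
                findings.append({
                    "role": role_arn,
                    "statement": idx,
                    "external_principal": p,
                    "external_id_required": requires_external_id,
                })
    return findings


def assess(report_csv=CREDENTIAL_REPORT, trust_policies=TRUST_POLICIES):
    """Run both checks and return the findings as one dict."""
    return {
        "console_without_mfa": users_without_mfa(report_csv),
        "external_trust": [f for arn, pol in trust_policies.items()
                           for f in external_trusts(arn, pol)],
    }
```

Against the constructed data, `assess()` flags bob (console login, no MFA) and two external trusts: VendorAudit with ExternalId required, and LegacyIntegration with a bare external account and no condition at all. In a live assessment the same two inputs come from a read-only role via `iam.get_credential_report()` and the `AssumeRolePolicyDocument` on each role from `iam.list_roles()`. Note the check only records ExternalId presence, as the table does; ExternalId defends against the confused-deputy problem with third-party vendors, while cross-account trust inside your own organization is usually constrained with conditions such as aws:PrincipalOrgID instead, so an external trust without ExternalId is a finding to review, not automatically a defect.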

In the Compliance Center

How HIPAA results appear

Each finding maps to the relevant HIPAA control areas, with a justification drawer showing the check used, expected vs observed configuration, the affected account and ARN, an evidence timestamp, and remediation guidance. Securitain describes control areas rather than asserting authoritative control IDs.

1. Finding generated with evidence
2. Mapped to HIPAA control areas
3. Justification drawer with observed configuration
4. Remediation guidance attached
5. Included in the assessment report

Shared responsibility

What stays manual and organizational

Securitain supports

  • Evidence that AWS access to ePHI systems is least-privilege
  • MFA and credential-hygiene findings with remediation guidance
  • External-trust and resource-exposure findings on supported services
  • Mapping of IAM findings to HIPAA access-control areas

Your program completes

  • Risk analysis and risk management process
  • Workforce training and sanction policies
  • Business Associate Agreements and vendor management
  • Physical safeguards and contingency planning
  • Independent assessment and management attestation

Next phase

Planned — not current coverage

  • Dedicated data-asset posture for ePHI stores (S3/RDS/DynamoDB)
  • Sensitive-data discovery and PHI classification
  • Encryption-coverage and backup-compliance monitoring

HIPAA FAQ

Common questions

Does Securitain make us HIPAA compliant?

No. HIPAA compliance is an organizational program, not a product output. Securitain provides technical assessment and evidence for the AWS access controls that support your HIPAA Security Rule work — it does not certify compliance.

Which safeguards does it help with?

Primarily the technical access controls in AWS IAM: unique identification, MFA, least privilege, external trust, and supported resource exposure. Administrative and physical safeguards remain your program’s responsibility.

Can we use the output for an audit?

You can use the assessment report and per-scan evidence as supporting technical evidence. Formal attestation is performed by independent auditors.

Strengthen your HIPAA access controls

Connect a read-only role and see how your AWS IAM findings support your HIPAA evidence — with mapping, justification, and remediation guidance on every scan.