Hello Navi,
Based on AWS documentation, Bedrock is compliant with the HIPAA BAA. The models included there are just implementations in Bedrock.
Please remember that while the service is compliant with HIPAA, it is still your responsibility to ensure that the data is secured, encrypted and handled appropriately.
Regards, Mukul Dharwadkar
Hi,
To get the list of AWS services that are HIPAA-eligible, go to https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
In general, if you need to check compliance with a given standard / regulation, go to https://aws.amazon.com/compliance/programs/, scroll down to your program and then drill into it to get the list of compliant AWS services.
Best,
Didier
If other teams are interested, Hathr.AI (https://hathr.ai) built a HIPAA-compliant AI access layer powered by Claude AI with RAG functionality. It can be reached via API; just reach out to them through their website's contact page.
Thank you for your reply. Is there any documentation that specifically mentions input types and model names and their compliance? I want to make sure that sending images containing PHI is covered by the HIPAA BAA in Bedrock. We will make sure our other stacks are compliant as well.
Unfortunately the compliance is not shared at a model level, AFAIK. The working assumption is that the service would not be compliant unless all the models included are compliant.
Hope this helps.
To add to Mukul's answer, Bedrock is covered under the AWS BAA. When a sub-product is not included in the BAA, you would see an exclusion notice (e.g., AWS Directory Service is listed but excludes the sub-product Simple AD; Bedrock has no exclusions). The Bedrock architecture isolates the model from the vendor within an environment controlled by the AWS service team. There is no egress to, access by, and/or processing by third-party vendors. For example, if you use Claude on Bedrock, Anthropic cannot see inputs and outputs, and cannot see or access customer data. As long as the customer is abiding by the AWS BAA, and configurations are in line with AWS guidance, the AWS BAA should cover Anthropic's models within Bedrock. The AWS BAA would not cover Anthropic if you are using their public API (i.e., the Claude Developer Platform). This is due to egress from an AWS customer-controlled or service-team environment (which the AWS BAA covers) to an uncontrolled environment (owned/managed by Anthropic). Therefore, if you are using the Anthropic-managed Claude Developer Platform, you will most likely need a BAA with Anthropic. Ultimately, the customer's legal team will need to review and confirm an answer in line with the customer's use case.