Most health tech startups I audit have their PHI workloads sitting in a default-ish VPC with public subnets, an internet gateway, a NAT gateway for egress, and a comforting set of security groups doing the heavy lifting. The team's mental model is "the security group is the firewall, so we're fine." Then the HIPAA risk assessment comes back asking why PHI traffic ever touches the public internet, and the answer is uncomfortable.

Here's the network architecture pattern that holds up under HIPAA review and makes SOC 2 CC6.6 (logical access — boundary protection) trivial to evidence.

Private subnets for everything that touches PHI. Application tier, database tier, cache tier, queue tier: none of them gets a public IP, and none of them sits in a subnet whose route table has a route to an internet gateway. The only public-subnet resources are the load balancer and, if you still run one, a bastion. If you use SSM Session Manager instead, the SSM interface endpoints live in the private subnets and you need no public host at all. Auditors want to see a VPC flow log analysis showing zero accepted inbound flows from public source addresses to PHI-handling interfaces (flow logs record the actual source IP, so the check is "no non-VPC source reached a PHI ENI", not a literal 0.0.0.0/0 match). If you can't produce that, your boundary protection control is theoretical.

VPC endpoints, not NAT gateways, for AWS service traffic. This is the part most teams skip on cost grounds and regret on audit grounds. When your application calls S3, DynamoDB, KMS, Secrets Manager, or any other AWS service, that traffic should leave through a VPC endpoint, not a NAT gateway to the public AWS endpoint. Gateway endpoints for S3 and DynamoDB are free. Interface endpoints for the rest are about $7 per endpoint per month per AZ plus a small per-GB processing charge, trivial compared to NAT gateway data processing charges, and far stronger from a compliance posture. Two details make the control real rather than nominal: enable private DNS on each interface endpoint so the SDK's default service hostnames resolve to the endpoint instead of the public IP (without it, traffic quietly keeps using the NAT path), and attach an endpoint policy that limits the endpoint to your own buckets, tables, keys, or account. The control narrative reads: PHI never traverses the public internet to reach AWS services because all AWS API traffic is routed through private VPC endpoints. Auditors love that sentence.
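The two route-layer facts the previous two sections ask for (no PHI subnet routes to an internet gateway; S3 and DynamoDB are reached through gateway endpoints) are easy to check mechanically. The script below is an added example, not the author's tooling: it audits route tables in the shape `ec2.describe_route_tables()["RouteTables"]` returns, using a constructed sample, a hypothetical subnet inventory, and hypothetical prefix list IDs (real ones come from `describe-managed-prefix-lists`).

```python
"""Route-table audit for PHI subnets (added example, not the author's tooling).

Input is a constructed list in the shape of ec2.describe_route_tables()["RouteTables"];
swap in a real boto3 call for a live account.
"""

# Constructed sample. rtb-app is the "default-ish VPC" case from the post: a PHI subnet
# with an internet gateway route and no endpoints. rtb-db is the target state.
# rtb-public is the load balancer subnet, which is allowed its internet gateway route.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"},
        ],
    },
    {
        "RouteTableId": "rtb-db",
        "Associations": [{"SubnetId": "subnet-db-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"},
            {"DestinationPrefixListId": "pl-ddb", "GatewayId": "vpce-ddb"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-lb-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"},
        ],
    },
]

# Hypothetical inventory: subnets that hold PHI workloads, and the regional managed
# prefix list IDs for S3 and DynamoDB (real IDs come from describe-managed-prefix-lists).
PHI_SUBNETS = {"subnet-app-a", "subnet-db-a"}
REQUIRED_ENDPOINT_PREFIX_LISTS = {"pl-s3": "S3", "pl-ddb": "DynamoDB"}

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def audit_route_tables(route_tables, phi_subnets, required_prefix_lists):
    """Return (route_table_id, finding) tuples; an empty list means the route layer is clean."""
    findings = []
    for rt in route_tables:
        rt_id = rt["RouteTableId"]
        associated = {a.get("SubnetId") for a in rt.get("Associations", [])}
        if not associated & phi_subnets:
            continue  # not a PHI subnet's table; the public LB subnet may keep its IGW
        endpoint_prefix_lists = set()
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            target = route.get("GatewayId") or route.get("NatGatewayId") or ""
            if dest in DEFAULT_ROUTES and target.startswith("igw-"):
                findings.append((rt_id, "default route via internet gateway"))
            elif dest in DEFAULT_ROUTES and target.startswith("nat-"):
                # Tolerable only when egress is filtered downstream; flag it for review.
                findings.append((rt_id, "default route via NAT gateway; confirm egress filtering"))
            # Gateway endpoint routes have a prefix-list destination and a vpce- target.
            if target.startswith("vpce-") and route.get("DestinationPrefixListId"):
                endpoint_prefix_lists.add(route["DestinationPrefixListId"])
        for prefix_list, service in required_prefix_lists.items():
            if prefix_list not in endpoint_prefix_lists:
                findings.append((rt_id, f"no gateway endpoint route for {service}"))
    return findings


if __name__ == "__main__":
    for rt_id, finding in audit_route_tables(
        SAMPLE_ROUTE_TABLES, PHI_SUBNETS, REQUIRED_ENDPOINT_PREFIX_LISTS
    ):
        print(f"{rt_id}: {finding}")
```

Run against the sample it reports three findings, all on rtb-app, and nothing on rtb-db; the public subnet is skipped because it is not in the PHI inventory. The output is the kind of artifact that can sit next to the network diagram in the evidence package, and a zero-finding run from the same script on a cadence is stronger evidence than a diagram alone.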

PrivateLink for third-party SaaS that handles PHI. If you're sending PHI to a third-party processor — a Twilio, a Datadog, an analytics vendor with a BAA — and that vendor offers PrivateLink, use it. PrivateLink keeps the traffic on the AWS backbone instead of routing through the public internet. The evidence package is the PrivateLink endpoint configuration, the vendor's BAA, and a network diagram showing PHI flow paths never leaving the AWS network. This is a CC6.6 and HIPAA §164.312(e)(1) two-for-one.

Egress filtering that's actually enforced. Most teams have a NAT gateway behind security groups that allow all outbound traffic and call it secure because it's "outbound only." Auditors increasingly push back on this: outbound from a compromised PHI workload to an attacker-controlled domain is exactly the data exfiltration scenario the control is supposed to prevent. The accepted pattern is AWS Network Firewall or a third-party egress proxy with an allowlist of permitted FQDNs, and firewall alert logs (shipped to CloudWatch or S3) showing blocked egress attempts during the audit period. Note that a drop at the firewall does not show up as a REJECT in the instance's VPC flow logs, because the security group already accepted the packet; the evidence has to come from the firewall's own logs. If your egress logs are empty, either your filter isn't working, its logging isn't wired up, or you have nothing to show.

Flow logs at the VPC level, retained and queryable. Enable VPC flow logs for the entire PHI VPC (at the VPC, not per ENI, so new interfaces are covered automatically), ship them to S3 with Object Lock and a retention policy aligned to your HIPAA documentation requirement (typically six years), and have a documented Athena query the security team runs on a defined cadence to look for anomalies. The evidence is the flow log configuration, the retention policy, the sample query results, and the on-call ticket history showing investigations were performed.
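The flow log analysis that the private-subnet and egress sections above ask for, and that this section says should run on a cadence, can be prototyped on raw records before it becomes an Athena query. The script below is an added example, not the author's query: it reads VPC flow log records in the default version 2 format and reports accepted inbound flows from public addresses to PHI interfaces, accepted egress from PHI interfaces to destinations outside an allowlist, and rejected egress attempts. The log lines, the ENI inventory and the allowlist are constructed; the addresses are documentation ranges standing in for real public IPs.

```python
"""VPC flow log analysis for PHI boundary questions (added example, not the author's query).

Reads default version 2 records. All sample data below is constructed.
"""
import ipaddress
from collections import Counter

# Constructed records. Default format fields: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-app01 10.0.1.10 10.0.2.20 51234 5432 6 20 4096 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-app01 203.0.113.7 10.0.1.10 44321 8080 6 3 180 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-app01 203.0.113.8 10.0.1.10 60001 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-app01 10.0.1.10 192.0.2.55 40000 443 6 12 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-app01 10.0.1.10 198.51.100.9 40002 443 6 2 120 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-db01 10.0.1.10 10.0.2.20 51234 5432 6 20 4096 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-db01 10.0.2.20 203.0.113.50 40500 4444 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-db01 - - - - - - - 1700000000 1700000060 - NODATA
2 111122223333 eni-lb01 203.0.113.9 10.0.0.5 50000 443 6 8 900 1700000000 1700000060 ACCEPT OK
"""

# Hypothetical inventory: ENIs attached to PHI workloads (the load balancer's ENI is
# deliberately absent) and the resolved address ranges of BAA-covered egress destinations.
PHI_ENIS = {"eni-app01", "eni-db01"}
EGRESS_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]
# Anything outside RFC 1918 space is treated as public for this VPC.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_RANGES)


def parse_record(line):
    """Return a dict for a usable v2 record, or None for NODATA/SKIPDATA rows and junk."""
    f = line.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {
        "eni": f[2],
        "src": ipaddress.ip_address(f[3]),
        "dst": ipaddress.ip_address(f[4]),
        "dstport": int(f[6]),
        "action": f[12],
    }


def analyse(log_text, phi_enis=PHI_ENIS, allowlist=EGRESS_ALLOWLIST):
    inbound_from_public = []
    unexpected_egress = []
    rejected_egress = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["eni"] not in phi_enis:
            continue
        src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
        if dst_in and not src_in and rec["action"] == "ACCEPT":
            # A public address got through to a PHI interface: the boundary control failed.
            inbound_from_public.append((rec["eni"], str(rec["src"]), rec["dstport"]))
        elif src_in and not dst_in:
            # Flows that leave via a NAT gateway still show the real public destination here.
            if rec["action"] == "REJECT":
                rejected_egress[(rec["eni"], str(rec["dst"]))] += 1
            elif not any(rec["dst"] in net for net in allowlist):
                unexpected_egress.append((rec["eni"], str(rec["dst"]), rec["dstport"]))
    return {
        "inbound_from_public": inbound_from_public,
        "unexpected_egress": unexpected_egress,
        "rejected_egress": dict(rejected_egress),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FLOW_LOG).items():
        print(key, value)
```

On the sample this flags one accepted inbound flow from a public address to the app tier on port 8080, one accepted egress to a destination outside the allowlist, and one rejected egress attempt from the database tier; the rejected inbound SSH probe and the load balancer's public traffic are not findings. REJECT records at this layer reflect security group and network ACL decisions only, which is why the egress section relies on the firewall's own logs for blocked-egress evidence. The same three questions translate directly into the documented Athena query over the S3 flow log table.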

The pattern across all of these: a HIPAA-grade network architecture is one where you can draw the PHI data flow diagram and every arrow stays inside the AWS private network or terminates at an authenticated, BAA-covered endpoint. If any arrow crosses through 0.0.0.0/0, you have a control narrative problem before you have a technical one. The architecture choices you make at the VPC layer determine whether your CC6.6, CC6.7, and HIPAA §164.312 evidence packages take an hour to assemble or three weeks.

If your VPC was set up before HIPAA was a serious concern and you've been bolting controls on top of it, the 2-week Transivone audit includes a network architecture review with a remediation roadmap — what to keep, what to re-architect, and what auditors will flag in the order they'll flag it.

— Manan
