The trouble with HIPAA requirements is that they're not clearly defined and are open to a variety of interpretations.

Our experts advise a safe, CYA approach and mandate a BAA agreement is in place with every partner touching sensitive patient data, even if encrypted and protected on multiple levels. Thus far Amazon is not accommodating to such a request.

Other's have their own opinions and, in the end, we all weigh the risks vs rewards (including Amazon itself - I'm sure they've plenty of reasons of operating in their present gray area).

I worked for a major hospital once and they were all about the CYA agreements. The funny thing was the HIPPA is more a state of mind, not a 100 point punch list. So you're really just practicing CYA more than anything else.

I don't believe you need to be a US government organization to use the GovCloud region. I think you just have to be a US corporation or person and pay through the nose. It's only available directly via signing an actual contract, not a la carte like normal AWS services.

As of March 2013 (two years past those publish dates), Amazon has still not agreed to the legal "Business Associate Agreement" provisions of HIPPA that would permit you to use their services to store Protected Health Information. They said they are considering it, but this has been the status for quite some time. Rackspace, on the other hand, has agreed (for a surcharge).