Amazon Nova Act gains HIPAA eligibility for healthcare workflows

According to an AWS blog post, Amazon Nova Act now qualifies as a HIPAA eligible service, allowing customers to deploy autonomous, browser-based AI agents in workflows that may touch electronically protected health information (ePHI) (AWS blog: "Amazon Nova Act is now HIPAA eligible"). The AWS post describes Nova Act as an AWS service to build and manage fleets of AI agents that can navigate websites, fill forms, extract information, execute multi-step UI workflows, integrate with external tools via API calls, and escalate to a human supervisor when appropriate (AWS blog).

Per the AWS technical guidance on HIPAA and generative AI, the company places HIPAA-eligible services into a shared responsibility model: AWS manages the security of the underlying infrastructure while customers remain responsible for configuring controls to meet HIPAA obligations in their deployments (AWS blog: "HIPAA compliance for generative AI solutions on AWS"). The Nova Act announcement specifically lists healthcare tasks enabled by HIPAA eligibility, including appointment scheduling, insurance verification, prior authorization, claim status checks, appeals, reimbursement tracking, and referral coordination across provider and payer portals (AWS blog).

Agentic AI systems that interact with live systems, control browsers, and exchange data with external services introduce operational risk vectors beyond text-only models, including credential handling, session management, and unintended data exfiltration. Companies building analogous automation pipelines generally invest in hardened secrets management, strict network controls, and extensive end-to-end logging to provide audit trails for regulated data flows. For practitioners working with ePHI, those standard controls are typically necessary to map an agentic deployment into HIPAA-compliant operations.

AWS enabling HIPAA eligibility for an agentic automation product lowers a compliance barrier for HCLS teams that consider browser-level task automation, because it clarifies which parts of the stack AWS treats as HIPAA eligible and which parts remain customer responsibilities. This matters for vendors and integrators who automate interactions across payer and provider portals, since those workflows frequently surface PHI and require documented safeguards.

For practitioners: monitor the specific contract and configuration artifacts AWS provides for Nova Act HIPAA eligibility, including contractual terms, supported networking options (private endpoints, VPC controls), audit logging, and integration patterns for secrets and identity. Also watch for third-party security assessments, SOC reports, and any service card updates that change the stated scope of HIPAA eligibility or recommended controls (AWS AI Service Cards documentation references and the Nova Sonic service card).