OIDC trust scope, self-hosted runner discipline, reusable workflows as the compliance contract.
Most "GitHub Actions for HIPAA" content reads like generic CI security with HIPAA labels pasted on top. This one is platform-specific.
A healthcare SaaS team I worked with earlier this year had six weeks to make their GitHub Actions pipeline audit-ready. They were a clinical workflow platform on AWS, four squads, roughly 90 active workflow files spread across a primary application repo and three sibling repos for infrastructure, data, and integrations. They had passed SOC 2 Type II the prior year. They had just closed their first hospital system contract and the BAA addendum had landed on engineering with a familiar one-line note from legal: "should be fine."
It wasn't fine. Their GitHub Actions pipeline was clean by SOC 2 standards. By HIPAA standards, an auditor could ask three questions that the pipeline couldn't answer in seconds: Which named human approved this production deploy? Which signing key produced the artifact running in the prod cluster? What happens if a critical CVE shows up during a deploy? None of those answers were structurally encoded in the workflows. They were tribal knowledge spread across Slack and a shared Notion page.
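To make the gap concrete, here is a reusable deploy workflow, written as an added example for this post rather than taken from the team described above, in which each of the three audit questions is answered by the workflow file itself rather than by Slack history. The org name, repository name, registry, AWS role ARN and environment name are placeholders; the action references are real, but the `@master` pin is a stand-in for the commit SHA you would pin in practice.

```yaml
# Added example, not the team's own workflow. Reusable production deploy that encodes
# the three audit answers: who approved, which identity signed, what a critical CVE does.
name: reusable-prod-deploy

on:
  workflow_call:
    inputs:
      image:
        description: "Immutable image reference, registry/repo@sha256:... (tags are not accepted)"
        required: true
        type: string

# Least privilege for the whole call; the caller must grant at least this much.
permissions:
  contents: read
  id-token: write   # OIDC token: keyless cosign signing and AWS role assumption, no long-lived secrets
  packages: read

jobs:
  gate:
    # Question 3: a CRITICAL CVE fails this job, and 'needs:' below means nothing
    # downstream runs and no approval is ever requested for a vulnerable artifact.
    runs-on: ubuntu-latest
    steps:
      - name: Scan image for unfixed CRITICAL vulnerabilities
        uses: aquasecurity/trivy-action@master   # placeholder ref: pin to a reviewed commit SHA
        with:
          image-ref: ${{ inputs.image }}
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'

  sign:
    # Question 2: keyless signing binds the signature to this repo, workflow and ref.
    # The Fulcio certificate recorded in Rekor is the "signing key" the auditor asks about.
    needs: gate
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@main     # placeholder ref: pin to a commit SHA
      - name: Sign the image with this workflow's OIDC identity
        run: cosign sign --yes "${{ inputs.image }}"

  deploy:
    needs: sign
    # Self-hosted runner discipline: a dedicated, labelled pool; shared runners never reach prod.
    runs-on: [self-hosted, prod]
    # Question 1: 'production' carries a required-reviewers protection rule (repo/org settings),
    # so the run cannot proceed until a named human approves, and that approval is in the run log.
    environment:
      name: production
      url: https://app.example-org.invalid   # placeholder
    steps:
      - uses: sigstore/cosign-installer@main   # placeholder ref: pin to a commit SHA
      - name: Verify the signature before anything touches the cluster
        run: |
          cosign verify "${{ inputs.image }}" \
            --certificate-identity-regexp '^https://github.com/example-org/clinical-platform/' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com
      - name: Assume the deploy role via OIDC (trust policy scoped to this repo and environment)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-prod-deploy   # placeholder
          aws-region: us-east-1
      - name: Deploy
        run: ./scripts/deploy.sh "${{ inputs.image }}"   # placeholder script
```

Two things make this a contract rather than a suggestion. First, the required-reviewers rule lives on the `production` environment, not in the YAML, so a caller cannot remove it by editing the workflow; the reviewer's identity is recorded against the deployment and is retrievable from the run log and the deployments API. Second, because the gate, sign and deploy jobs are chained with `needs:`, a caller of this reusable workflow gets all three or nothing, and the AWS role's trust policy should be scoped to the `sub` claim for this repository and environment so the role is unusable from any other workflow.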