AWS makes Nova Act HIPAA eligible as agents move into regulated workflows
Amazon has moved Nova Act closer to real production use in regulated organizations. In a new AWS post, the company says Nova Act is now HIPAA eligible. That means U.S. healthcare and life sciences organizations with a signed AWS Business Associate Addendum can use the service in workflows that may involve electronic protected health information.
That may sound narrow. It is not. The important point is that agents are no longer only chat windows next to the business. Nova Act is built to perform browser work: navigating websites, filling forms, extracting information, calling APIs and completing multi-step workflows. AWS points to appointment scheduling, insurance verification, prior authorization, claim-status checks, appeals, reimbursement tracking, referrals and compliance reporting as possible healthcare use cases.
For European and Norwegian leaders, the point is not that HIPAA becomes their law. It does not. The point is that hyperscalers are now packaging agentic systems for industries where mistakes, data leakage and weak auditability have direct consequences. That is exactly where healthcare providers, insurers, banks and the public sector will meet agents first.
From chatbot to operator
Nova Act is different from a standard generative AI service because it can act in user interfaces. It can open portals, complete fields, read status and move to the next step. AWS says the service can escalate to a human supervisor when appropriate, and that it integrates with external tools through API calls, Model Context Protocol and agent frameworks such as Strands Agents.
This is where governance becomes operational. An agent that only drafts a suggestion is a knowledge tool. An agent that submits a form, changes a claim, requests reimbursement or retrieves patient information is an operational actor. It must be treated as an identity with access, not as a clever prompt.
AWS also makes the responsibility split clear. The company says it manages the security of the underlying infrastructure, while customers remain responsible for configuring controls to meet their own compliance obligations. In other words, a HIPAA-eligible service does not make the workflow compliant by itself. It gives customers a possible framework. The rest sits with the customer.
That is the lesson for CIOs and CISOs. Once agents enter regulated processes, the organization must know which account the agent uses, which systems it reaches, what data it can read, what it can write, when it must stop, and how every step is logged.
The control regime becomes practical
AWS points to several building blocks: the Business Associate Addendum, service-specific security configuration, IAM policies, KMS encryption, CloudTrail logging and architecture review with the AWS Well-Architected Tool. Translated into management decisions, that means five things.
First, agent access must be separated from human access. A browser agent should not inherit an employee's broad permissions without its own policy, its own logging and clear boundaries.
Second, workflows need explicit stop points. An agent can retrieve status and prepare a submission, but some actions should require human approval. That is especially true when the outcome affects a patient, customer, money or legal responsibility.
Third, logs must be audit-ready. It is not enough to know that "the AI did it". The organization must be able to see input, system, action, timestamp, decision rule, supervisor involvement and final result.
Fourth, the organization must own failure handling. What happens when a portal changes layout, when data is missing, when the agent misreads a field, or when an action is technically successful but professionally wrong?
Fifth, vendor governance must be updated. The agent becomes part of the operating chain. Contracts, risk assessments and exit plans must therefore cover more than model quality. They must cover access, data processing, logging, region, subcontractors and liability when something fails.
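The first four points above (a separate agent identity with its own scope, explicit stop points, audit-ready logs, and owned failure handling) can be expressed as a small policy gate in front of every action the agent wants to take. The following is an added example written for this article, not AWS or Nova Act code; the principal name, the portal names, the decision-rule strings and the sample actions are constructed placeholders. It shows one way to decide whether a step is allowed, denied, halted for missing data, or parked for human approval, and emits one audit record per decision that names the rule applied and the supervisor involved without writing the underlying field values into the log.

```python
"""Policy gate and audit record for a browser agent in a regulated workflow.

Added example (not AWS or Nova Act code). Identities, systems and decision
rules below are constructed placeholders. It demonstrates: an agent identity
scoped independently of any employee, stop points that require a named human
approver for consequential writes, halting on missing input instead of
guessing, and audit records with input, system, action, timestamp, decision
rule, supervisor involvement and result.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Outcomes that require a human before the agent may act (stop points).
SENSITIVE_IMPACT = frozenset({"patient", "money", "legal"})


@dataclass(frozen=True)
class AgentIdentity:
    """The agent's own principal, scoped independently of any employee."""
    principal: str               # e.g. a dedicated IAM role name (constructed)
    systems: frozenset[str]      # portals / APIs this identity may touch
    may_write: bool              # may it submit or modify anything at all?


@dataclass(frozen=True)
class Action:
    system: str
    operation: str                          # "read" or "write"
    description: str
    impact: frozenset[str] = frozenset()    # subset of SENSITIVE_IMPACT
    required_fields: tuple[str, ...] = ()   # input the step cannot proceed without


@dataclass
class AuditRecord:
    timestamp: str
    principal: str
    system: str
    action: str
    input_summary: dict          # field presence only: no ePHI values in the log
    decision_rule: str
    supervisor: str | None
    result: str                  # allowed | denied | needs_approval | halted

    def to_json(self) -> str:
        return json.dumps(self.__dict__, sort_keys=True)


def evaluate(agent: AgentIdentity, action: Action, data: dict,
             approved_by: str | None = None) -> AuditRecord:
    """Decide whether `agent` may perform `action` on `data` and record why."""
    ts = datetime.now(timezone.utc).isoformat()
    summary = {f: ("present" if data.get(f) else "missing")
               for f in action.required_fields}

    def record(rule: str, result: str) -> AuditRecord:
        return AuditRecord(ts, agent.principal, action.system,
                           action.description, summary, rule, approved_by, result)

    # 1. Scope comes from the agent's own policy, never an inherited employee permission.
    if action.system not in agent.systems:
        return record("system-not-in-agent-scope", "denied")
    if action.operation == "write" and not agent.may_write:
        return record("agent-identity-is-read-only", "denied")

    # 4. Failure handling: missing input halts the step rather than letting the agent guess.
    missing = [f for f in action.required_fields if not data.get(f)]
    if missing:
        return record("missing-required-fields:" + ",".join(missing), "halted")

    # 2. Stop point: writes that affect a patient, money or legal standing need a named approver.
    if action.operation == "write" and action.impact & SENSITIVE_IMPACT:
        if approved_by is None:
            return record("sensitive-write-requires-human-approval", "needs_approval")
        return record("sensitive-write-approved-by-supervisor", "allowed")

    # 3. Every branch above returns an audit record; the happy path is no exception.
    return record("within-scope-no-approval-needed", "allowed")


if __name__ == "__main__":
    # Constructed sample: a claims agent allowed only on a payer portal.
    agent = AgentIdentity("claims-agent-role", frozenset({"payer-portal"}), True)
    status = Action("payer-portal", "read", "check claim status", required_fields=("claim_id",))
    appeal = Action("payer-portal", "write", "submit appeal",
                    frozenset({"money", "legal"}), ("claim_id", "reason"))
    for rec in (evaluate(agent, status, {"claim_id": "C-1"}),
                evaluate(agent, appeal, {"claim_id": "C-1", "reason": "coding error"}),
                evaluate(agent, appeal, {"claim_id": "C-1", "reason": "coding error"},
                         approved_by="supervisor-jane"),
                evaluate(agent, appeal, {"claim_id": "C-1"})):
        print(rec.to_json())
```

The gate returns a record on every path, so the log is complete whether the step ran or not, and the record stores only whether each required field was present rather than its value, which keeps the audit trail usable without turning it into another copy of protected data.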
Why this matters now
Healthcare is a useful test case because processes are heavy, documentation requirements are high and manual friction is expensive. But the pattern is broader. The same move will come in insurance, finance, procurement, HR, case handling and customer operations.
Agents will first take the dull work nobody wants to own: portals, forms, reconciliation, status checks, reporting and follow-up. That is exactly why they are strategically important. These tasks often sit between systems, departments and vendors. That is where control tends to break if the technology is introduced as a pilot without an operating model.
AWS' announcement is therefore more than a product update. It shows the agent market moving from demo to regulated operations. For leaders, the question is no longer whether agents can do work. The question is who is allowed to let them do work on behalf of the organization.
That should be decided before the first agent gets production access. Afterwards, the clean-up gets expensive.
Sources and media
Primary source: AWS, "Amazon Nova Act is now HIPAA eligible", published May 21, 2026: https://aws.amazon.com/blogs/machine-learning/amazon-nova-act-is-now-hipaa-eligible/
Source credit: AWS / Amazon Web Services.
Thumbnail: OpenAI Image 2 / hogby.ai.