While Amazon offers a business associate agreement ("BAA"), our legal review found it to be unacceptable -- the BAA we were privately provided last year significantly deviates from the standard language recommended by the U.S. Department of Health and Human Services [1].
Notably, Rackspace's BAA is public [2] (I'm not associated with Rackspace) and reasonably supports the standard language (I am not a lawyer).
In particular, Amazon's agreement included: A clause that puts all of the burden for securing data on the CE. No terms outlining how the BA would respond to breaches of unsecured PHI. Lack of specification about the BA’s level of access to PHI. A non-disclosure clause.
Notably, Rackspace's BAA is public [2] (I'm not associated with Rackspace) and reasonably supports the standard language (I am not a lawyer).
[1] http://www.hhs.gov/ocr/privacy/hipaa/understanding/covereden... [2] http://www.rackspace.com/en-us/information/legal/hipaabaa