Is AWS HIPAA Compliant? Yes, but...

| Author , tagged in aws, hipaa
Cloudticity, L.L.C.

Healthcare providers, payers, and technology partners are moving to the cloud in greater numbers than ever before. Cloud migration gives organizations within the healthcare industry better reliability, scalability, and security in ways that were never before possible.

While it is clear that a move to the cloud is one that most organizations should make, technical safeguards need to be put in place to ensure compliance with HIPAA rules.

Simply choosing a cloud provider with a great reputation for security and reliability isn’t enough. There are several other tasks that must be undertaken before ensuring full HIPAA compliance.

With several good choices in major cloud services vendors, the first challenge companies often face is deciding which option is best for them.

Many healthcare organizations are choosing Amazon Web Services (AWS) as their cloud services provider because of its robust feature list and rock-solid reputation.

It’s important to ask: is AWS HIPAA Compliant? The answer is yes, with a caveat. While using AWS Cloud Services certainly can fully meet HIPAA requirements, merely setting up an account and transferring data won’t be compliant.

There are more steps that need to be followed before you can legally transmit protected health information.

In this article, we’ll explain the reasons why HIPPA Compliance on AWS is completely feasible, and tell you how to get there.

The HIPAA Business Associate Agreement

The Health Insurance Portability and Accountability Act, or HIPAA as it is commonly known, was signed into law by President Clinton in 1996. It aimed to provide a way that Americans could take their insurance with them as they changed jobs.

It also dealt extensively with the matter of protecting patient privacy in a standardized way.

The relevant sections of HIPAA regulations deal with “protected health information” (PHI). They apply to medical services providers such as:

  • Doctors
  • Healthcare Clearinghouses
  • Hospitals and clinics
  • Employer-sponsored Health plans
  • Companies that provide health insurance coverage
  • Any other organization that transmits protected health data

All of these various types of service providers are called “covered entities,” meaning that the HIPAA regulations apply to them. What happens when one of these covered entities enters into a relationship with a third party who isn’t ordinarily covered by HIPAA?

This is exactly what happens when they use Amazon Web Services. As a cloud service provider, they aren’t inherently in the business of dealing with personally identifiable health information. However, when they contract with a medical services provider, they provide data storage of PHI.

To solve this problem without requiring AWS to jump through all the regulatory hoops to become a covered entity, they created the “Business Associate Agreement” or BAA. 

The great news is that as a preferred vendor of cloud services to many different healthcare organizations AWS is very familiar with this type of relationship.

They make securing a Business Associate Agreement quite simple. In fact, you can easily manage and sign your BAA within AWS Artifact, their auditing and compliance portal.

Through that portal, you can view, accept the terms and finalize your AWS Business Associate Addendum. By doing so, you have taken the first step on the road to achieving HIPAA compliance on AWS.

Configuration Is Key

If you think that simply signing the AWS BAA makes your company HIPAA compliant, think again. The reality is that the way you build out and configure your AWS services is the key to achieving and maintaining HIPAA compliance.

Setting up a cloud computing service like Amazon Web Services is, obviously, an enormously complex task. It will take multiple team members across all departments to migrate your current storage and computing resources to AWS.

There are thousands of different settings and configurations to be made for everything to work properly. This is where taking advantage of the multiple resources for monitoring overall system functioning is key.

Let’s take a look at some of the most helpful strategies for ensuring HIPAA compliance on AWS.

AWS Compliance Resources

One of the best places to begin the checklist of HIPAA compliance items is through the use of AWS Cloudformation templates. These templates provide a “quick start” to help make sure your cloud architecture is fully HIPAA compliant.

The quick start loads the following configuration into your AWS cloud:

  • Architecture spanning two availability zones
  • Amazon Virtual Private Cloud: 3 VPCs configured according to AWS best practices.
  • The management VPC contains an internet gateway that serves as a centralized egress point for inbound and outbound internet access.
  • The production VPC contains a private subnet for production workloads, and the service delivers flow logs for auditing.
  • The development VPC also contains private subnets for development workloads, as well as flow logs.
  • Logging and auditing are made much easier with Amazon CloudWatch, which monitors metrics and thresholds.
  • Data is protected in transit with AWS site-to-site VPN or AWS Direct Connect.
  • Notifications are easily configured with Amazon Simple Notification Service.
  • Finally, AWS Identity and Access Management provide stringent access control.

While these are a great way to get up and running quickly, there are still more steps to make sure HIPAA compliance is assured.

Technical Controls

It’s ultimately up to healthcare companies to ensure that they have properly configured technical controls that comply with HIPAA regulations. Here are a few examples:

  • Companies that use Amazon Elastic Compute Cloud (EC2) must make sure that any instances they use are on encrypted data volumes.
  • Amazon Simple Storage Service (S3) Buckets that contain private health information must not be publicly accessible.
  • RDS instances need to be backed up.

Build Your System with Logging and Auditing in Mind

A major HIPAA security rule is that you, as a covered entity, must know who has accessed protected health information. As long as you’ve set up AWS access logging, you should have a few issues with maintaining these records.

HIPAA-eligible services are policed by the Office of Civil Rights, which is part of the US Department of Health and Human Services. At any time, they can request logs to see if any inappropriate access has taken place.

Not being able to provide these logs is a serious issue in itself. In addition, a lack of logging means you don’t really don’t know the state of your cloud security. This is why system architecture needs to be built with advanced logging functionality inherent in the design.

CloudWatch

AWS makes this possible with several different tools. The first of these is AWS CloudWatch. This is a sophisticated monitoring system that watches over every single AWS service that is deployed on your system.

It can be configured to send alarms and notifications when certain metrics are reached. What’s even better is that you can configure it to automatically make resource changes in certain circumstances, protecting the integrity of operations.

CloudTrail

AWS CloudTrail is seamlessly integrated with CloudWatch. Every action by a user or service is recorded as an event. Events included in CloudTrail include those in the:

  • AWS Management Console
  • AWS Command Line Interface
  • AWS SDKs
  • AWS APIs

By using CloudTrail, you’ll be able to have a complete, up-to-date picture of all activity. This provides a thorough audit trail in case there are any incidents of data loss or security breaches.

As we’ll discuss later, the major compliance issue comes from tinkering with default AWS settings. CloudWatch and CloudTrail are enabled by default, but all it takes is an error in configuration to render them useless.

However, as long as CloudTrail is enabled, the trails can be delivered to an S3 Bucket for easy and complete viewing in the form of log files. 

Disaster Recovery With AWS

Another major requirement of HIPAA is the ability to quickly and completely recover from a major data loss. These losses can come in many forms. Ransomware attacks, for one, are becoming increasingly common. The healthcare industry is a frequent target of these attacks. 

Using recommended AWS settings is especially important to preserve and protect data. An Amazon resource you can’t afford to be without is AWS Elastic Disaster recovery. There’s an extra charge for this service, but it’s well worth it when your HIPAA compliance is on the line.

AWS Elastic Disaster Recovery allows for easy setup, testing, and instant launch when a failure is detected. Healthcare companies like hospitals are one of the primary use cases for this service.

Compliance Pitfalls with AWS

Every cloud service is slightly different in its structure and specific features. Amazon utilizes its S3 Buckets (Simple Storage Service) as part of its architecture. While this is a great and flexible solution, configuring it incorrectly can lead to major regulatory compliance issues.

In 2021, a COVID-19 testing service stored protected health information of patients in publically accessible S3 buckets which were not even protected with a password. The databases contained scans of insurance cards, drivers licenses, passports and other health related data.

Incorrectly configured Amazon S3 Buckets are one of the most common issues that could cause a company to run afoul of HIPAA compliance. While AWS updated default configurations to include encryption, inadvertent changes to bucket configurations could change this, leaving your company open to serious regulatory issues.

Vigilance in access control is of paramount importance. Continually review who has access to health information and always give the minimum necessary privileges.

What are the Benefits of Using AWS for Healthcare Companies?

There are so many reasons that many health plans, providers, and other HIPAA-covered entities are migrating to the AWS platform. While ensuring compliance in AWS means changing the way companies operate in terms of tools, skills, and processes, most companies are discovering that the benefits are well worth it. Here are just a few of the reasons why.

Efficient Archiving:

Managing patient records is a huge challenge. Each patient encounter generates records, which accumulate throughout their lifetime. These records are subject to multiple levels or regulations determining how long they must be kept. 

AWS Cloud Solutions are the perfect place to archive these digital records. They can be securely backed up and kept as long as necessary without a major dedication of physical space.

Leveraging the Power of the Latest Technological Developments

Machine learning and AI are two of the most powerful technologies to emerge in the last decade. The implications for the healthcare industry are huge.

With AI, for instance, the medical imaging of a patient can be compared to millions of other scans in seconds to provide a more accurate diagnosis. Working together with physicians, patients can expect better outcomes through the use of these new technologies.

Of course, the latest in tech comes with a massive cost. That cost is usually far beyond what even large healthcare organizations can afford. For the largest cloud vendors, however, that type of investment is more feasible.

As a subscriber, you can take advantage of machine learning and AI without the continual investment in computing horsepower.

Scalability

Resource needs for healthcare companies and insurance providers may ebb and flow throughout the year. The problem with self-hosted solutions is that it’s very difficult to scale resources up and down. This leads to wasteful unused resources at some times, and a strain to manage workloads at other times.

With AWS, this isn’t a problem. Data storage can be dialed up or down depending on demand. This is particularly useful when a health crisis like an outbreak occurs.

Final Thoughts: is AWS HIPAA Compliant? It Depends on You!

The one thing to keep in mind as you build out your AWS cloud environment is that it is capable of being HIPAA compliant. Amazon Web Services provides a host of great tools and support to make this a reality.

However, merely signing a contract to use Amazon or any other cloud service provider does not, in itself, make it HIPAA compliant. It’s all in how the services are configured. So the ultimate answer to whether or not AWS is HIPAA compliant or not depends on you, the user.

Get HIPAA Compliant in AWS Today

Ensuring HIPAA compliance in AWS requires configuring your AWS services correctly. Want to learn more about how to get HIPAA compliant in AWS? Download Achieve and Maintain HIPAA Compliance in AWS to learn more today. Or schedule a free consultation to learn how we can help with our managed AWS services

New call-to-action

TAGGED: aws hipaa

Subscribe Today

Get notified with product release updates and industry news.