AWS Security Blog

Frequently Asked Questions About HIPAA Compliance in the AWS Cloud

HIPAA logo

Today, we continue a series of AWS cloud compliance FAQs by focusing on the Health Insurance Portability and Accountability Act (HIPAA) and protected health information (PHI). AWS’s Healthcare and Life Science customers are doing important things for their customers in the AWS cloud, and we are excited to work with our partners to help tackle medical advancements at scale.

In this blog post, I will share some of the broader questions we hear from customers about HIPAA compliance and PHI in the cloud.

First off, what is HIPAA?

HIPAA was passed in 1996 and is designed to make it easier for workers to secure health insurance coverage when they change or lose employment. The legislation also has driven the adoption of electronic health records, through information sharing, to improve the efficiency and quality of the American healthcare system.

Along with increasing the use of electronic medical records, the law includes provisions (included in what are known as Administrative Simplification Rules) to protect the security and privacy of PHI. PHI includes health-related data, from insurance and billing information, to lab results and diagnosis and clinical care data. These HIPAA Rules apply to covered entities—such as hospitals, medical services providers, employer-sponsored health plans, research facilities, and insurance companies—that deal directly with patients and patient data. The law and the regulations that implement the law also are extended to business associates of covered entities. AWS customers looking to create, receive, maintain, or transmit PHI should sign an AWS Business Associate Agreement (BAA).

And what is HITECH?

In 2009, HIPAA was expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is Title XIII of the American Recovery and Reinvestment Act. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. These standards affect the use and disclosure of PHI by covered entities and their business associates. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

If you would like to read more about HIPAA and HITECH, see HIPAA Compliance on the AWS Compliance website. You can also go to Health Information Privacy on the U.S. Department of Health and Human Services website.

You mentioned the AWS Business Associate Agreement previously. What is it?

HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard PHI. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. AWS refers to these contracts as the Business Associate Agreement.

A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

After I sign an AWS BAA, am I then HIPAA compliant in the cloud?

Because it is a set of federal regulations, a certification is not available for HIPAA. However, you can maintain compliance with these HIPAA regulations through your own due diligence while using cloud tools. This approach is called the Shared Responsibility Model. In summary, you retain control of what security you choose to implement to protect your content, platform, applications, system, and networks—no differently than if you were hosting data in your own data center.

AWS Shared Responsibility Model

What happens if I fail to comply with HIPAA regulations?

Besides possibly losing the trust of your customers and exposing your organization to legal action, there are criminal and civil penalties that could include, to quote the American Medical Association, “fines of $250,000, and imprisonment for up to ten years.”

I am interested in signing a BAA and meeting my HIPAA obligations while using the cloud. Can you give me some examples of current AWS customers that are complying with HIPAA regulations in the cloud?

The following AWS customers are just some of the customers that comply with HIPAA in the cloud, all while doing innovative work on behalf of patients:

  • Arterys built its imaging solution on AWS to take advantage of graphic-optimized G2 Amazon EC2 instances. Arterys can now render MRI scans in 10 minutes (the industry standard is 90 minutes) while still making sure its platform meets HIPAA compliance requirements.
  • Change Healthcare uses AWS services such as EC2, Amazon Simple Storage Service (S3), Amazon Simple Queue Service (SQS), and Amazon Simple Notification Service (SNS) to handle millions of confidential transactions daily from its clients—all while maintaining full compliance with healthcare industry regulations, including HIPAA.
  • Kit Check helps hospital pharmacies improve operational efficiency, patient safety, and medication visibility by providing automated drug-tracking solutions. They started with EC2 and Amazon Relational Database Service (Amazon RDS) to launch the Kit Check product, and slowly added additional AWS services as their customer base grew to more than 200 hospitals. Kit Check is also using Amazon RDS to manage information about more than 6 million tagged drugs.
  • Orion Health works with AWS Partner Network (APN) Consulting Partner, Logicworks, and uses AWS services to build Cal INDEX, one of the largest health information exchanges in the U.S.
  • Oscar Insurance built its new HIPAA-compliant health insurance platform and analytics solution on AWS in just three months.

What are AWS’s HIPAA Eligible Services?

After you have contacted us and have a signed AWS Business Associate Agreement in place, the services that are shown on HIPAA Eligible Services Reference fall into scope for PHI, as defined by HIPAA.

In the next HIPAA FAQ, I will take a deeper look at some of the specific service and technology questions AWS customers have about maintaining compliance in the AWS Cloud. If you have questions about AWS compliance and HIPAA, contact us.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.