HIPAA compliance is a key concern for healthcare, insurance and pharmaceutical providers when they move to the...
cloud. AWS helps these companies ensure compliance with HIPAA-eligible services that provide the underlying framework required to address HIPAA requirements. But true HIPAA compliance requires the thoughtful direction of legal and IT teams to customize these services.
The Health Insurance Portability and Accountability Act refers to a broad set of laws, and for enterprises to which those laws apply, it is their responsibility to comply.
To support customers' HIPAA compliance efforts, AWS provides certain services that have undergone a security review and are approved for use with HIPAA workloads. Before you use these HIPAA-eligible services, here are a few things to note.
Compliance is an outcome, not a feature
Compliance with any standard, including HIPAA, depends on several factors, many of which are outside of AWS' control. For example, a HIPAA-compliant enterprise must implement a series of safeguards to adequately protect the integrity and availability of protected health information (PHI). Every enterprise is different, so legal and IT teams must decide which safeguards make sense for each particular case.
Enterprises can use HIPAA-eligible services to build applications on AWS that store, process and transmit PHI. These apps differ depending on the enterprise's unique business and HIPAA compliance goals. But an enterprise's overall HIPAA compliance depends on more than just how it uses AWS. This means that there's no guarantee that these apps will be HIPAA-compliant just because they use HIPAA-eligible services.
AWS security and compliance experts should conduct stringent security reviews and approval processes to vet HIPAA-eligible services. This process ensures that these services enable enterprises to comply with AWS Business Associate Addendum (BAA) obligations. For example, the enterprise needs to encrypt PHI in transit and at rest, only designate HIPAA accounts for PHI and enable audit logging tools to track all uses and disclosures of PHI. These processes align with the security and review approval processes mandated by the Federal Risk and Authorization Management Program and the National Institute of Standards and Technology 800-66 standard, which maps to the HIPAA Security Rule.
Enterprises must also do the legwork to configure and use those services in a HIPAA-complaint manner. AWS' white paper, "Architecting for HIPAA Security and Compliance on Amazon Web Services," describes the recommended best practices that enterprises should follow for each HIPAA-eligible service. Enterprises also need to sign an AWS BAA before they use HIPAA-eligible services to process or store PHI.
Specific uses for HIPAA-eligible services
Healthcare and life sciences enterprises can use these cloud services to perform a variety of functions, such as processing data to manage confidential patient transactions, tracking inventories and supporting medical and life sciences websites and applications.
For example, Orion Health uses AWS to manage millions of patient records in a HIPAA-compliant environment. This helped the country build one of the largest health information exchanges in the U.S. Philips uses AWS to build a database that handles and processes millions of documents of patient data -- medical records, imaging studies and more -- that grows at a rate of one petabyte per month. And Flatiron Health uses AWS to connect researchers and doctors from more than 250 cancer centers and academic institutions, which enables them to share and analyze patient data in their HIPAA-compliant environments.