Solving HIPAA Compliance for AWS
Innovative health technologies, changing customer expectations, the shift from volume to value, and other factors are now molding the new healthcare landscape where the usual ways of providing healthcare services — siloed and static — are no longer enough. The need for healthcare transformation is further amplified by new entrants that question the status quo of healthcare incumbents.
To stay competitive in this new health economy, healthcare organizations are embracing digital technologies, and cloud is one of them. From increased computational capabilities to faster time-to-decision to lower costs, healthcare providers recognize the many advantages of modern cloud-native solutions.
When moving to the cloud, healthcare organizations, however, face a common concern – HIPAA compliance.
What is HIPAA
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is the US federal law that sets the baseline for protecting patient information. Two of its rules matter most here. The HIPAA Privacy Rule defines protected health information (PHI) and limits how it may be used and disclosed. The HIPAA Security Rule prescribes administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of PHI held in electronic form (ePHI).
HIPAA applies primarily to covered entities, but because most of them rely on business associates to process and store ePHI, business associates are also directly responsible for complying with the Security Rule and with the relevant parts of the Privacy Rule. To clarify:
- Electronic protected health information (ePHI) is PHI that is created, received, stored or transmitted in electronic form. PHI is more than a medical record: it is any individually identifiable health information, and the identifiers that make it identifiable include items such as a name, address, date of birth or full-face photograph.
- A covered entity is a healthcare provider, health plan or healthcare clearinghouse that electronically transmits health information in connection with standard transactions such as claims, payment and remittance advice, eligibility checks and claim status inquiries.
- A business associate is a person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity (or of another business associate), for example a billing service, a SaaS vendor or a cloud provider.
- A business associate agreement (BAA) is the contract between a covered entity and a business associate that sets out each party's responsibilities and obligations with regard to PHI.
Is AWS HIPAA-compliant?
Amazon Web Services (AWS) is a comprehensive public cloud platform with a broad service catalogue and a continuously growing customer base. The platform's flexibility and scalability make it a top choice for healthcare organizations that seek cost-effective and robust IT infrastructure for healthcare solutions.
Under HIPAA, a cloud service provider that stores or processes ePHI is a business associate even if it never reads the data and the data is encrypted, so it must comply with the applicable provisions of the Privacy and Security Rules. AWS will sign a BAA with a customer (it is accepted through AWS Artifact), which allows healthcare workloads containing ePHI to run on AWS. The BAA covers only HIPAA-eligible services: ePHI may be stored or processed only in services on the AWS HIPAA Eligible Services list, and it is the customer's job to keep ePHI out of the others.
A common misconception is that hosting a solution on AWS makes Amazon responsible for compliance. In fact HIPAA compliance on AWS follows the shared responsibility model: AWS is responsible for security of the cloud (the physical data centers, hardware and the underlying infrastructure of its services), while the customer is responsible for security in the cloud, that is, for configuring and using the chosen services correctly. A single misconfiguration, such as a publicly readable storage bucket or an unencrypted database, can expose patient data and lead to a reportable breach and penalties.
Therefore, to build a cloud-native healthcare solution, you need a comprehensive approach, one that is grounded in cloud best practices.
How to build a HIPAA-compliant solution on AWS
End-to-end ePHI encryption
The Security Rule lists encryption as an "addressable" implementation specification, but the AWS BAA makes it mandatory: ePHI must be encrypted in transit and at rest, and AWS provides the building blocks. AWS Key Management Service (KMS) creates and controls the keys used by services such as S3, EBS and RDS; a customer managed key with a restrictive key policy lets you decide exactly which principals may use the key, and every use is recorded in CloudTrail, which makes encryption both manageable and auditable. AWS Certificate Manager (ACM) provisions and renews the TLS certificates used by load balancers, CloudFront and API Gateway, so connections carrying ePHI terminate with TLS. In practice this means enabling default SSE-KMS encryption on every bucket and volume that holds ePHI and refusing plaintext connections at the service boundary.
Access and authorization management
HIPAA requires access controls so that only authorized users and processes can reach ePHI, and centralized identity management makes those controls auditable. AWS Identity and Access Management (IAM) lets you define roles and least-privilege policies, give applications temporary credentials instead of long-lived access keys, and review who is entitled to what over the whole lifecycle of each identity. For an additional layer, AWS supports Multi-Factor Authentication (MFA), and IAM policies can require it, so a stolen password alone is not enough to reach patient data.
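The two controls above (encryption enforced at the storage boundary, and MFA enforced in IAM) are usually expressed as policy documents. The following is an added example, not code from the original page or from AWS: it builds an S3 bucket policy that denies plaintext connections and uploads that are not SSE-KMS, an IAM identity policy that denies any action when MFA is absent, and a deliberately simplified evaluator that shows how the condition operators behave on sample request contexts. The bucket name, the object key and the request contexts are assumptions.

```python
"""Policies for an ePHI bucket, plus a simplified model of how IAM evaluates them.

Added example, not from the page. The policies use the condition keys AWS
documents for these controls (aws:SecureTransport, s3:x-amz-server-side-encryption,
aws:MultiFactorAuthPresent); the evaluator models only the operators used here
and is a teaching aid, not AWS's policy engine. Bucket and object names are assumed."""
import json
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-phi-bucket"  # assumed bucket name


def phi_bucket_policy(bucket_arn):
    """Deny plaintext transport and any upload that is not SSE-KMS. Two statements
    cover the header: StringNotEquals handles a wrong value, Null a missing one."""
    objects = bucket_arn + "/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, objects],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}


def phi_user_policy(bucket_arn):
    """Least-privilege object access, denied outright when MFA is absent. BoolIfExists
    treats a missing aws:MultiFactorAuthPresent (e.g. long-lived access keys) as false."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowPhiObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": bucket_arn + "/*"},
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, ctx):
    present = key in ctx
    if operator == "Null":                      # "true" means the key must be absent
        return present != (expected == "true")
    if not present:                             # simplified: a missing key only matches ...IfExists
        return operator.endswith("IfExists")
    actual = str(ctx[key])
    base = operator.replace("IfExists", "")
    if base == "Bool":
        return actual.lower() == expected.lower()
    if base == "StringNotEquals":
        return actual != expected
    raise ValueError("operator not modelled: " + operator)


def _applies(stmt, action, resource, ctx):
    """A statement applies when action, resource and every condition match."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())


def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins; otherwise some statement must Allow; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


POLICIES = [phi_bucket_policy(BUCKET_ARN), phi_user_policy(BUCKET_ARN)]
OBJECT = BUCKET_ARN + "/records/patient-1234.json"  # constructed object key


def check(action, ctx):
    """Evaluate one constructed request context against both policies."""
    return evaluate(POLICIES, action, OBJECT, ctx)


if __name__ == "__main__":
    print(json.dumps(phi_bucket_policy(BUCKET_ARN), indent=2))
    print(check("s3:PutObject", {"aws:SecureTransport": True, "aws:MultiFactorAuthPresent": True}))
```

The evaluator reproduces only the deny-overrides rule and the few operators these two policies use; to test real policies against your own account, use the IAM policy simulator or IAM Access Analyzer rather than this model.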
Continuous logging and monitoring
The Security Rule's audit controls require recording and examining activity in systems that contain ePHI, so that unauthorized or anomalous access can be found. AWS offers a mix of services for this. AWS CloudTrail records the API calls made in the account (management events by default; data events such as S3 object reads and writes must be enabled explicitly) and should deliver its logs to a dedicated, write-protected bucket with log file validation enabled, so the audit trail itself cannot be silently altered. AWS Config records the configuration of resources over time and can continuously evaluate rules, for example flagging an unencrypted volume or a bucket without default encryption. Amazon CloudWatch collects metrics and logs in one place and can raise alarms on patterns such as failed logins or changes to the logging configuration.
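The monitoring services above collect the records; the value comes from what you look for in them. The following is an added example, not code from the original page or from AWS: it scans a constructed CloudTrail log delivery for events an ePHI environment should alert on (console logins without MFA, use of root credentials, changes that weaken logging, key or bucket controls, and repeated AccessDenied responses from one identity). The sample records, the list of high-risk event names and the threshold are this example's assumptions; in production the same logic would run on the CloudTrail files delivered to S3 or on EventBridge events.

```python
"""Scan CloudTrail records for events an ePHI environment should alert on.

Added example, not from the page. The records below are constructed, but use
the field names CloudTrail emits (eventName, eventSource, eventTime, userIdentity,
errorCode, responseElements, additionalEventData.MFAUsed). The event lists,
threshold and severities are this example's assumptions, not an AWS-defined set."""
import json
from collections import Counter

# Management events that weaken logging, key or bucket controls: alert on any occurrence.
HIGH_RISK_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
    "s3.amazonaws.com": {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketEncryption",
                         "DeleteBucketPolicy", "PutBucketPublicAccessBlock"},
}
ACCESS_DENIED_THRESHOLD = 3  # assumed: this many denials from one identity looks like probing


def actor(record):
    """Best available identifier for the principal behind a record."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def analyze(records):
    """Return (severity, description, actor, eventTime) findings for a list of records."""
    findings = []
    denied = Counter()
    for rec in records:
        name, source = rec.get("eventName"), rec.get("eventSource")
        who, when = actor(rec), rec.get("eventTime")
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("HIGH", "console login without MFA", who, when))
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("HIGH", f"root credentials used for {name}", who, when))
        if name in HIGH_RISK_EVENTS.get(source, ()):
            findings.append(("HIGH", f"control change: {name}", who, when))
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            findings.append(("MEDIUM", f"{count} AccessDenied responses", who, None))
    return findings


def severity_counts(findings):
    """Number of findings per severity label."""
    return Counter(sev for sev, *_ in findings)


# Constructed sample delivery, shaped like a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-03-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-03-01T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
] + [
    {"eventTime": f"2024-03-01T09:0{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/analyst/carol"}}
    for i in range(3)
] + [
    {"eventTime": "2024-03-01T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ingest/ehr-app"}},
]})


def findings_for_sample():
    """Run the scan over the constructed delivery above."""
    return analyze(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for sev, what, who, when in findings_for_sample():
        print(sev, when, who, what, sep="  ")
```

The ordinary PutObject and the MFA-backed login produce no finding, which is the point of the exercise: an alert list that is short enough to be read every day is what turns "we keep logs" into the examination of activity the audit-controls standard actually asks for.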
Disaster recovery plan
The Security Rule's contingency plan standard requires a data backup plan, a disaster recovery plan and an emergency mode operation plan, so that ePHI stays protected and available during an outage or incident. Amazon S3 is a HIPAA-eligible storage service designed for 99.999999999% (11 nines) durability, storing data redundantly across multiple Availability Zones, and it supports server-side encryption and fine-grained access control. Durability is not the same as a backup, though: it protects against hardware failure, not against accidental or malicious deletion. A recovery plan built on S3 should therefore enable versioning (and Object Lock where immutable copies are needed), replicate to a bucket in a second Region, and be tested regularly by actually restoring data.
HIPAA compliance is a shared responsibility
As digital transformation in healthcare accelerates, many providers are using cloud computing to reduce costs while improving accessibility and eliminating data silos. Amazon has made significant strides in aligning AWS services with HIPAA requirements, and a growing list of HIPAA-eligible services lets healthcare organizations migrate to AWS and see business benefits quickly. But HIPAA compliance remains a shared responsibility. AWS secures the underlying infrastructure and will sign a BAA; it is up to healthcare institutions and practices to use AWS in a secure and compliant way by implementing the necessary safeguards: end-to-end encryption, IAM and MFA, configuration management, logging and auditing controls, and a tested backup and recovery plan, among other things.