HIPAA and HITRUST on AWS
By Chris Whalley, APN Compliance Program Leader at AWS
The reasons customers continue choosing the AWS Cloud are many: agility, security, control, and cost are just some we hear from customers large and small. The reasons healthcare organizations are choosing the AWS Cloud are no different and, since launching our Business Associate Addendum in 2013, security and control have been at the top of the list for our healthcare customers when managing their HIPAA and HITRUST compliance requirements.
What is HIPAA?
Passed in 1996, the U.S. Health Insurance Portability and Accountability Act (HIPAA) was designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs while also driving the adoption of electronic health records to improve the efficiency and quality of the American healthcare system through information sharing. Additionally, HIPAA includes provisions to protect the security and privacy of Protected Health Information (PHI) across a wide range of personally identifiable health and health-related data. Learn more about HIPAA on AWS >>
What is HITRUST?
The Health Information Trust Alliance (HITRUST) is a standards development organization that develops and maintains a healthcare compliance framework called the HITRUST Common Security Framework (CSF). In HITRUST’s own words, the CSF is “a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework.” The HITRUST CSF is designed to unify security controls from federal law, such as HIPAA, state law, and non-governmental frameworks, like PCI-DSS, into a single framework tailored towards use in the healthcare industry. \
Due to the nature of HITRUST, including protection of Personally Identifiable Information (PII) and cardholder information, an increasing number of AWS customers, especially those that are healthcare payers, are achieving compliance with HITRUST CSF while using the AWS Cloud.
To become HITRUST certified, organizations typically follow a 5-step process similar to the following:
- Leverage the HITRUST CSF assessment tool to identify applicable HITRUST Controls
- Determine controls related to AWS services per the AWS Shared Responsibility Model and compliance policies
- Complete HITRUST CSF assessment and engage a third-party HITRUST auditor to test controls
- Organization and auditor both submit their assessment to HITRUST for review via the MyCSF Portal
- Achieve HITRUST certification
How Does AWS Help?
AWS employs a Shared Responsibility Model for security and compliance. This means that AWS manages security of the Cloud and its underlying infrastructure, while security in the Cloud is the responsibility of the customer. Customers have a broad range of controls they can implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter. In the context of compliance, this means AWS offers customers compliance-ready infrastructure and provides tools and services customers can use to be compliant on the AWS Cloud.
To help customers with their HIPAA and/or HITRUST compliance, AWS provides access to a suite of both AWS-native tools and services designed for use by customers to secure their workloads and encrypt and obfuscate PHI. Customers can also connect with APN Partners, in particular AWS Healthcare and Life Sciences Competency Partners, with tools and services that can help them manage their compliance requirements. AWS offers customers who need a business associate agreement under HIPAA a standard Business Associate Addendum (BAA) to the AWS Customer Agreement, which takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.
The BAA provides a clear list of HIPAA-eligible services, examples including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Redshift, and Amazon Elastic MapReduce (Amazon EMR), that customers can use to process, store, and transmit PHI under the BAA. You can learn more about how to architect for HIPAA compliance on the AWS Cloud here.
APN Partners offering services on AWS, such as those who’ve achieved the AWS Healthcare and Life Sciences Competencies, may also be able to assist with customers’ HIPAA and/or HITRUST compliance needs. For example, APN Partner ClearDATA, an Advanced Consulting Partner with the Healthcare Competency, is HITRUST-certified and offers a BAA for customers using its services.
More Info on HIPAA and HITRUST on AWS
This past week, we published our newest Quick Start Reference Deployment AWS Enterprise Accelerator: HIPAA Compliance on AWS.
This new Quick Start deploys a standardized environment that supports compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). The Quick Start was built by AWS solutions architects and compliance experts who have migrated and deployed workloads that are within scope for HIPAA compliance. It supports the technical controls within the 52 statutes of HIPAA Phase 1 and the 180 statutes of HIPAA Phase 2. Download the deployment guide and learn more >>
To provide additional information on HIPAA, HITRUST, and PHI and some of the work from our HCLS Partners today we will feature posts that discuss Life Sciences Competency Partner REAN and Healthcare Competency Partners ClearDATA and hc1.com.
For more information regarding HIPAA on AWS, click here.
Coming up in AWS Healthcare and Life Sciences Week…
- Profile of Healthcare Competency Partner ClearDATA focusing on HITRUST and discussing the company’s expertise in applying DevSecOps principles on AWS
- Profile of Healthcare Competency Partner hc1.com detailing the hc1 Platform and the team’s approach to HIPAA compliance on AWS
- Profile of Life Sciences Competency Partner and Premier Consulting Partner REAN Cloud detailing REAN’s approach to logging, monitoring, and continuous compliance, and the importance of automation in this space
- A guest post from AWS Marketplace
- A profile of AWS Healthcare Competency Partner Cloudticity and how the firm drives automation and cross-segment innovation
- A technical recap from Partner SA Aaron Friedman, highlighting additional HCLS-focused Partners and solutions
- Recap of HCLS week and what to look forward to heading towards HIMSS