AWS Cloud Operations & Migrations Blog

Audit Manager support for HIPAA Omnibus

The security of Protected Health Information (PHI) is at the center of the data universe for healthcare organizations. AWS Audit Manager helps healthcare companies manage their regulatory requirements with the Health Insurance Portability and Accountability Act (HIPAA) healthcare standard, gathering evidence using automation to support their compliance and audit needs.

The current HIPAA pre-built framework observes the requirements of the 2003 Final Security Rule and contains guidance and automated collectors for gathering manual and automated evidence. In 2013 the Final Omnibus Rule was issued, which incorporated provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

While the Final Omnibus Rule broadens security requirements from Covered Entities to include Business Associates, these differences have a minimal impact on how Audit Manager identifies compliance and collects evidence within your environment. We recognize that some customers will want the final control language referenced in their Audit Manager assessments, and they now have this ability with the addition of the HIPAA Final Omnibus Security Rule 2013 framework.

  • HIPAA Security Rule 2003 – Selecting this framework in Audit Manager will utilize the existing HIPAA template, which reflects the 2003 security rule.
  • HIPAA Final Omnibus Security Rule 2013 – Selecting this new framework in Audit Manager will utilize the final security rule control language in your assessments.

About the author:

John Menich

John is a Senior Assurance Consultant at AWS Security Assurance Services. He has over twenty years of experience leading information security governance, risk, and compliance operations. John is passionate about helping customers navigate the complex industry and regulatory landscape.