AWS Security Blog

Frequently Asked Questions About HIPAA Compliance in the AWS Cloud: Part Two

In a previous blog post, Frequently Asked Questions About HIPAA Compliance in the AWS Cloud, I looked at some of the broad questions you have asked us about running protected health information (PHI) in the AWS cloud.

In this blog post, I will take a closer look at the more technical questions we hear from you about Health Insurance Portability and Accountability Act (HIPAA) compliance.

Do I need to encrypt PHI to meet AWS’s BAA requirements?

Yes, you must encrypt at rest and in transit all PHI that is processed, stored in, or transmitted using the AWS HIPAA Eligible Services.

Why are only limited services available to process, store, or transmit PHI?

Although additional AWS services have robust security and are covered by a variety of voluntary industry certifications, HIPAA imposes regulatory obligations and requirements that must be met as well. AWS limits the HIPAA eligibility of services to those that meet the HIPAA requirements applicable to our operating model by aligning our HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” which documents how NIST 800-53 aligns to the HIPAA Security Rule.

Can I use non-eligible services in an account marked as “HIPAA”?

Under the AWS BAA, you must identify each account that contains PHI as a HIPAA account. You may use any AWS service within that account; however, you may only process, store, or transmit PHI on eligible services.

If I process, store, or transmit PHI on AWS, but do not have a BAA in place, is AWS obligated to inform me of a security breach?

AWS does not access your data. As a result, AWS has no method of determining when PHI is processed, stored, or transmitted with the services used by any specific account. Unless you execute a BAA with AWS that specifies which accounts will process, store, or transmit PHI, AWS would have no way of determining whether a security breach exposed unsecured PHI or whether PHI was improperly used or accessed. You must have a BAA in place with AWS in order to ensure you will be notified in the event of a security breach that exposes PHI.

HIPAA requires that business associates extend security and privacy requirements to its subcontractors. Does AWS use subcontractors, and if so, how does AWS ensure that subcontractors protect PHI?

AWS does not have subcontractors with access to PHI. If AWS were to use subcontractors with access to PHI, we would extend the obligations of the BAA to that relationship.

Can I use Glacier for long-term archival of PHI as long as it is encrypted?

Yes. Glacier is an eligible service and encrypts data at rest by default.

Can I use AWS Key Management Service (AWS KMS) to encrypt PHI in my HIPAA account?

Master keys in KMS can be used to encrypt and decrypt keys that are used to encrypt actual PHI in customer applications or in AWS services that are integrated with KMS. Just do not send PHI directly to KMS using the Encrypt() or Decrypt() APIs. Like any AWS service, you can use KMS in conjunction with a HIPAA account, but PHI may only be processed, stored, or transmitted on eligible services. KMS is not an eligible service, but you can use it to generate and manage keys for applications running in other eligible services. For example, an application processing PHI in EC2 could use the GenerateDataKey API call to generate data encryption keys for encrypting and decrypting the PHI in the application. The data encryption keys would be protected by customer master keys (CMKs) stored in KMS, creating a highly auditable key hierarchy.
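As an added illustration of the key hierarchy just described (example code, not from the original post or AWS): PHI is encrypted locally under a data key, only the wrapped data key is ever handed to KMS, and the plaintext data key is discarded after use. It substitutes an in-memory `LocalKms` stand-in for the real `GenerateDataKey`/`Decrypt` calls and an HMAC-SHA256 counter-mode construction for AES so it runs offline with the standard library; `alias/phi-cmk` is a hypothetical key alias, and a real deployment would make the same two calls through boto3's KMS client and use AES-GCM.

```python
import hashlib
import hmac
import secrets

def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream.
    Stand-in for AES (stdlib only, constructed); use AES-GCM in production."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class LocalKms:
    """In-memory stand-in for the two KMS calls the pattern needs (not boto3).
    It logs every payload it receives so we can check PHI never reaches 'KMS'."""
    def __init__(self):
        self._cmk = {"alias/phi-cmk": secrets.token_bytes(32)}  # hypothetical CMK alias
        self.payloads_seen = []

    def generate_data_key(self, KeyId: str) -> dict:
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        wrapped = nonce + _ctr_xor(self._cmk[KeyId], nonce, dek)
        return {"Plaintext": dek, "CiphertextBlob": wrapped}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        self.payloads_seen.append(CiphertextBlob)
        key = self._cmk["alias/phi-cmk"]
        return {"Plaintext": _ctr_xor(key, CiphertextBlob[:12], CiphertextBlob[12:])}

def encrypt_phi(kms, key_id: str, phi: bytes) -> dict:
    """Envelope-encrypt one record. The plaintext data key exists only in this
    process; the stored envelope carries the wrapped key, never the plain one."""
    dk = kms.generate_data_key(KeyId=key_id)
    enc_key, mac_key = dk["Plaintext"][:16], dk["Plaintext"][16:]
    nonce = secrets.token_bytes(12)
    ct = _ctr_xor(enc_key, nonce, phi)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"wrapped_key": dk["CiphertextBlob"], "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_phi(kms, env: dict) -> bytes:
    """Unwrap the data key via KMS (only the wrapped key is sent), verify, decrypt."""
    dek = kms.decrypt(CiphertextBlob=env["wrapped_key"])["Plaintext"]
    enc_key, mac_key = dek[:16], dek[16:]
    expect = hmac.new(mac_key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, env["tag"]):
        raise ValueError("envelope failed integrity check")
    return _ctr_xor(enc_key, env["nonce"], env["ct"])
```

The `payloads_seen` list is the audit point: after a round trip it holds only the wrapped key, never the record itself.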

The HIPAA Security Rule requires auditing of access to PHI. How do I implement auditing and logging in AWS?

As part of the AWS Shared Responsibility Model, you must implement auditing and logging on your instances in a manner sufficient to meet your compliance requirements. AWS makes logging and log analytics architectures simple to implement. AWS also has a variety of partners available in the AWS Marketplace that provide security logging solutions.

For additional information about auditing and logging, see Architecting for HIPAA Compliance on AWS from AWS re:Invent 2015.

Can I use CloudWatch Logs to monitor compliance with HIPAA regulations?

You can send log messages to CloudWatch Logs, but the logs cannot contain PHI because CloudWatch is not a HIPAA Eligible Service. If you want to send logs to CloudWatch Logs from your applications or infrastructure, you should scrub PHI from the logs before you send the messages. Alternatively, you could run your own log management and search applications on EC2 instances, and send your logs using encrypted transport.
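An added example (not from the original post) of the scrubbing step: a regex-based redactor run over constructed log lines before they are handed to the CloudWatch Logs agent. The patterns, field names and `[REDACTED:…]` markers are illustrative assumptions, not an exhaustive PHI list.

```python
import re

# Constructed patterns for identifiers that commonly leak into application logs.
# Each entry: (label, regex, replacement). Illustrative, not an exhaustive PHI list.
PHI_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED:ssn]"),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[REDACTED:phone]"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[REDACTED:email]"),
    # keyed fields: keep the key so the log stays searchable, drop the value
    ("mrn",   re.compile(r"\b(mrn|patient_id)([=:]\s*)[\w-]+", re.I), r"\1\2[REDACTED:mrn]"),
    ("dob",   re.compile(r"\b(dob|birth_date)([=:]\s*)\d{4}-\d{2}-\d{2}", re.I), r"\1\2[REDACTED:dob]"),
]

def scrub_line(line: str) -> tuple:
    """Redact every match in one log line; return (clean_line, {label: hits})."""
    hits = {}
    for label, pattern, repl in PHI_PATTERNS:
        line, n = pattern.subn(repl, line)
        if n:
            hits[label] = hits.get(label, 0) + n
    return line, hits

def scrub_log(lines) -> tuple:
    """Scrub a batch before it leaves the instance. The totals are worth
    alerting on: they show an application starting to log identifiers it should not."""
    clean, totals = [], {}
    for line in lines:
        scrubbed, hits = scrub_line(line)
        clean.append(scrubbed)
        for label, n in hits.items():
            totals[label] = totals.get(label, 0) + n
    return clean, totals

SAMPLE_LOG = [  # constructed lines, not real data
    "2016-03-01T10:02:11Z INFO claim submitted mrn=A12345 dob=1971-06-09 status=ok",
    "2016-03-01T10:02:12Z WARN retry for patient_id: 99887 contact=jane.doe@example.org",
    "2016-03-01T10:02:13Z ERROR lookup failed ssn 123-45-6789 phone 555-123-4567",
    "2016-03-01T10:02:14Z INFO healthcheck ok latency_ms=12",
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG)[0]:
        print(line)
```

Only the returned `clean` lines should ever reach the CloudWatch Logs agent; anything that needs the raw values stays on the EC2-hosted log store.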

If you are a SaaS provider of healthcare services and sign a BAA with AWS, do your customers (such as a hospital or physicians’ group) need to sign a BAA with AWS?

No. This is a very common scenario: a number of innovative billing, claims processing, and other health-related SaaS companies host their solutions on AWS. In this scenario, the hospital or physicians’ group is known as the covered entity under HIPAA. Each healthcare provider or covered entity would establish a BAA with the SaaS provider, and the SaaS provider would establish a BAA with AWS. The contracting structure would look like this:

Diagram of the contracting structure

In many cases, the covered entity may also be a customer of AWS and have their own BAA with AWS. That does not remove the need for a SaaS provider to also have a BAA with AWS.

I see you added new services. Do I need to update my BAA?

We have worded the BAA in such a way that AWS can add HIPAA-eligible services for your use without requiring you to update the contract. You can visit the HIPAA page on the AWS Compliance website, or see this HIPAA whitepaper for a list of eligible services.

I am seeking accreditation under EHNAC. Can I obtain this accreditation while operating on AWS?

If you are an AWS customer seeking an Electronic Healthcare Network Accreditation Commission (EHNAC) accreditation, we want to make you aware of the recent announcement by EHNAC of their Cloud Enabled Accreditation Program (CEAP). Per EHNAC, this program is available to organizations that are already EHNAC accredited or have become candidates of at least one other EHNAC accreditation program. Developed through EHNAC’s standards development process involving healthcare industry members, CEAP is offered exclusively for the users of FedRAMP-certified cloud service providers (CSPs), such as AWS. AWS participates in the CEAP Advisory Group and criteria development as an industry participant only, and does not vote on, approve, or endorse the criteria.

Please contact and work directly with EHNAC for additional information about your application to the CEAP accreditation program. For more information about the EHNAC program, see the EHNAC Cloud Enabled Services page. You can also download the specific draft CEAP criteria. As you work with EHNAC through the CEAP accreditation process, feel free to contact AWS directly for anything related to implementing the CEAP criteria on AWS.

If you have additional questions about HIPAA compliance, contact us. If you would like to learn more generally about compliance in the cloud, see our AWS Cloud Compliance page.

– Chad