A large and growing number of healthcare providers, payers and IT professionals are using AWS's utility-based cloud services to process, store, and transmit PHI.
AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information.
AWS offers a HIPAA-focused Whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The "Creating HIPAA-Compliant Medical Data Applications with AWS" whitepaper outlines how companies can use AWS to process systems that facilitate HIPAA and HITECH compliance.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The legislation was designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs. The legislation also sought to drive the adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.
Along with increasing the use of electronic medical records, the law included provisions to protect the security and privacy of Protected Health Information (PHI). PHI includes a very wide set of personally identifiable health and health-related data, from insurance and billing information to diagnosis data, clinical care data, and lab results such as images and test results. The rules apply to "Covered Entities", which include hospitals, medical services providers, employer-sponsored health plans, research facilities and insurance companies that deal directly with patients and patient data. The law and regulations also extend the requirement to protect PHI to "Business Associates".
HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act in 2009. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the "Administrative Simplification" rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on how HIPAA and HITECH protect health information, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
The HITRUST Common Security Framework (CSF), in the words of the Health Information Trust Alliance (HITRUST), "is a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework."
The HITRUST CSF serves to unify security controls from federal law, such as HIPAA/HITECH, state law, such as that of Massachusetts, and non-governmental frameworks, like COBIT and PCI-DSS, into a single framework that is tailored for healthcare needs and use.
AWS provides a reliable, scalable, and inexpensive computing platform that can support healthcare customers' applications in a manner consistent with HIPAA, HITECH, and HITRUST CSF. As an example, one of our customers has created an environment within AWS that has been successfully audited for HIPAA/HITECH compliance, as well as HITRUST certified.
Under the Health Insurance Portability and Accountability Act (HIPAA), a "business associate" is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity. A "business associate" also includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate – under the HIPAA regulations, Cloud Service Providers like AWS are considered business associates. The HIPAA Rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. AWS refers to these contracts as Business Associate Agreement Addendums.
Yes. AWS has a standard business associate agreement we will present to customers for signature. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.
There is no HIPAA certification for a cloud provider such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, "An Introductory Resource Guide for Implementing the HIPAA Security Rule," which documents how NIST 800-53 aligns to the HIPAA Security Rule.
Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA. The HIPAA Eligible Services Reference page has the latest list of HIPAA-eligible services.
AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control, and administrative processes required under HIPAA. Using these services to store and process PHI allows our customers and AWS to address the HIPAA requirements applicable to our utility-based operating model. AWS prioritizes and adds new eligible services based on customer demand.
For more information about our business associate program, or to request new eligible services, please contact us.
If you are an AWS SaaS partner with a BAA and you sell your SaaS solutions to healthcare providers or other covered entities, do those covered entities also need to sign a BAA with AWS?
No. This is a very common scenario and there are a number of innovative HIPAA solution partners running their SaaS offerings in AWS. In this case, each healthcare provider or covered entity would establish a BAA only with the SaaS partner, and the SaaS partner would establish a BAA with AWS. If the covered entity using the SaaS partner is also a direct customer of AWS for HIPAA-related systems, then the covered entity may need one BAA with the SaaS partner and another BAA with AWS.
- The Health Insurance Portability and Accountability Act (HIPAA)
- HITRUST Common Security Framework (CSF)
- HITECH Act Enforcement Interim Final Rule
- Healthcare Providers and Insurers in the Cloud
- Frequently Asked Questions About HIPAA Compliance in the AWS Cloud - Blog Post
- Frequently Asked Questions About HIPAA Compliance in the AWS Cloud: Part Two - Blog Post
- Quick Start: HIPAA Compliance on AWS