Supporting customers in the context of DiGAV compliance
A growing number of healthcare providers, payers, and IT professionals are using Amazon Web Services’s (AWS’s) secure, flexible, and scalable utility-based cloud services to process and store data including personal data. AWS provides a number of industry-leading tools to support customers address local regulatory and legislative requirements, including the German Digital Supply Act (DVG) and associated Digital Health Applications Ordinance (DiGAV), as they move healthcare workloads to the cloud.
What is DiGAV and what does it mean for AWS customers?
DiGAV was introduced in April 2020 to support the digitization of the German health system. DiGAV enables certain healthcare applications to be recognized as refundable under the German statutory health insurance system. However, for organizations to comply with and enable eligibility for reimbursement through DiGAV, they must demonstrate that their applications meet DiGAV data protection requirements, including that personal data is processed exclusively within the European Economic Area (EEA) or a country with an adequacy decision by the European Commission based on Article 45 of the EU General Data Protection Regulation (GDPR).
DiGAV represents an opportunity for AWS customers to launch digital health applications in Germany and leverage the scale and security of the cloud to support better patient experience, engagement, and health outcomes. To help customers comply with DiGAV’s data processing location requirements, AWS offers services and technical guardrails that can enable data processing only within the EEA.
How is AWS supporting customers?
For the last decade organizations have focused on digitizing healthcare. In the next decade, providing tools and applications to improve health will provide an opportunity to transform care and patient and caregiver experiences. However, this transformation will primarily depend on data flowing where it needs to, at the right time, and supporting this process in a way that is secure, protects patients’ health data, and addresses regulatory requirements.
AWS supports customers by providing transparency about the Privacy Features of AWS Services to help customers determine which AWS services can be used without transferring data from the AWS region(s) selected by the customer. By selecting AWS services that do not transfer customer data and properly configuring those services for use from AWS regions located within the EEA, customers can enable EEA-only data processing. This enables customers to build and run applications on AWS that are intended to be reimbursed under DiGAV. In addition, customers can access the AWS GDPR Center to learn more about using AWS services in compliance with GDPR.
AWS also provides technical tools (such as the AWS Service Control Policies) that support customers in blocking the usage of AWS services in regions outside of the EEA. To make the application of these restrictions easier for customers, AWS has published the DiGAV Blueprint, a tool that supports customers in putting corresponding technical guardrails in place. In accordance with the AWS Shared Responsibility Model, it is the customer’s responsibility to ensure configuration of services in a way that does not trigger data processing outside of the EEA (e.g., by not enabling S3 cross-region replication or similar features).
To further support customers in fulfilling DiGAV-requirements, AWS has also provided strengthened commitments to protect customer data for all customers whose processing of personal data in AWS is subject to GDPR. This includes robust contractual commitments regarding data disclosure requests by governmental bodies.
To demonstrate adequate data protection measures, customers are commonly asked to present a data protection concept documenting applicable technical and organizational protection measures (TOMs). AWS can offer customers an example of such documentation for solutions on AWS that contain relevant information about AWS services. Check out our FAQ to learn more.
Supporting the healthcare and life sciences industry
Customers can use AWS resources to help them choose appropriate AWS services and put technical safeguards in place to help make sure they comply with EEA-only data processing for personal data, including health data and documents, and to demonstrate DiGAV compliance on AWS to regulators.
Our customers in the healthcare and life sciences industry are innovating using AWS services to improve access to and delivery of care to the right patient at the right time. As regulations continue to evolve in this space, we are working hard to help customers respond to new rules and guidelines and to meet the highest standards in security, data protection, and regulatory compliance.