
You can use AWS to build applications that are compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA). If you plan to run applications that have protected health information as defined by HIPAA, your AWS representative can provide you with our Business Associate Agreement (BAA).

Any AWS service can be used in a healthcare application, but services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information (PHI) as defined by HIPAA.

View the current list of services covered by the AWS BAA »

Using AWS for HIPAA applications means following some general strategies, such as:

  • Decoupling protected data from processing and orchestration
  • Tracking where data flows using automation
  • Maintaining logical boundaries between protected and general workflows

Examples of common architecture patterns are shown below. It is recommended that you do your due diligence, and consult AWS or your internal compliance department before implementing.

Example 1: Separate Amazon Virtual Private Clouds (VPC) for PHI and non-PHI data. The right-hand VPC is used to test a mobile app, while the left-hand VPC stores and processes PHI. PHI does not flow from the left-hand to the right-hand VPC. Note: the left-hand VPC must be architected to be consistent with our HIPAA guidance, including use of dedicated tenancy when Amazon EC2 instances store, process, and transmit PHI.

Example 2: Indirection strategy. When a new object containing PHI is written to S3, an S3 trigger signals AWS Lambda to write the appropriate metadata to an Amazon SQS queue. A service running on Amazon EC2 polls the SQS queue and, if new data is available, pulls the PHI data from S3. A second Lambda function triggers a mobile alert, notifying that processing of the data has begun. Note that in this example, Lambda and SQS are not used to store, process, or transmit any PHI; these services are only used to orchestrate services or to notify when jobs should begin.
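The following Python sketch is an added illustration of the indirection pattern in Example 2; it is not code from this page or from AWS. It shows the two halves of the pattern: the Lambda side reduces an S3 event notification to a small "pointer" message (bucket, key, size, ETag, event name) so that only metadata ever enters SQS, and the EC2 worker side validates that pointer before fetching the object from S3. The SQS client and the S3 fetch are replaced by in-memory stand-ins so the code runs offline; the bucket name, object key, ETag and queue URL are constructed sample values. The second Lambda function (the mobile alert) is not modelled.

```python
"""Indirection pattern: only object metadata crosses Lambda/SQS; the PHI
payload itself is fetched from S3 by the polling worker in the covered VPC.
Added example, not AWS code. boto3 clients are replaced by stand-ins."""
import json
from urllib.parse import unquote_plus

# The only fields an orchestration message may carry. Object bodies, tags
# and user metadata stay in S3 and never enter the queue.
ALLOWED_FIELDS = {"bucket", "key", "size", "etag", "event"}

# Constructed S3 event notification (same shape as a real "s3:ObjectCreated:*"
# notification record); bucket, key and ETag are sample values.
SAMPLE_EVENT = {
    "Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "example-phi-bucket"},
            "object": {
                "key": "incoming/patient+42.hl7",   # S3 URL-encodes keys in events
                "size": 2048,
                "eTag": "0123456789abcdef0123456789abcdef",
            },
        },
    }]
}


def build_pointer_message(s3_event: dict) -> str:
    """Reduce an S3 event to a JSON pointer that carries no PHI."""
    rec = s3_event["Records"][0]
    msg = {
        "event": rec["eventName"],
        "bucket": rec["s3"]["bucket"]["name"],
        # Undo the URL-encoding S3 applies to keys in notifications.
        "key": unquote_plus(rec["s3"]["object"]["key"]),
        "size": rec["s3"]["object"]["size"],
        "etag": rec["s3"]["object"]["eTag"],
    }
    # Guard against accidentally widening the message in a later refactor.
    assert set(msg) <= ALLOWED_FIELDS
    return json.dumps(msg)


def lambda_handler(event, context, sqs_client, queue_url):
    """Lambda side: forward the pointer (not the object) to SQS."""
    return sqs_client.send_message(
        QueueUrl=queue_url, MessageBody=build_pointer_message(event)
    )


def process_queue_message(body: str, fetch_object):
    """Worker side (EC2 in the covered VPC): validate the pointer, then fetch.

    fetch_object(bucket, key) is the only call that touches PHI; in
    production it would wrap s3.get_object, here it is injected."""
    msg = json.loads(body)
    unexpected = set(msg) - ALLOWED_FIELDS
    if unexpected:
        # A message with extra fields means something upstream leaked data
        # into the orchestration channel; refuse it rather than process it.
        raise ValueError(f"unexpected fields in pointer: {sorted(unexpected)}")
    if not msg["event"].startswith("ObjectCreated:"):
        return None  # deletes and other events need no processing here
    return fetch_object(msg["bucket"], msg["key"])


class _RecordingSqs:
    """Stand-in for boto3's SQS client: records sent bodies instead of sending."""
    def __init__(self):
        self.sent = []

    def send_message(self, QueueUrl, MessageBody):
        self.sent.append(MessageBody)
        return {"MessageId": f"constructed-{len(self.sent)}"}


def fake_fetch_object(bucket: str, key: str) -> bytes:
    """Stand-in for s3.get_object; returns a constructed placeholder body."""
    return b"<constructed object body>"


def demo():
    """Run both halves end to end and return (queued body, fetched payload)."""
    sqs = _RecordingSqs()
    lambda_handler(SAMPLE_EVENT, None, sqs, "https://sqs.example.invalid/queue")
    body = sqs.sent[0]
    return body, process_queue_message(body, fake_fetch_object)


if __name__ == "__main__":
    queued, payload = demo()
    print("queued pointer:", queued)
    print("worker fetched:", payload)
```

The point of the split is that the only code path that ever holds PHI is `fetch_object`, which runs on the EC2 service inside the covered VPC; the Lambda and SQS hops only ever see the pointer, which is what the page's note about those services relies on. The `ALLOWED_FIELDS` check on the worker side turns that design intent into something that fails loudly if a later change starts putting object content into the queue.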

HIPAA Quick Start Guide

We can help you get started with a consultation from our sales and architecture organization, or you can begin your own pilot today.
