Using AWS for HIPAA applications means following some general strategies, such as:
- Decoupling protected data from processing/orchestration
- Tracking where data flows using automation
- Having logical boundaries between protected and general workflows
Examples of common architecture patterns are shown below. It is recommended that you do your due diligence and consult AWS or your internal compliance department before implementing.
Example 1: Separate Amazon Virtual Private Clouds (VPC) for PHI and non-PHI data. The right-hand VPC is used to test a mobile app, while the left-hand VPC stores and processes PHI. PHI does not flow from the left-hand to the right-hand VPC. Note: The left-hand VPC must be architected to be consistent with our HIPAA guidance, including use of dedicated tenancy when Amazon EC2 instances store, process, and transmit PHI.
Example 2: Indirection strategy. When a new object containing PHI is written to S3, an S3 trigger signals AWS Lambda to write the appropriate metadata to an Amazon SQS queue. A service running on Amazon EC2 polls the SQS queue and, if new data is available, pulls the PHI data from S3. A second Lambda function triggers a mobile alert, notifying that processing of data has begun. Note that in this example, Lambda and SQS are not used to store, process, or transmit any PHI; these services are only used to orchestrate services or notify when jobs should begin.
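
A sketch of the first Lambda function in Example 2, added here as an illustration and not taken from AWS or the original page. It forwards only an allowlisted pointer to the object. Because the S3 object key travels inside the event and the SQS message, it also rejects keys that do not follow an opaque naming convention. The key pattern, the `QUEUE_URL` environment variable, the bucket name and the function names are assumptions.

```python
import json
import os
import re
from urllib.parse import unquote_plus

# Assumed convention (not from the page): keys are opaque, "incoming/<uuid>.bin",
# so the key that travels through SQS cannot carry a name or record number.
OPAQUE_KEY = re.compile(r"incoming/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.bin")

def pointer_messages(event):
    """Return (message_bodies, rejected_count) for an S3 event notification."""
    bodies, rejected = [], 0
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue  # only new objects start a job
        obj = record["s3"]["object"]
        key = unquote_plus(obj["key"])  # keys arrive URL-encoded in S3 events
        if not OPAQUE_KEY.fullmatch(key):
            rejected += 1  # count only; the key may itself be sensitive
            continue
        # Allowlist: a pointer to the object, never its content or user metadata.
        bodies.append(json.dumps({
            "bucket": record["s3"]["bucket"]["name"],
            "key": key,
            "versionId": obj.get("versionId"),
            "size": obj.get("size"),
        }, sort_keys=True))
    return bodies, rejected

def handler(event, context, send=None):
    """Lambda entry point; `send` is injectable so the logic runs offline."""
    if send is None:  # real deployment path; QUEUE_URL is an assumed env var
        import boto3
        sqs = boto3.client("sqs")
        send = lambda body: sqs.send_message(QueueUrl=os.environ["QUEUE_URL"], MessageBody=body)
    bodies, rejected = pointer_messages(event)
    for body in bodies:
        send(body)
    return {"queued": len(bodies), "rejected": rejected}

def _record(key):  # constructed S3 event record
    return {"eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "example-phi-bucket"},
                   "object": {"key": key, "size": 2048}}}

SAMPLE_EVENT = {"Records": [
    _record("incoming/3f2b8c1e-9a4d-4e7b-8c2a-1d5e6f7a8b9c.bin"),
    _record("incoming/jane+doe-mrn-0001.pdf"),  # name embedded in key: rejected
]}
```

The EC2 worker that polls the queue then fetches the object from S3 using the bucket and key in the message, so the PHI itself moves only between S3 and the worker.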