
You can use AWS to build applications that are compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA). If you plan to run applications that have protected health information as defined by HIPAA, your AWS representative can provide you with our Business Associate Agreement (BAA).

Any AWS service can be used in a healthcare application, but services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information (PHI) as defined by HIPAA.

View the current list of services covered by the AWS BAA »

Using AWS for HIPAA applications means following some general strategies, such as:

  • Decoupling protected data from processing/orchestration
  • Tracking where data flows using automation
  • Maintaining logical boundaries between protected and general workflows

Examples of common architecture patterns are shown below. It is recommended that you do your due diligence and consult AWS or your internal compliance department before implementing them.


Example 1: Separate Amazon Virtual Private Clouds (VPCs) for PHI and non-PHI data. The right-hand VPC is used to test a mobile app, while the left-hand VPC stores and processes PHI. PHI does not flow from the left-hand VPC to the right-hand VPC. Note: The left-hand VPC must be architected to be consistent with our HIPAA guidance.

[Diagram: separate VPCs for PHI and non-PHI data]

Example 2: Indirection strategy. When a new object containing PHI is written to S3, an S3 trigger signals AWS Lambda to write the appropriate metadata to an Amazon SQS queue. A service running on Amazon EC2 polls the SQS queue, and if new data is available, pulls the PHI data from S3. A second Lambda function triggers a mobile alert, notifying that processing of data has begun. In this example only S3 and EC2 are used to store, process, and transmit all PHI data; Lambda and SQS are only used to orchestrate services or notify when jobs should begin.

Note: Lambda is not currently a HIPAA-eligible service and cannot be used to store, process, or transmit PHI. SQS is a HIPAA-eligible service and is covered under the AWS BAA if you choose to use it in your HIPAA-compliant applications.
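The indirection strategy in Example 2, as an added example (not AWS code): the Lambda side forwards only an object pointer to the queue, and the EC2 side refuses any message that carries more than a pointer before fetching the object from S3. A plain list stands in for the SQS queue, `fetch_object` is an injected stand-in for `s3.get_object`, and the S3 event is constructed; all three are assumptions of this example.

```python
import json
# Keys an orchestration message may carry: an object pointer, nothing else.
POINTER_KEYS = frozenset({"bucket", "key", "eTag"})


def lambda_handler(event: dict, queue: list) -> int:
    """Lambda side: enqueue a pointer for each ObjectCreated record. `queue` is
    a plain list standing in for SQS (assumed; real code calls sqs.send_message)."""
    sent = 0
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated"):
            continue  # deletes and other events do not start a job
        obj = rec["s3"]["object"]
        queue.append(json.dumps({"bucket": rec["s3"]["bucket"]["name"],
                                 "key": obj["key"], "eTag": obj.get("eTag")}))
        sent += 1
    return sent


def is_pointer_only(body: str) -> bool:
    """Worker-side check: accept only messages made of pointer keys, so a
    message that carries object content (PHI) is dropped rather than processed."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return (isinstance(msg, dict) and {"bucket", "key"} <= set(msg)
            and set(msg) <= POINTER_KEYS)


def worker_poll(queue: list, fetch_object) -> list:
    """EC2 side: drain the queue, fetch each object through fetch_object(bucket,
    key) (injected; real code uses s3.get_object) and return the keys processed."""
    processed = []
    while queue:
        body = queue.pop(0)
        if not is_pointer_only(body):
            continue  # malformed or over-full message: skip, never fetch
        msg = json.loads(body)
        fetch_object(msg["bucket"], msg["key"])  # PHI moves only S3 -> EC2
        processed.append(msg["key"])
    return processed


# Constructed sample S3 event; not captured from any real account.
SAMPLE_EVENT = {"Records": [
    {"eventName": "ObjectCreated:Put", "s3": {"bucket": {"name": "phi-intake"},
     "object": {"key": "uploads/record-001.json", "eTag": "abc123"}}},
    {"eventName": "ObjectRemoved:Delete", "s3": {"bucket": {"name": "phi-intake"},
     "object": {"key": "uploads/old.json"}}}]}
```

The `is_pointer_only` check is the part worth keeping in a real worker: it makes the "Lambda and SQS never carry PHI" property enforceable rather than just a convention.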

[Diagram: S3 to Lambda to SQS to EC2 indirection pattern]

We can help you get started with a consultation from our sales and architecture organization, or you can begin your own pilot today.
