Is Amazon Web Services/AWS HIPAA Compliant?

If you provide software services for healthcare providers or are a healthcare provider that manages an internal software system to store and transmit PHI, you might be wondering whether Amazon AWS is a HIPAA compliant solution.

Amazon has made it clear that AWS is an eligible candidate to consider when
building a HIPAA compliant system.

Amazon Web Services (AWS) and HIPAA Compliance

Amazon does a good job of describing its HIPAA eligible services, but being HIPAA compliant requires a deeper understanding of how your organization processes PHI and what is required by The US Department of Health and Human Services (HHS).

Amazon can help you understand how to implement technical security controls, but your organization also needs to meet requirements from HHS.gov regarding the HIPAA Privacy Rule and HIPAA Security Rule. These requirements are not directly associated with AWS and include conducting periodic HIPAA risk assessments, HIPAA training, system activity monitoring and much more.

However, HIPAA’s technical requirements apply to all IT systems, including AWS. Technical controls that must be considered when configuring AWS in a HIPAA compliant environment include:

  • Access Control
  • Audit Controls
  • Encryption
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

For more detailed information on implementing technical safeguards in your information systems, visit the HHS’s HIPAA Security Series on Technical Safeguards.

Which AWS Services are HIPAA Compliant?

A HIPAA compliant AWS architecture can be designed using EC2 instances, S3 buckets, RDS, Elastic Load Balancing or any other AWS services, but the services must be utilized correctly. A basic understanding of web application security is a good start, but HIPAA introduces a long list of security controls your team may not be aware of.

Every AWS environment and business that uses them are different, and the controls that you implement for HIPAA compliance will depend on your IT security strategy. Below are a list of potential security controls that can be configured in AWS to meet your organization’s compliance goals:

  • Ensure PHI stored at rest in RDS is encrypted using keys managed through AWS Key Management Service (AWS KMS)
  • Encrypt data at rest using file-level or full disk encryption
  • Configure Virtual Private Cloud Flow Logs to provide an audit trail of connections to instances processing, transmitting or storing PHI
  • Force connections over HTTPS when accessing PHI stored in S3 buckets

This is list is not exhaustive, by any means, and a more comprehensive take can be found in this AWS HIPAA Compliance White Paper.

AWS HIPAA QuickStart

It’s good to get familiar with resources provided by Amazon themselves, like the AWS HIPAA Compliance White Paper, AWS HIPAA FAQs part 1 and part 2, and the AWS HIPAA Compliance Overview page. The fastest way to find out if your plans for AWS are HIPAA compliant is to send Gazelle Consulting a message from our Contact page or call 1-503-389-5666. Our experienced HIPAA compliance consultants will act quickly to prioritize and address your most critical concerns.

Takeaways

  • Amazon Web Services (AWS) can be HIPAA compliant with proper security configuration and administrative controls
  • Check out our blog for more guidance on Choosing HIPAA Compliant Software

Are you unsure if Amazon Web Services is the right for your business?

Gazelle Consulting is here to help! Call us today at (503) 389-5666, email us at info@gazelleconsulting.org, or contact us here. We can answer all of your HIPAA compliance questions and help you feel as confident as a lion in a grassy savanna.

Nav close