Gazelle Consulting

Is Amazon Web Services HIPAA Compliant?

Amazon AWS

If you provide software services for healthcare providers or are a healthcare provider that manages an internal software system to store and transmit PHI, you might be wondering whether Amazon AWS is a HIPAA compliant solution. Amazon has made it clear that AWS is an eligible candidate to consider when deciding how to build your HIPAA compliant system.


Amazon does a good job of describing its HIPAA eligible services, but being HIPAA compliant requires a deeper understanding of how your organization processes PHI and what is required by the US Department of Health and Human Services (HHS). Amazon can help you understand how to implement technical security controls, but your organization also needs to meet the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule. These requirements are not directly associated with AWS and include conducting periodic HIPAA risk assessments, HIPAA training, system activity monitoring and much more. However, HIPAA’s technical requirements apply to all IT systems, including AWS. Technical controls that must be considered when configuring AWS in a HIPAA compliant environment include:

  • Access Control
  • Audit Controls
  • Encryption
  • Integrity
  • Person or Entity Authentication
  • Transmission Security
For more detailed information on implementing technical safeguards in your information systems, visit the HHS’s HIPAA Security Series on Technical Safeguards.

Which AWS Services are HIPAA Compliant?

A HIPAA compliant AWS architecture can be designed using EC2 instances, S3 buckets, RDS, Elastic Load Balancing or any other AWS services, but the services must be configured correctly. A basic understanding of web application security is a good start, but HIPAA introduces a long list of security controls your team may not be aware of. Every AWS environment, and every business that uses one, is different, and the controls that you implement for HIPAA compliance will depend on your IT security strategy. Below is a list of potential security controls that can be configured in AWS to meet your organization’s compliance goals:

  • Ensure PHI stored at rest in RDS is encrypted using keys managed through AWS Key Management Service (AWS KMS)
  • Encrypt data at rest using file-level or full disk encryption
  • Configure Virtual Private Cloud Flow Logs to provide an audit trail of connections to instances processing, transmitting or storing PHI
  • Force connections over HTTPS when accessing PHI stored in S3 buckets
This list is not exhaustive by any means, and a more comprehensive take can be found in the AWS HIPAA Compliance White Paper.
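The HTTPS-only S3 control and the RDS-encrypted-with-KMS control from the list above, as an added example that is not part of the original post: it builds the bucket policy that denies non-TLS requests and runs two small Config-style compliance checks over constructed API responses (the bucket name, account number and key id are placeholders).

```python
# Added example, not from the original post: the S3 bucket policy that
# refuses non-HTTPS requests, plus two Config-style checks over constructed
# API responses (bucket, account and key ids are made-up placeholders).
import json

BUCKET = "example-phi-bucket"  # constructed placeholder


def tls_only_bucket_policy(bucket: str) -> dict:
    """Deny every S3 action on the bucket and its objects when the
    request did not arrive over TLS (aws:SecureTransport is false)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]}


def enforces_tls(policy: dict, bucket: str) -> bool:
    """True only if a Deny statement covers s3:* on both the bucket and
    its objects and is conditioned on aws:SecureTransport == false."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy.get("Statement", []):
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny" and "s3:*" in actions
                and needed <= set(resources) and str(flag).lower() == "false"):
            return True
    return False


def rds_phi_encrypted(db: dict) -> bool:
    """One describe_db_instances entry passes only if storage is
    encrypted and the key is a KMS key ARN (keys managed through KMS)."""
    return bool(db.get("StorageEncrypted")) and \
        str(db.get("KmsKeyId", "")).startswith("arn:aws:kms:")


# Constructed describe_db_instances entries with placeholder identifiers
ENCRYPTED_DB = {"DBInstanceIdentifier": "phi-db", "StorageEncrypted": True,
                "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}
PLAINTEXT_DB = {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False}

if __name__ == "__main__":
    policy = tls_only_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("S3 TLS enforced:", enforces_tls(policy, BUCKET))
    print("RDS encrypted:", [rds_phi_encrypted(d) for d in (ENCRYPTED_DB, PLAINTEXT_DB)])
```

In a real account the same checks would be fed the output of `get_bucket_policy` and `describe_db_instances`; the functions deliberately require a Deny on `s3:*` over both the bucket and its objects, so a policy that only protects one of them fails.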

AWS HIPAA QuickStart

The fastest way to find out if your plans for AWS are HIPAA compliant is to send Gazelle Consulting a message from our Contact page or call 1-503-389-5666. Our experienced HIPAA compliance consultants will act quickly to prioritize and address your most critical concerns. The next best thing to do is get familiar with resources provided by Amazon themselves like the AWS HIPAA Compliance White Paper, AWS HIPAA FAQs part 1 and part 2, and the AWS HIPAA Compliance Overview page.