HIPAA Compliant Architecture in AWS


As more and more healthcare providers, hospitals, and health data service providers make the move to the cloud, they are doing so with measured precaution. They see the benefits of making their operations more agile and secure using the correct cloud service provider who they can partner with to deliver a HIPAA compliant solution.

So What is a Business Associate or a Business Associates Agreement?

According to HHS: A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

With the release of the HIPAA final rule, business associates are directly regulated under HIPAA, but business associate agreements / contracts are still required.

AWS HIPAA-eligible services that can be covered under a BAA:

(Figure: HIPAA Compliant AWS Services)

HIPAA Compliant AWS Services are outlined in more detail in the newly updated whitepaper released by Amazon Web Services, named Architecting for Security and Compliance on Amazon Web Services. While these reference materials are a great source of information, they can often be difficult to digest. This is the reason for relying on consultants who have a proven track record of success in the area of compliance.

It’s important to note that customers may process, store or transmit ePHI (electronic Protected Health Information) only using eligible services. One reason for this is that, although all AWS services are held to a high standard, the HIPAA-eligible services are held to a much higher one.

Those who are familiar with Amazon Web Services will notice that many of the managed service offerings have been left off this list. Does this mean that companies who deal with HIPAA compliance cannot use these services? It does not. It does mean, however, that a company cannot use the whole breadth of AWS services for ePHI: only the approved services may come into contact with ePHI.

There are other restrictions when dealing with ePHI. These are items such as:

  • Customers must encrypt ePHI both in transit and at rest.
  • Customers must use EC2 dedicated instances for processing, storing, or transmitting ePHI.
  • Customers must record and retain activity related to the use and access to ePHI.

Let’s take a quick look at how AWS makes managing encryption at rest a much easier process using their KMS (Key Management Service).

Inside the IAM console, you can create a key to use with services that store data. It is important to remember when planning your key management strategy that the encryption keys managed by the KMS service are region specific. This means that a key being used to encrypt data on storage in the US-East-1 region cannot be used as the same key in the US-West-2 region.

Prior to KMS, companies had to use either unique encryption methods, third party services, or CloudHSM in order to protect their data at rest across many different AWS service offerings. Keeping track of these solutions and logging their access could quickly become an operational and management nightmare. This all changed, however, once Amazon Web Services introduced Key Management Service. KMS works with many of the services that actually store data, including S3 and EBS for storage and content delivery, RDS and Redshift for databases, and Amazon EMR for data analytics, and the enterprise application Amazon WorkMail also takes advantage of KMS encryption.

(Figure: HIPAA Compliant AWS Services 2)

One of the main things to remember according to the HIPAA privacy rule is that you need to delegate the duties of a Privacy Officer. This is a position whose responsibilities include seeing that the privacy policies and procedures are adopted and followed. This means that the person maintaining the keys, their permissions and rotation cannot be the same person or team(s) actively using the keys.

You may be wondering why the Identity and Access Management and Key Management services are not on this list. Although these components play an essential part in conforming and mapping to HIPAA and NIST regulations, as services themselves they should never hold any ePHI and therefore do not need to be covered by the BAA.

Moving your healthcare operation to the cloud should be done with care and choosing the proper professional service provider can be a crucial step in that process. If you and your organization are dealing with regulatory compliance and protected information such as ePHI or Personal Identifiable Information (PII), contact Relus to see a presentation of the mappings of HIPAA regulations to AWS services.

Stay tuned for the second part of our series where we talk about dealing with your audit trails in AWS, an essential part in HIPAA and other compliance frameworks such as PCI DSS, SOC2, Sarbanes-Oxley as well as other frameworks.
