HIPAA Compliance for AWS
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to help US workers keep their health insurance when they changed or lost their jobs. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened enforcement and extended HIPAA's security obligations directly to business associates. Together, HIPAA and HITECH established national standards for how healthcare organizations and their business associates use, share, and store the protected health information (PHI) of their patients or clients.
A cloud service provider that stores or processes PHI on a customer's behalf is a business associate under HITECH and is therefore directly subject to the HIPAA Security Rule; the customer remains responsible for how it configures and uses the service. AWS will sign a Business Associate Agreement (BAA) with its customers, and only the services AWS designates as HIPAA eligible may be used to create, store, process, or transmit PHI under that agreement.
HIPAA Security Rule
The HIPAA Security Rule applies to health plans, health care clearinghouses, any health care provider that transmits health information in electronic form, and (since HITECH) their business associates. Among other requirements, it defines three categories of safeguards for protecting electronic PHI (e-PHI): administrative safeguards, technical safeguards, and physical safeguards.
Administrative Safeguards
- Security Management Process – Organizations must identify and analyze potential risks to e-PHI and implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel – Organizations must designate a security official responsible for developing and implementing security policies and procedures.
- Information Access Management – Organizations must implement policies and procedures for authorizing access to e-PHI.
- Workforce Training and Management – Organizations must provide training and supervision on security policies and procedures to all workforce members who work with e-PHI, and must apply appropriate sanctions against workforce members who violate those policies and procedures.
- Evaluation – Organizations must perform periodic assessments of how well their security policies meet the requirements of the Security Rule.
Technical Safeguards
- Access Control – Organizations must implement technical policies and procedures that allow only authorized persons to access e-PHI.
- Audit Controls – Organizations must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls – Organizations must implement policies and procedures to confirm that e-PHI is not improperly altered or destroyed.
- Transmission Security – Organizations must implement technical security measures that guard against unauthorized access to e-PHI being transmitted over an electronic network.
Physical Safeguards
- Facility Access and Control – Organizations must limit physical access to their facilities while ensuring that properly authorized access is allowed.
- Workstation and Device Security – Organizations must implement policies and procedures to specify proper use of and access to workstations and electronic media. They must also ensure protection of the transfer, removal, disposal, and re-use of electronic media containing e-PHI.
How can AWS help maintain HIPAA compliance?
AWS operates under the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP's control baselines are built from NIST SP 800-53, and NIST SP 800-66 (the NIST guide to implementing the Security Rule) maps each Security Rule standard to those controls, so a FedRAMP-authorized platform already addresses much of what the Security Rule asks for. A FedRAMP authorization does not by itself make a customer's workload HIPAA compliant; it covers the infrastructure, and the customer still has to configure and operate its own systems correctly.
FedRAMP
Cloud Service Providers that work with US federal agencies must obtain a FedRAMP authorization. FedRAMP's security control baselines are drawn from NIST Special Publication 800-53. Among other things, FedRAMP requires the provider to undergo an independent assessment by an accredited Third Party Assessment Organization (3PAO), so that the resulting authorization satisfies the Federal Information Security Management Act (FISMA).
AWS offers tools and services that customers can use to meet the encryption, auditing, data backup, and disaster recovery requirements of HIPAA. Under the AWS shared responsibility model these are building blocks: AWS secures the underlying infrastructure, and the customer is responsible for configuring the services so that e-PHI is actually protected.
Encryption
Encryption is an addressable implementation specification in the Security Rule: a covered entity must either implement it or document why an equivalent alternative is reasonable. In practice it is expected. Under breach-notification guidance issued by the Secretary of Health and Human Services (HHS), PHI encrypted according to NIST guidelines is treated as secured, so its loss is not a reportable breach, and the AWS BAA requires customers to encrypt PHI both at rest and in transit. AWS provides services such as AWS Key Management Service (AWS KMS) for managing the keys and encrypting e-PHI stored in AWS services.
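As an added example (not code from the original page or from AWS), the following Python/boto3 snippet configures an S3 bucket for e-PHI along the lines of the encryption and transmission-security requirements above: default SSE-KMS under a customer managed key, versioning, all public access blocked, and a bucket policy that denies plaintext (non-TLS) requests and any upload not encrypted under that specific key. The bucket name, account ID, and key ARN are placeholders. The policy builder runs offline; applying the controls needs credentials and a real boto3 S3 client, which is passed in rather than created at import time.

```python
import json

# Placeholder identifiers for illustration only (not real resources).
PHI_BUCKET = "example-phi-records"
PHI_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def phi_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy that refuses plaintext transport and any object upload
    that is not encrypted with the designated customer managed KMS key."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Transmission security: reject every request not made over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Uploads must state server-side encryption explicitly; the
                # header is absent when a client relies on bucket defaults.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # SSE-S3 (AES256) is not accepted here: require KMS-managed keys.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Pin the key: data cannot be written under a key from another
                # account or one outside the BAA scope. Clients must pass the full key ARN.
                "Sid": "DenyForeignKmsKey",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def apply_phi_bucket_controls(s3, bucket: str, kms_key_arn: str) -> None:
    """Apply the controls through a boto3 S3 client (injected so the module imports offline)."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    # Default encryption covers objects written by tooling that forgets the headers.
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True,
        }]},
    )
    # Versioning keeps prior versions, which supports the integrity safeguard:
    # an overwritten or deleted record can be recovered and the change examined.
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(phi_bucket_policy(bucket, kms_key_arn)))


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    client = boto3.client("s3")
    apply_phi_bucket_controls(client, PHI_BUCKET, PHI_KMS_KEY_ARN)
    # A compliant upload names the algorithm and the key so every Deny condition is satisfied.
    client.put_object(Bucket=PHI_BUCKET, Key="patients/1042/labs.pdf",
                      Body=b"placeholder payload",  # constructed stand-in for a PHI document
                      ServerSideEncryption="aws:kms", SSEKMSKeyId=PHI_KMS_KEY_ARN)
```

The four Deny statements are deliberately separate so that a rejected request points at a single cause in CloudTrail. Because the key-ARN condition rejects uploads that specify aws:kms without naming a key, every writer has to be told which key to use; that is the intended effect, since it keeps PHI from landing under an ad-hoc key whose policy nobody reviewed.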
Auditing
The audit controls standard requires covered entities and business associates to record and examine activity in systems that hold e-PHI, and the Security Rule requires that the documentation it calls for, including records of actions and activities, be retained for six years and be available to HHS during a compliance review or investigation. On AWS, AWS CloudTrail records API calls (including object-level S3 data events, which capture every read, write, and delete of objects in a PHI bucket), VPC Flow Logs capture IP traffic metadata for Amazon Elastic Compute Cloud (EC2) instances, and application logs can be shipped off the EC2 instances that produce them. All of these can be delivered to Amazon Simple Storage Service (S3) for long-term durable storage, where a lifecycle policy and S3 Object Lock can enforce the retention period and prevent early deletion.
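The following Python is an added example, not code from the original page or from AWS. It reads CloudTrail records of the kind produced for S3 data events and builds the "examine activity" half of the audit control: one row per access to the PHI bucket, flagging reads or writes by principals outside an approved list, from outside an allowed network, made over plaintext HTTP, or that were denied. The bucket name, principal ARNs, network ranges, and the sample records are constructed for illustration; the loader shows how real CloudTrail files delivered to S3 (gzipped JSON with a top-level "Records" array) would be read.

```python
import gzip
import ipaddress
import json
from collections import Counter

# Constructed inputs for illustration (not real resources or log data).
PHI_BUCKET = "example-phi-records"
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/clinic-app"}
ALLOWED_NETWORKS = ["10.20.0.0/16"]

# Constructed CloudTrail S3 data-event records; only the fields read below are populated.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T14:02:11Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/clinic-app"},
     "sourceIPAddress": "10.20.1.15", "tlsDetails": {"tlsVersion": "TLSv1.2"},
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1042/labs.pdf"}},
    {"eventTime": "2024-03-01T14:05:40Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/clinic-app"},
     "sourceIPAddress": "10.20.1.16", "tlsDetails": {"tlsVersion": "TLSv1.3"},
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1042/notes.txt"}},
    {"eventTime": "2024-03-01T22:17:03Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-jdoe"},
     "sourceIPAddress": "203.0.113.7", "tlsDetails": {"tlsVersion": "TLSv1.2"},
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1042/labs.pdf"}},
    {"eventTime": "2024-03-02T09:00:12Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/clinic-app"},
     "sourceIPAddress": "10.20.1.15", "tlsDetails": {"tlsVersion": "TLSv1.2"}, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1042/labs.pdf"}},
    {"eventTime": "2024-03-02T09:01:30Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/clinic-app"},
     "sourceIPAddress": "10.20.2.9", "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-phi-records", "key": "patients/1042/labs.pdf"}},
    {"eventTime": "2024-03-02T09:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/web-assets"},
     "sourceIPAddress": "10.20.3.1", "tlsDetails": {"tlsVersion": "TLSv1.2"},
     "requestParameters": {"bucketName": "example-public-assets", "key": "logo.png"}},
]


def load_cloudtrail_file(path):
    """Read one CloudTrail log file as delivered to S3: gzipped JSON, records under 'Records'."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def _in_allowed_network(source, networks):
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # Service-originated calls carry a DNS name (e.g. "s3.amazonaws.com") rather
        # than an address; treat anything that is not an address as outside.
        return False
    return any(addr in net for net in networks)


def phi_access_report(records, phi_bucket, approved_principals, allowed_cidrs):
    """One row per recorded access to the PHI bucket, with the reasons it deserves review."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    rows = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if rec.get("eventSource") != "s3.amazonaws.com" or params.get("bucketName") != phi_bucket:
            continue  # other buckets and services are out of scope for this report
        principal = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        source = rec.get("sourceIPAddress", "")
        reasons = []
        if principal not in approved_principals:
            reasons.append("unapproved-principal")
        if not _in_allowed_network(source, networks):
            reasons.append("outside-allowed-network")
        if rec.get("errorCode") == "AccessDenied":
            reasons.append("denied-attempt")  # a failed attempt is still an auditable event
        if "tlsDetails" not in rec:
            reasons.append("plaintext-http")  # tlsDetails is absent when the call did not use TLS
        rows.append({"time": rec.get("eventTime"), "principal": principal, "action": rec.get("eventName"),
                     "key": params.get("key"), "source": source, "reasons": reasons})
    return rows


def flagged(rows):
    return [r for r in rows if r["reasons"]]


def reason_counts(rows):
    return Counter(reason for r in rows for reason in r["reasons"])


if __name__ == "__main__":
    report = phi_access_report(SAMPLE_RECORDS, PHI_BUCKET, APPROVED_PRINCIPALS, ALLOWED_NETWORKS)
    print(json.dumps(flagged(report), indent=2))
    print(dict(reason_counts(report)))
```

On the constructed records the report lists five accesses to the PHI bucket and flags three: the contractor reading a lab report from an external address, a denied delete attempt by the application role, and a denied request made without TLS. Keeping the unflagged rows in the report matters too; the audit control is about being able to show who touched which record, not only about catching anomalies.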
Data Backup and Disaster Recovery
The Contingency Plan standard (an administrative safeguard) requires a data backup plan for creating and maintaining retrievable exact copies of e-PHI, together with a disaster recovery plan for restoring that data after an emergency. Amazon Elastic Block Store (EBS) provides persistent block storage for EC2 instances; EBS snapshots are incremental, point-in-time backups of a volume that are stored in Amazon S3, can be scheduled automatically (for example with Amazon Data Lifecycle Manager), and can be copied to another Region for disaster recovery. Objects written to S3 are stored redundantly across multiple Availability Zones (physically separate data centers) within the Region and remain until they are intentionally deleted, so versioning and tight access controls on the backup bucket matter as much as the backups themselves.