
AWS HIPAA Compliance: 5 Best Practices

US law requires all healthcare organizations and their business associates to follow the Health Insurance Portability and Accountability Act (HIPAA). HIPAA standards protect medical records, prevent fraud, and maintain standards for electronically transmitting patient data. While these are all good things, it means organizations investing in innovative technologies, like the cloud, need to tread carefully to stay compliant.

Amazon Web Services (AWS) is a popular cloud platform that gives organizations more storage and computing power. It’s a great way to create modern, scalable digital systems that can streamline your organization’s processes and workflows. But although AWS offers some features that can help customers meet compliance requirements, healthcare organizations and their business associates can’t rely solely on AWS to ensure compliance. Ultimately, it’s your responsibility to follow HIPAA requirements while using AWS. Follow these five best practices to enjoy the convenience of AWS while staying HIPAA compliant.

Don’t Assume AWS Complies with HIPAA

AWS is a helpful tool for healthcare organizations, but HIPAA doesn’t offer cloud certifications for providers like AWS. So although AWS caters to healthcare organizations, you can’t assume that AWS is HIPAA compliant. It’s still your responsibility to configure your cloud infrastructure for compliance, so never assume that AWS covers compliance for you.

Make sure you’re well-versed in AWS before you roll it out across your organization. Understand which AWS settings are HIPAA compliant so you can correctly configure your account for compliance. You can start by analyzing your AWS settings and automations, but always run your compliance needs by your internal team or legal counsel to make sure you’re ticking all the boxes.

Sign a BAA with AWS

Amazon will sign a Business Associate Agreement (BAA) where they agree to share some of the legal responsibilities of HIPAA compliance with you. You can request a BAA in the AWS Management Console.

AWS does accept some responsibility for HIPAA compliance through its Shared Responsibility Model. Under this model, Amazon handles security of the underlying cloud infrastructure while you manage the security of what you build and run on it. In practice, this means:

  • Amazon secures computing, storage, database, and availability.

  • You secure your applications, operating systems, firewall, etc.

In other words, Amazon is responsible for its infrastructure, and you’re responsible for everything else.

Use Only HIPAA-Compliant AWS Services

Thousands of organizations across several industries use AWS, and Amazon didn’t design the platform from the start with HIPAA in mind. That means only certain AWS services are HIPAA compliant.

When you sign a BAA with AWS, the agreement will list which services comply with HIPAA. If you’re trying to use a service that isn’t on that list, it likely isn’t HIPAA compliant and could lead to fines, or worse, make your business vulnerable to a data breach.

When in doubt, consult Amazon’s Architecting for HIPAA Security and Compliance on Amazon Web Services white paper for more guidance on how to set up HIPAA-compliant AWS services.

Lock Down Your AWS Data

Amazon bears some of the responsibility for securing AWS, but you still need to secure your data. To comply with HIPAA in AWS, follow security best practices by implementing measures such as:

  • SSL/TLS certificates

  • Encryption

  • Multi-factor authentication

You should also implement access controls to limit who has access to patient information. Since AWS makes it easy to create admin and user roles with different levels of permissions, you can easily customize security for your account.

You should also follow other security best practices to stay HIPAA compliant in AWS. Don’t create joint or shared passwords and remember to update your passwords, keys, and other credentials regularly.

Leave a Paper Trail

You’re probably already documenting everything you implement to meet and maintain HIPAA compliance, which is a great start. But if you’re using AWS, you need to document your compliance in this platform, too. Your documentation needs to show:

  • Who is accessing patient data

  • Any modifications or changes to patient data

  • How you encrypt patient data during transmission and storage

  • Flow and access logs

  • Proof of ongoing monitoring and alarms

  • How you addressed breaches, if any

Don’t rely on AWS to document this for you. Log everything so you have the documentation in hand when audit season rolls around.
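As an added, offline example that is not part of the original post, the script below applies the controls named in the last two sections (MFA, credential rotation, encryption at rest, and access logging) to constructed sample data shaped like an IAM credential report and S3 bucket settings. The 90-day rotation window, the report date, and the sample rows are assumptions; in a real account you would feed the same functions from the AWS API instead.

```python
"""Offline compliance checks for the controls the post lists.
Input is constructed sample data; a real run would pull it from AWS."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not an AWS default
REPORT_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed audit date

# Constructed rows in the column layout of an IAM credential report
CREDENTIAL_REPORT = """user,mfa_active,access_key_1_active,access_key_1_last_rotated
alice,true,true,2024-01-15T10:00:00+00:00
bob,false,true,2023-06-01T08:30:00+00:00
shared-ops,true,false,N/A
"""

# Constructed bucket settings: default encryption and server access logging
BUCKETS = [
    {"name": "phi-records", "sse": "aws:kms", "logging": True},
    {"name": "phi-exports", "sse": None, "logging": False},
]


def iam_findings(report_csv, now):
    """Flag users without MFA and active access keys past the rotation window."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["mfa_active"] != "true":
            findings.append(f"{row['user']}: MFA not enabled")
        if row["access_key_1_active"] == "true":
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            if now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append(f"{row['user']}: access key older than {MAX_KEY_AGE_DAYS} days")
    return findings


def bucket_findings(buckets):
    """Flag buckets lacking encryption at rest or an access log trail."""
    findings = []
    for b in buckets:
        if not b["sse"]:
            findings.append(f"{b['name']}: no default encryption at rest")
        if not b["logging"]:
            findings.append(f"{b['name']}: server access logging disabled")
    return findings


if __name__ == "__main__":
    for f in iam_findings(CREDENTIAL_REPORT, REPORT_TIME) + bucket_findings(BUCKETS):
        print("FINDING:", f)
```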

Stay Compliant in the Cloud

Healthcare organizations use cloud services like AWS to deliver better service and run a more streamlined, modern business. It’s possible to leverage the best of cloud technology within the confines of HIPAA requirements, but you have to tread carefully. Following the five best practices described above will help you maintain compliance while you enjoy the benefits of the AWS cloud.

As difficult as HIPAA compliance is in the cloud, HIPAA is the bare minimum for protecting your patients. If you want to master both HIPAA compliance and other layers of security, try automating cloud compliance with Datica. We simplify cloud compliance with the power of automation, giving you the freedom to focus on what matters most.