EHR systems are the hub of clinical data and clinical workflows in healthcare today, making EHR integrations, like HL7 and FHIR, an essential driver of healthcare transformation. We break it down for you here.
Amazon Web Services (AWS) + Datica are a match made in HIPAA compliance heaven. Developers can deploy application workloads to their Datica environment instead of directly to AWS to eliminate the burden of compliance. With the Datica Platform, you get all the great benefits of AWS as the foundation of our platform, plus Datica automates all DevOps and DevSecOps requirements on the cloud. With AWS + Datica, developers can deploy AWS services & workloads in minutes that are fully in compliance with HIPAA and HITRUST.
This resource page is meant to help you understand how AWS and Datica work together for makers of digital health products to deploy HIPAA compliant workloads in the easiest, most economical, and fastest way possible.
Amazon Web Services (AWS), like Microsoft Azure, Google Cloud, or IBM SoftLayer, provides infrastructure-as-a-service (IaaS) in the form of a Public Cloud. In a Public Cloud, the data centers are owned and managed by the cloud provider but are made available through a shared service model to the general public or industry groups.
Healthcare developers often prefer public clouds like AWS since pay-as-you-go pricing models provide economies of scale and the same levels of security and compliance can be achieved today as on private clouds.
AWS is an Infrastructure as a Service (IaaS) offering. Datica is a Platform as a Service (PaaS) company and Datica is an APN Healthcare Partner of Amazon AWS. Our PaaS requires an IaaS, and we use AWS by default at all levels of our platform. At the enterprise-level, the Datica Platform is also available on multiple clouds including Microsoft Azure, Rackspace, or IBM SoftLayer. When it comes down to it, we basically make AWS easier to use for the healthcare developer market. It’s less expensive, less time-intensive, less risky, and a better experience to use Datica to reap the benefits of AWS than for makers of digital health applications to deploy on AWS directly.
Being compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA) is not easily defined. So, is AWS HIPAA compliant? Yes! But, to be clear, just because AWS is HIPAA compliant and your application runs on AWS doesn’t mean that you are HIPAA compliant too. Here’s where it gets complicated. AWS is HIPAA compliant exactly to the extent they are required to be at the infrastructure level and as spelled out in their Business Associate Agreement (BAA).
You’re not building infrastructure though, you are building an application and that adds greatly to the list of HIPAA controls that apply to you. In other words, the specific subset of the hundreds of HIPAA controls that apply to your company and product is a different subset than those that apply to AWS. To be deemed HIPAA compliant, and prove that with a HITRUST Certification, you only need to comply with the subset of controls that apply in your case.
Those additional controls vary depending on your specific case but, generally, include additional infrastructure-level controls, application-level controls and controls at the company level. AWS has what they call a shared responsibility model which means when you build your application directly on top of AWS, you have to take it the other 90% of the way toward HIPAA compliance.
Datica’s platform includes AWS and takes you the rest of the way down the path toward full HIPAA compliance at the infrastructure level, and further down the path toward compliance at the company and application levels so you can focus on the functionality of your application and not on compliance. With Datica, you get a compliant platform for deploying and managing critical healthcare applications in the cloud.
HIPAA kicks in when a digital health product handles Protected Health Information (PHI). There are several different categories of PHI, like someone’s name, home address, or phone number. When a digital health product stores, processes, or transmits PHI, HIPAA asserts rules as to how it should handle a multitude of security, privacy, and policy procedures, called “controls”. In HIPAA terms, there are physical, technical, and administrative “safeguards”. Datica manages the physical and technical safeguards of HIPAA at the infrastructure level, leaving you with the administrative HIPAA safeguards, which are almost always custom to your organization, and a few remaining technical safeguards within your application code itself. Thus, Datica provides more than two-thirds of what it takes to be HIPAA compliant. Demonstrating that a company and its digital health product meet all those controls is how it can call itself compliant.
AWS offers about 53 different services, or cloud primitives, to provide a great amount of flexibility in order to make it possible for any AWS healthcare developer to bundle what they need for their application’s infrastructure. Some well-known examples of these services are Amazon EC2, Amazon S3, and Amazon RDS. We bundle a subset of those 53 primitives (a majority of the 37 that are HIPAA-eligible services, like CloudTrail for logging and S3 for object storage) together into the Datica Platform to address the specific use case of building, maintaining, and running a cloud-based digital health application that creates, receives, maintains, or transmits PHI in a HIPAA compliant manner.
Here’s a high-level summary: The AWS shared responsibility model provides excellent security OF the cloud, but customers (you) are still responsible for security IN the cloud. That means, if you were to deploy your application right on AWS instead of the Datica Platform, you’d be responsible for setting up and maintaining everything beyond the basic cloud infrastructure, which includes not only the work and expense to do that but also the security risk for everything else.
The cloud infrastructure that AWS is responsible for includes the hardware, software, networking, and facilities that run AWS Cloud services.
Customers of Datica benefit from the fact that our BAA extends the security coverage of AWS HIPAA Compliance to pick up responsibility where AWS leaves off. Another way to think of it is that AWS takes your infrastructure about 10% of the way toward HIPAA Compliance, while if you use the Datica Platform, Datica’s HIPAA mappings take you much further toward 100% compliance. That means you not only eliminate the need for the labor, expense, or time of all of the above, but you also pass the risk of security onto Datica for everything our much more extensive BAA covers.
When making the decision on whether to build out the requisite infrastructure for your application yourself vs. buying the pre-built Datica Platform that already includes AWS, here are the major points to keep in mind:
If you build everything yourself, you also shoulder the risk. In contrast, Datica’s BAA takes on all of the infrastructure-level risk. Make life easier with a single BAA from Datica.
Aligning Business Associate Agreements amongst all technology partners is a full-time job. You sign one BAA with Datica to cover the entirety of compliance in the cloud, including AWS HIPAA compliance.
The major part of security in healthcare is HIPAA, and the HIPAA rules changed in late 2013 with the new HIPAA Omnibus Rule, which adds subcontractor entities.
Business associates and subcontractors need a HIPAA disaster recovery contingency plan in place to maintain the integrity of ePHI in case of a disaster.
While HIPAA Compliance at the infrastructure level is heavy on technology, HIPAA Compliance at the application level is more of a blend of technology and policy.
What exactly is a multi-tenant cloud, and does Datica Compliant Cloud offer a multi-tenant environment?
With ePHI access, business associates are required to sign a HIPAA business associate agreement (BAA). Learn more about business associate agreements here.