On Amazon AWS HIPAA Compliance (and How to Get There)
We field a ton of questions on Amazon AWS HIPAA compliance: is Amazon AWS HIPAA compliant? Can it be? The short answer is that AWS itself is neither "compliant" nor "non-compliant"; what matters is how you build on it. We've got the details here.
Are you thinking about using Amazon Web Services (AWS) to build applications that are compliant with the US Health Insurance Portability and Accountability Act (HIPAA)?
If you are a covered entity under HIPAA and you want to run a HIPAA compliant website or application, any hosting that stores, processes or transmits protected health information (PHI) on your behalf must itself meet the HIPAA Security Rule and be covered by a Business Associate Agreement; that is what "HIPAA compliant hosting" means in practice.
Protect your company by being informed of the best HIPAA compliant hosting solutions. Read on to learn all about Amazon AWS HIPAA Compliance and other HIPAA compliant hosting solutions.
Becoming HIPAA compliant on Amazon AWS can be quite complicated. If you are looking for a hosting partner which helps you in getting HIPAA compliant, check out our list of reliable HIPAA Compliant Hosting Providers.
What is HIPAA?
First off, let's make sure you understand what HIPAA is and what it means for hosting to be HIPAA compliant. HIPAA is a federal law passed in 1996. Its original purpose was to let workers keep health insurance coverage when they change or lose their jobs.
The law has increased the use of electronic health records, improving the efficiency and quality of the American healthcare system. Provisions are also included to protect the security and privacy of health-related data, such as insurance and billing information, lab results, diagnosis and clinical care data.
HIPAA rules apply directly to covered entities: health plans (including employer-sponsored plans and insurance companies), health care clearinghouses, and health care providers such as hospitals and medical practices that transmit health information electronically. Organizations that handle PHI on a covered entity's behalf, such as hosting providers, billing services or research partners, are pulled in as business associates rather than as covered entities.
HIPAA Compliant Cloud Storage
Since paper records and portable devices (hard drives, removable media and laptops) are among the most common sources of breaches of private health information, healthcare providers are turning to cloud storage. Cloud computing removes the need to keep paper files or to carry PHI around on devices that can be lost or stolen, although it introduces its own controls that must be configured correctly.
Some companies may choose to process healthcare data and information on managed servers while others may choose to use cloud servers. Using the cloud for storing such information requires HIPAA compliant cloud storage.
As covered entities transition from keeping paper files to storing, sharing and transmitting data electronically, standards are being addressed more specifically to account for mobile communications, cloud storage, device synchronizations, electronic signatures and other technological advances. The processes used to keep data private are much more complex and technical for electronic data files than they are for paper files.
For hosting healthcare data, the HIPAA Security Rule provides standards to safeguard against the compromise of identifying health data. Technological safeguards include methods of protecting, storing, disseminating and sharing electronic information across multiple platforms, servers, and devices.
Cloud computing is a relatively new model for health data storage, and it cuts both ways: the same features that make data easy to reach and synchronize across multiple devices also widen the set of places PHI can leak from. That makes it harder for healthcare providers to demonstrate, rather than merely claim, that they are HIPAA compliant.
HIPAA requires that every business associate (BA) of a covered entity sign a Business Associate Agreement, in which the BA agrees to abide by the rules and standards of HIPAA for the PHI it handles.
Is Amazon AWS HIPAA Compliant?
If your company works closely with customers in the healthcare industry, you are likely looking for web services on which you can build HIPAA compliant applications. Signing an AWS Business Associate Agreement does not make you or your application HIPAA compliant, but it is the prerequisite for building applications on AWS that can be.
AWS Business Associate Agreement
Let's break this down. HIPAA requires your company to enter into a contract with each business associate, which in this case is Amazon. The contract obliges the business associate to keep protected health information safe and confidential, and it spells out the permitted uses and disclosures of that information.
A business associate is a person or organization, other than a member of the covered entity's workforce, that performs functions or services on behalf of the covered entity and has access to protected health information in doing so. A subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate is itself a business associate.
Signing an AWS BAA, however, does not automatically make you HIPAA compliant in the cloud. HIPAA is a set of federal regulations that apply to your organization as a whole; the BAA only covers what Amazon commits to do for the infrastructure it runs. Everything you build and configure on top of it remains your responsibility.
How to Ensure HIPAA Compliancy When Building Applications with AWS
While signing an AWS BAA does not give you HIPAA compliance outright, the services covered by the BAA allow you to build applications that address needs in the healthcare space and that can be made HIPAA compliant.
AWS has several HIPAA-eligible services, including Amazon EC2, Amazon S3, Amazon Glacier and Amazon Redshift. AWS maintains the current list, and under the BAA PHI may only be stored or processed in services on that list.
The Shared Responsibility Model is the framework for this. AWS is responsible for security "of" the cloud: the physical facilities, the hypervisor and the infrastructure behind its managed services. You are responsible for security "in" the cloud: identity and access management, encryption of PHI at rest and in transit, network configuration, logging and patching of what you deploy. It works much as if you were hosting the data in your own data center, where you choose and implement the controls that protect your content, platform, applications, systems and networks.
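What "security in the cloud" looks like for a single S3 bucket holding PHI is easiest to see as a check you can run. The following is an added example, not AWS's or any provider's own tooling: it takes the dicts that boto3's get_bucket_encryption, get_public_access_block, get_bucket_versioning, get_bucket_logging and get_bucket_policy calls return for a bucket and reports which customer-side controls fail. The baseline it enforces (default server-side encryption, all four public-access blocks, versioning, access logging, and a bucket policy that denies non-TLS requests) is this example's own mapping of the Security Rule's technical safeguards, not an official checklist, and the two bucket configurations are constructed so the script runs offline.

```python
"""Audit an S3 bucket's configuration against a customer-side PHI baseline.

Input shape: a dict keyed by boto3 S3 client method name, holding the
response dict that method returns. An absent configuration (where boto3
would raise a ClientError) is represented as an empty dict.
The baseline and the sample buckets below are this example's assumptions.
"""
import json
from typing import Any, Dict, List

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def check_encryption(resp: Dict[str, Any]) -> List[str]:
    """Default server-side encryption must be on; KMS keys add per-key audit logs."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["FAIL encryption: no default server-side encryption"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ("AES256", "aws:kms"):
            findings.append(f"FAIL encryption: unexpected SSEAlgorithm {algo!r}")
        elif algo != "aws:kms":
            findings.append("WARN encryption: SSE-S3 in use; aws:kms gives key-level audit trails")
    return findings


def check_public_access(resp: Dict[str, Any]) -> List[str]:
    """All four public access block settings must be true for a PHI bucket."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return [f"FAIL public access: {flag} is not true"
            for flag in PUBLIC_ACCESS_FLAGS if not cfg.get(flag, False)]


def check_versioning(resp: Dict[str, Any]) -> List[str]:
    """Versioning protects against destroyed or overwritten records."""
    if resp.get("Status") == "Enabled":
        return []
    return ["FAIL versioning: not enabled"]


def check_logging(resp: Dict[str, Any]) -> List[str]:
    """Server access logging is the audit trail for who read which object."""
    if resp.get("LoggingEnabled", {}).get("TargetBucket"):
        return []
    return ["FAIL logging: server access logging disabled"]


def check_tls_only(resp: Dict[str, Any]) -> List[str]:
    """Bucket policy must deny any request not made over TLS."""
    try:
        policy = json.loads(resp.get("Policy", "{}"))
    except json.JSONDecodeError:
        return ["FAIL transport: bucket policy is not valid JSON"]
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny"
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return []
    return ["FAIL transport: no Deny statement for aws:SecureTransport=false"]


def audit_bucket(cfg: Dict[str, Dict[str, Any]]) -> List[str]:
    """Run every check; an empty list means the bucket meets the baseline."""
    return (check_encryption(cfg.get("get_bucket_encryption", {}))
            + check_public_access(cfg.get("get_public_access_block", {}))
            + check_versioning(cfg.get("get_bucket_versioning", {}))
            + check_logging(cfg.get("get_bucket_logging", {}))
            + check_tls_only(cfg.get("get_bucket_policy", {})))


# Constructed sample responses (not captured from a real account).
TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::phi-records", "arn:aws:s3:::phi-records/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

COMPLIANT_BUCKET = {
    "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
         "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example-key-id"}}]}},
    "get_public_access_block": {"PublicAccessBlockConfiguration":
                                {flag: True for flag in PUBLIC_ACCESS_FLAGS}},
    "get_bucket_versioning": {"Status": "Enabled"},
    "get_bucket_logging": {"LoggingEnabled": {"TargetBucket": "phi-access-logs",
                                              "TargetPrefix": "phi-records/"}},
    "get_bucket_policy": {"Policy": TLS_ONLY_POLICY},
}

WEAK_BUCKET = {
    "get_bucket_encryption": {},                      # never configured
    "get_public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "get_bucket_versioning": {},                      # Status absent = suspended/never enabled
    "get_bucket_logging": {},
    "get_bucket_policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-records/*"}]})},
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_BUCKET), ("weak", WEAK_BUCKET)):
        print(name, audit_bucket(cfg) or ["OK"])
```

To run this against a real bucket, call each listed boto3 method on an S3 client, catch the ClientError that get_bucket_encryption, get_public_access_block and get_bucket_policy raise when nothing is configured, substitute an empty dict, and pass the resulting mapping to audit_bucket. Note that the check only covers the bucket's own settings; IAM policies, KMS key policies and CloudTrail data events are separate parts of your side of the shared responsibility.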
Alternate Solutions for Amazon AWS HIPAA Compliance
If you want HIPAA compliant web hosting and cloud storage, there are plenty of alternate companies out there that can offer these services. There are companies that offer outsourced HIPAA hosting without the need to host anything on your own infrastructure.
Many hosting companies offer HIPAA compliant web hosting along with HIPAA compliant email and cloud storage. Some providers only offer HIPAA compliant hosting, for both small businesses and enterprises. All of these providers are capable of running a professional HIPAA compliant website or application.
Under this type of arrangement these companies are business associates of yours, and they must sign a Business Associate Agreement before you hand them any PHI.
Covered entities should outsource only to providers who advertise HIPAA compliant cloud storage and who are willing to sign the Business Associate Agreement that HIPAA requires.
Even then, it remains your responsibility to carry out the risk analysis the Security Rule requires and to verify that the cloud storage provider you choose actually meets all of the HIPAA requirements, rather than taking its marketing at face value.
Violating HIPAA can be detrimental to your company. Beyond losing your customers' trust, your company faces civil monetary penalties, and the criminal provisions allow fines of up to $250,000 and imprisonment of up to 10 years for the most serious offenses. Going with one of our recommended HIPAA compliant hosting service providers is a good first step toward staying on the right side of the law.