HIPAA Compliance for AWS

What is HIPAA?

The need to keep personal health information (PHI) secure and confidential is essential in the healthcare industry. To help maintain the privacy of PHI, the US government enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The primary objective of this act was to provide workers with the ability to keep their health insurance coverage when they changed or lost their jobs.

The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 expanded HIPAA’s coverage. These acts established national standards for how healthcare organizations and their business associates should handle, share and store PHI.

Although Cloud Service Providers like Amazon Web Services (AWS) are not directly subject to HIPAA and HITECH regulations, they must adhere to stringent federal data-security standards that align with the HIPAA Security Rule. Therefore, organizations can store their PHI on AWS, knowing that it is secured to the highest standard.

HIPAA Security Rule

The scope of the HIPAA Security Rule encompasses health plans, healthcare clearinghouses, and healthcare providers that electronically transmit health information. This rule establishes a comprehensive framework for safeguarding electronic Protected Health Information (e-PHI), consisting of three tiers of protection. These tiers are comprised of administrative, technical, and physical safeguards, each with its own specific set of regulations to ensure the security of e-PHI. By adhering to the HIPAA Security Rule, entities that handle e-PHI can protect sensitive health information and ensure the privacy and security of patients’ data.

Administrative Safeguards

1. Security Management Process – It is imperative for organizations to conduct a thorough assessment of potential risks associated with electronically protected health information (e-PHI) and devise robust security measures to minimize vulnerabilities to a reasonable extent. By doing so, they can ensure the confidentiality, integrity, and availability of e-PHI, thereby safeguarding sensitive information and minimizing the risk of data breaches.
2. Security Personnel – To ensure that electronically protected health information (e-PHI) is safeguarded appropriately, organizations must designate security officials who are responsible for developing and implementing security policies and procedures.
3. Information Access Management – To protect electronically protected health information (e-PHI), organizations must establish and implement policies and procedures for authorizing access to this sensitive information. These policies and procedures are critical for ensuring that only authorized individuals have access to e-PHI and that the confidentiality and integrity of this information are maintained.
4. Workforce Training and Management – To protect electronically protected health information (e-PHI), it is important for organizations to provide all employees or staff who work with e-PHI with training and supervision regarding security policies and procedures. By doing so, organizations can ensure that their employees understand their roles and responsibilities in safeguarding sensitive information and can implement appropriate security measures.
5. Evaluation – Regular evaluations of an organization’s security policies are crucial to ensure compliance with the Security Rule’s stipulations.

Technical Safeguards

6. Access Control – To safeguard electronically protected health information (e-PHI), organizations need to establish technical policies and procedures that restrict e-PHI access solely to authorized personnel.
7. Audit Controls – Organizations are required to deploy procedural, hardware, and/or software mechanisms to capture and analyze access and other related activities within information systems that store or utilize e-PHI.
8. Integrity Controls – In order to prevent unauthorized alterations or destruction of electronically protected health information (e-PHI), organizations must adopt comprehensive policies and procedures to ensure its integrity and security.
9. Transmission Security – To prevent unauthorized access to electronically protected health information (e-PHI) transmitted over an electronic network, organizations need to implement technical security measures. These measures should act as a protective barrier to thwart any potential security breaches that may compromise the confidentiality of e-PHI.

Physical Safeguards

10. Facility Access and Control – Ensuring that authorized access to facilities is permitted while restricting physical access is crucial for organizations. This can be achieved by implementing measures such as ID cards, biometric authentication, and access controls that allow only authorized personnel to enter certain areas. This will help safeguard the confidentiality and security of electronically protected health information (e-PHI) stored within those facilities.
11. Workstation and Device Security – Organizations are required to develop and implement policies and procedures that define appropriate usage and access protocols for workstations and electronic media. Moreover, they must also ensure that electronic media containing electronically protected health information (e-PHI) is safeguarded during transfer, removal, disposal, and reuse. These policies and procedures should clearly outline the necessary steps and measures to ensure the secure handling and disposal of electronic media to prevent unauthorized access or breach of confidential e-PHI.

How can AWS help maintain HIPAA compliance?

AWS adheres to the risk management guidelines established by the Federal Risk and Authorization Management Program (FedRAMP), which is in line with the HIPAA Security Rule. This ensures that AWS is compliant with the rigorous security standards and protocols mandated by these programs, which help safeguard electronically protected health information (e-PHI) stored within their infrastructure.

FedRAMP

Cloud Service Providers (CSPs) that partner with the US government is obligated to provide proof of their compliance with FedRAMP. FedRAMP relies on the National Institute of Standards and Technology (NIST) Special Publication 800 to determine whether a CSP meets its security requirements. These requirements include completing a third-party security assessment to ensure that authorizations are in compliance with the Federal Information Security Management Act (FISMA).

In order to ensure compliance with HIPAA, AWS provides an extensive suite of tools and services that facilitate encryption, auditing, data backup, and disaster recovery. These features are designed to meet the stringent requirements for safeguarding electronically protected health information (e-PHI) as set forth by HIPAA.

Encryption

To comply with the HIPAA Security Rule, protected health information (PHI) must be encrypted both during transmission and storage. The guidance issued by the Secretary of Health and Human Services (HHS) outlines these strict security requirements. AWS provides various products and services, including the Key Management Service (AWS KMS), to assist with the management and encryption of electronically protected health information (e-PHI). These tools are designed to help ensure that e-PHI remains secure, confidential, and in compliance with HIPAA regulations.

Auditing

HIPAA requires that eligible organizations permit independent security analysts to review their activity logs and records that document all access to protected health information (PHI). These records must be stored for extended periods and must be readily accessible during an audit. Amazon Elastic Computer Cloud (EC2) provides a platform for customers to save activity log files and detailed audits on their virtual servers. Customers can also monitor IP traffic and store log files in Amazon Simple Storage Service (S3) for secure and reliable long-term storage. This capability allows customers to easily track and manage access to e-PHI in a manner that is compliant with HIPAA regulations.

Data Backup and Disaster Recovery

HIPAA mandates that organizations maintain and safeguard backup copies of electronically protected health information (e-PHI) in case of an emergency. Amazon Elastic Block Store (EBS) provides persistent storage for Amazon EC2 virtual server instances, enabling customers to store e-PHI data securely. Amazon EBS files can be automatically stored in Amazon S3, where multiple redundant copies of the data are automatically created and stored in separate data centers until intentionally deleted. This means that even in the event of a data center outage or other emergency situation, e-PHI data stored in Amazon S3 remains safe, accessible, and compliant with HIPAA regulations.