HIPAA, PHI and AWS: A Primer

Editor’s note: Datapipe was acquired by Rackspace in 2017.

Compliance is a concern for any company moving to the cloud, and it’s especially crucial for those in the healthcare industry. That’s why the rules around the Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI) include a number of guidelines to ensure sensitive information remains secure and protected.

Before we dive into some of the more common questions around compliance, let’s first define what HIPAA is. The act was passed 20 years ago as a way to make it easier for workers to secure health insurance coverage anytime they switch places of employment, or lose their current position. It’s also sped along the use of electronic health records to improve the efficiency and overall quality of the American healthcare system. In 2009, HIPAA was expanded via the Health Information Technology for Economic and Clinical Health (HITECH) Act, or Title XIII of the American Recovery and Reinvestment Act. Together, HIPAA and HITECH create a set of federal standards that protect the security and privacy of PHI.

For enterprises that create, receive, maintain, or transmit PHI using AWS, a Business Associate Agreement (BAA) must be signed. HIPAA Rules typically require that covered entities and business associates enter into contracts with their business associates to ensure all PHI will be properly safeguarded. These contracts are what AWS refers to as the Business Associate Agreement.

To meet AWS’s BAA requirements, all PHI processed, stored in or transferred by Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon EMR, Amazon Glacier, Amazon Redshift, Amazon RDS, Amazon S3 or ELB must be encrypted, both at rest and in transit. While AWS offers other services, these are the only ones that meet the HIPAA requirements applicable to their operating model. An enterprise may use any AWS service within an account, but PHI may only be processed, stored, or transmitted on eligible services. If a BAA is in place, AWS will notify an enterprise of any security breach that exposes PHI; however, because AWS doesn’t access a company’s data, a breach will likely go undetected unless that BAA has been signed.
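As an added example (not from the original article or from AWS), the placement and encryption rule above can be written as an audit over a resource inventory. The inventory format and its field names (`id`, `service`, `phi`, `encrypted_at_rest`, `tls_only`) are assumptions made for illustration, and the sample records are constructed.

```python
# Added illustration: audit a resource inventory against the rule described
# above. Field names and sample records are hypothetical and constructed.

# Eligible services exactly as listed in the article.
ELIGIBLE_SERVICES = {
    "DynamoDB", "EBS", "EC2", "EMR", "Glacier",
    "Redshift", "RDS", "S3", "ELB",
}

def audit_resource(res):
    """Return a list of findings for one inventory record."""
    findings = []
    if not res.get("phi", False):
        return findings  # the rule only constrains resources that touch PHI
    if res["service"] not in ELIGIBLE_SERVICES:
        findings.append("PHI on non-eligible service")
    # A missing flag counts as a failure: unknown is not compliant.
    if not res.get("encrypted_at_rest", False):
        findings.append("PHI not encrypted at rest")
    if not res.get("tls_only", False):
        findings.append("PHI not encrypted in transit")
    return findings

def audit_inventory(inventory):
    """Map resource id -> findings, for resources with at least one finding."""
    report = {}
    for res in inventory:
        findings = audit_resource(res)
        if findings:
            report[res["id"]] = findings
    return report

# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    {"id": "records-bucket", "service": "S3", "phi": True,
     "encrypted_at_rest": True, "tls_only": True},
    {"id": "claims-db", "service": "RDS", "phi": True,
     "encrypted_at_rest": False, "tls_only": True},
    {"id": "intake-queue", "service": "SQS", "phi": True,
     "encrypted_at_rest": True, "tls_only": True},
    {"id": "marketing-site", "service": "Lightsail", "phi": False},
    {"id": "legacy-volume", "service": "EBS", "phi": True},
]

if __name__ == "__main__":
    for rid, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(rid, "->", "; ".join(findings))
```

The non-PHI record on a non-eligible service produces no finding, which matches the article's point that any service may be used in the account as long as PHI stays on eligible ones.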

Simply signing this contract does not make a business HIPAA compliant in the cloud. To maintain compliance, a business must apply its own due diligence while using cloud tools, an approach known as the Shared Responsibility Model. At its core, this approach allows a business to control what security it implements to protect content, applications, systems, platforms, and networks. And compliance is not just a one-and-done task: constant monitoring and adjusting must occur as needed. AWS users can take advantage of simple logging and auditing architectures to ensure all compliance requirements are being met. This topic was covered in more detail during last year’s AWS re:Invent conference, and is a must-watch for those needing to log and audit their company’s instances.

According to the American Medical Association, failure to remain HIPAA compliant comes with steep penalties, including fines of up to $250,000 and up to ten years in prison. It’s worth the time and energy to educate yourself on HIPAA if your business falls under its scope. Learn more about other frequently asked questions on Amazon’s security blog, or check out our HIPAA compliance page for more information on setting up security controls, logging, monitoring, and other ways an MSP can assist.

David Lucky is a Product Marketing leader at Rackspace for the Managed Public Cloud services group, a global business unit focused on delivering end-to-end digital transformation services on AWS, Azure, GCP and Alibaba. David came to Rackspace from Datapipe where, as Director of Product Management for six years, he led product development in building services to help enterprise clients leverage managed IT services to solve complex business challenges. David has unique insight into the latest product developments for private, public and hybrid cloud platforms and a keen understanding of industry trends and their impact on business development. He holds an engineering degree from Lehigh University and is based out of Jersey City, NJ. You can follow David on LinkedIn at linkedin.com/in/davidlucky and Twitter @Luckys_Blog.