Easy Cloud Solutions

Fully Managed Hosting on AWS + Azure + Google Cloud for Your Enterprise App

March 27, 2018 By ray

Frequently Asked Questions About HIPAA Compliance in the AWS Cloud

Today, we continue a series of AWS cloud compliance FAQs by focusing on the Health Insurance Portability and Accountability Act (HIPAA) and protected health information (PHI). AWS’s Healthcare and Life Science customers are doing important things for their customers in the AWS cloud, and we are excited to work with our partners to help tackle medical advancements at scale.

In this blog post, I will share some of the broader questions we hear from customers about HIPAA compliance and PHI in the cloud.

First off, what is HIPAA?

HIPAA was passed in 1996 and is designed to make it easier for workers to secure health insurance coverage when they change or lose employment. The legislation also has driven the adoption of electronic health records, through information sharing, to improve the efficiency and quality of the American healthcare system.

Along with increasing the use of electronic medical records, the law includes provisions (known as the Administrative Simplification Rules, which include the Privacy Rule and the Security Rule) to protect the security and privacy of PHI. PHI is individually identifiable health information, from insurance and billing information to lab results, diagnoses, and clinical care data. These HIPAA Rules apply to covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically: hospitals, medical service providers, employer-sponsored health plans, insurance companies, and research facilities that provide care) and extend, through the regulations that implement the law, to the business associates that handle PHI on a covered entity's behalf. AWS customers looking to create, receive, maintain, or transmit PHI on AWS should sign an AWS Business Associate Agreement (BAA) before doing so.

And what is HITECH?

In 2009, HIPAA was expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is Title XIII of the American Recovery and Reinvestment Act. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. These standards affect the use and disclosure of PHI by covered entities and their business associates. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

If you would like to read more about HIPAA and HITECH, see HIPAA Compliance on the AWS Compliance website. You can also go to Health Information Privacy on the U.S. Department of Health and Human Services website.

You mentioned the AWS Business Associate Agreement previously. What is it?

HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard PHI. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. AWS refers to these contracts as the Business Associate Agreement.

A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

After I sign an AWS BAA, am I then HIPAA compliant in the cloud?

No. Because HIPAA is a set of federal regulations rather than a standard, there is no HIPAA certification for AWS or for you to obtain. Signing the BAA makes AWS your business associate; it does not make your workloads compliant. Under the AWS Shared Responsibility Model, AWS is responsible for the security of the underlying cloud infrastructure, and you remain responsible for security in the cloud: how you configure and use the services, and which safeguards you implement to protect your content, platform, applications, systems, and networks, no differently than if you were hosting the data in your own data center. In practice that means you own the controls the Security Rule expects of you, such as encrypting PHI at rest and in transit, restricting access through IAM, logging and reviewing who touched PHI, and keeping PHI only in services covered by the BAA.

AWS Shared Responsibility Model

What happens if I fail to comply with HIPAA regulations?

Besides possibly losing the trust of your customers and exposing your organization to legal action, there are criminal and civil penalties that could include, to quote the American Medical Association, “fines of $250,000, and imprisonment for up to ten years.”

I am interested in signing a BAA and meeting my HIPAA obligations while using the cloud. Can you give me some examples of current AWS customers that are complying with HIPAA regulations in the cloud?

The following AWS customers are just some of the customers that comply with HIPAA in the cloud, all while doing innovative work on behalf of patients:

  • Arterys built its imaging solution on AWS to take advantage of GPU-optimized G2 Amazon EC2 instances. Arterys can now render MRI scans in 10 minutes (the industry standard is 90 minutes) while still making sure its platform meets HIPAA compliance requirements.
  • Change Healthcare uses AWS services such as EC2, Amazon Simple Storage Service (S3), Amazon Simple Queue Service (SQS), and Amazon Simple Notification Service (SNS) to handle millions of confidential transactions daily from its clients—all while maintaining full compliance with healthcare industry regulations, including HIPAA.
  • Kit Check helps hospital pharmacies improve operational efficiency, patient safety, and medication visibility by providing automated drug-tracking solutions. It started with EC2 and Amazon Relational Database Service (Amazon RDS) to launch the Kit Check product, and gradually added additional AWS services as its customer base grew to more than 200 hospitals. Kit Check also uses Amazon RDS to manage information about more than 6 million tagged drugs.
  • Orion Health works with AWS Partner Network (APN) Consulting Partner, Logicworks, and uses AWS services to build Cal INDEX, one of the largest health information exchanges in the U.S.
  • Oscar Insurance built its new HIPAA-compliant health insurance platform and analytics solution on AWS in just three months.

What are AWS’s HIPAA Eligible Services?

Once you have a signed AWS Business Associate Agreement in place, the services listed on the HIPAA Eligible Services Reference are the ones you may use to create, receive, maintain, or transmit PHI. Services not on that list are not covered by the BAA and must not hold PHI, so treat the list as an allow-list when you design the architecture, and review it again as your workload grows, because both your service usage and the eligible list change over time.
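One way to enforce that allow-list, and to exercise the "security in the cloud" side of the shared responsibility model described above, is to review your own CloudTrail logs for API calls that reach services outside it. The following is an added example written for this page, not AWS tooling or code from the original post. The allow-list of eventSource values is a hypothetical placeholder (the authoritative list is the HIPAA Eligible Services Reference), the CloudTrail records are constructed sample data, and the choice to ignore Describe/List/Get calls is an assumption you may want to change.

```python
"""Flag AWS API activity that touches services outside an assumed
HIPAA-eligible allow-list, using CloudTrail-style JSON records.

Added example; not part of the original post and not an AWS tool.
"""
import json
from collections import Counter

# Hypothetical allow-list of CloudTrail eventSource values. This is NOT the
# real HIPAA Eligible Services list; replace it with the current reference.
ELIGIBLE_EVENT_SOURCES = {
    "ec2.amazonaws.com",
    "s3.amazonaws.com",
    "rds.amazonaws.com",
    "sqs.amazonaws.com",
    "sns.amazonaws.com",
}

# Assumption for this example: read-only control-plane calls do not move
# data into a service, so they are skipped by default. Tune for your review.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed sample records in CloudTrail's JSON shape (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-03-27T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/etl"}},
    {"eventTime": "2018-03-27T10:01:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dba"}},
    {"eventTime": "2018-03-27T10:02:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"}},
    {"eventTime": "2018-03-27T10:03:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"}},
    {"eventTime": "2018-03-27T10:04:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendEmail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"}},
]})


def service_of(event_source):
    """Normalise an eventSource such as 's3.amazonaws.com' to 's3'."""
    return event_source.split(".")[0].lower()


def find_out_of_scope_calls(trail_json, eligible=ELIGIBLE_EVENT_SOURCES,
                            ignore_read_only=True):
    """Return records whose service is not on the allow-list.

    Each finding carries the time, service, eventName and caller ARN so the
    reviewer can go straight to the principal that used the service.
    """
    eligible_services = {service_of(s) for s in eligible}
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        svc = service_of(rec["eventSource"])
        name = rec["eventName"]
        if svc in eligible_services:
            continue
        if ignore_read_only and name.startswith(READ_ONLY_PREFIXES):
            continue
        findings.append({
            "time": rec["eventTime"],
            "service": svc,
            "eventName": name,
            "caller": rec.get("userIdentity", {}).get("arn", "unknown"),
        })
    return findings


def summarise(findings):
    """Count findings per service so the review can prioritise."""
    return dict(Counter(f["service"] for f in findings))


if __name__ == "__main__":
    hits = find_out_of_scope_calls(SAMPLE_TRAIL)
    for h in hits:
        print(f"{h['time']} {h['service']}:{h['eventName']} by {h['caller']}")
    print("per-service:", summarise(hits))
```

This check only tells you that a non-eligible service was called; it does not tell you whether PHI was actually sent to it, and it says nothing about whether the eligible services were configured as the BAA expects (encryption, access control, logging). Treat a hit as the start of an investigation, not as proof of a violation, and feed real trails in by concatenating the per-hour CloudTrail files rather than the inline sample.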

Filed Under: Amazon Web Services (AWS), Healthcare
