HIPAA Compliance On AWS

What is AWS?

Amazon Web Services is a market-leading public cloud provider with hundreds of thousands of customers. AWS offers a wide assortment of services: virtual machines, object and block storage, and managed databases, as well as container platforms, machine learning, and big-data services. Rather than hosting on-premises infrastructure, organizations can consume AWS services on demand and pay only for what they use. This makes it easy for healthcare organizations, startups, and enterprises to build with any technology stack, manage infrastructure, and scale services as needed.

Organizations from regulated industries including the financial and healthcare sectors have been turning to AWS to build, manage, and scale applications that comply with regulatory standards.

HIPAA Compliance On Amazon Web Services

As an established cloud provider, AWS has developed robust security standards. Amazon Web Services (AWS) maintains a number of security programs and third-party certifications that organizations can leverage to jumpstart their own security and regulatory compliance efforts.

Cloud customers inherit the audited physical and environmental controls behind AWS's security certifications, and so avoid directly managing many of the HIPAA physical safeguard requirements. The flexibility and scaling power of AWS make it an attractive platform for HIPAA-regulated workloads.

Is AWS HIPAA Compliant?

No product or service is automatically HIPAA compliant. That said, Amazon Web Services can be used in a HIPAA compliant manner. AWS offers a business associate agreement (BAA) that sets out which HIPAA administrative, technical, and physical safeguards AWS addresses and which remain the customer's responsibility, and AWS publishes guidance on how its services should be configured for workloads that handle PHI.

It is important to note that an organization can use AWS, and even use only HIPAA-eligible services, and still not be in compliance with HIPAA. It is the customer's responsibility to ensure that its own policies, configurations, and operations meet HIPAA requirements. You can read more about best practices for designing compliant solutions in our recent guide, Planning and Architecting for HIPAA Compliance.

Dash Compliance Automation and AWS

AWS is a public cloud platform. The Dash Compliance Automation Platform is a solution deployed alongside your AWS account that enables organizations to configure, monitor, and maintain HIPAA compliance in the cloud. Dash provides organizations with custom administrative policies and ties those policies to the technical controls that implement them. Through Dash Continuous Compliance Monitoring, we make it easy to monitor HIPAA compliance and execute on your cloud security plan.

With Dash, healthcare organizations can leverage the scaling power of AWS and build HIPAA compliant solutions on the 100+ HIPAA-eligible AWS cloud services.

The AWS Shared Responsibility Model

Most public cloud providers, including Amazon Web Services, follow a Shared Responsibility Model. Under this model, security and compliance are shared between AWS and the cloud customer: AWS is responsible for security "of" the cloud, and the customer for security "in" the cloud. This means that organizations handling ePHI on AWS have specific responsibilities they must meet in order to maintain HIPAA compliance.

In terms of HIPAA, AWS assumes the majority of the physical safeguards. AWS provides protections such as physical security of servers and data centers, control of AWS employee access to systems, and building and keycard access.

In turn, the cloud customer is responsible for the majority of the HIPAA administrative and technical safeguards. AWS customers must have a set of established administrative policies that designate a security officer and a privacy officer, set standard operating procedures, and define security and contingency plans.

Cloud customers must also implement the technical safeguards required by the HIPAA Security Rule, and the controls commonly used to satisfy them, including backup and disaster recovery (DR), audit logging, intrusion detection (IDS), and firewall (security group and network ACL) configuration. There are a number of ways for organizations to implement these safeguards and controls, but it is still up to the customer's security team to implement them.


AWS HIPAA Eligible Services

Under the AWS BAA, healthcare organizations may only store, process, and transmit protected health information (PHI) in AWS services listed on the "AWS HIPAA Eligible Services List". These are the AWS services that Amazon has validated for use with PHI under the terms of the BAA. Healthcare organizations, startups, and vendors must restrict patient data to these listed services.

Healthcare organizations and startups may still use AWS services that are not on the "HIPAA Eligible Services List", as long as PHI never enters those services. This means that teams can use configuration management tools and other services that never come in contact with patient data.

Using HIPAA-eligible services does not by itself make your organization or your application HIPAA compliant. Teams must also manage the security configuration of each service, as described in the next section.

Configuring AWS Services For HIPAA Compliance

Organizations must set up technical controls and safeguards for each AWS service they use in order to stay in compliance with HIPAA. This means implementing audit logging, access control, encryption, and backup and disaster recovery for each individual AWS service that touches PHI.

Misconfigurations of AWS cloud services can lead to security breaches and potential HIPAA violations, so it is important that teams continue to follow best security practices and monitor cloud services.

For example:

Leaving an S3 bucket containing protected health information open to the public (through a public ACL or bucket policy, with S3 Block Public Access disabled) can easily turn into a HIPAA violation.

Attaching a security group that allows inbound traffic on all ports from any address (0.0.0.0/0 or ::/0) to EC2 instances leaves organizations at high risk of a security breach and a HIPAA violation.
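The two misconfigurations above are easy to detect programmatically. The following is an added example, not code from the original page or from Dash ComplyOps: it evaluates a security group and an S3 Public Access Block configuration for exactly those two conditions. The dictionaries follow the response shapes of boto3's describe_security_groups() and get_public_access_block(), but the sample values (group IDs, CIDR ranges, flag settings) are constructed for the example so it runs offline; in practice you would pass in the real API responses.

```python
"""Checks for the two AWS misconfigurations discussed above.

Added example; not part of the original page. Input shapes mirror boto3's
describe_security_groups() entries and get_public_access_block()
configurations. All sample data below is constructed.
"""

PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"


def open_ingress_rules(security_group):
    """Return (protocol, from_port, to_port, cidr) for every inbound rule
    reachable from any internet address. Protocol "-1" means all
    protocols and ports, and such rules carry no FromPort/ToPort keys."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        from_port = perm.get("FromPort")
        to_port = perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in (PUBLIC_V4, PUBLIC_V6):
                findings.append((proto, from_port, to_port, cidr))
    return findings


def allows_everything_from_internet(security_group):
    """True when the group exposes every port to the internet: either
    protocol "-1" or TCP/UDP over the full 0-65535 range."""
    for proto, from_port, to_port, _cidr in open_ingress_rules(security_group):
        if proto == "-1":
            return True
        if proto in ("tcp", "udp") and from_port == 0 and to_port == 65535:
            return True
    return False


def public_access_block_gaps(pab_config):
    """Return the S3 Block Public Access settings that are not enabled.
    A bucket holding PHI should have all four set to True."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [name for name in required if not pab_config.get(name, False)]


# --- constructed sample data (hypothetical IDs and ranges) ---------------

# Weak: every protocol and port open to the whole IPv4 internet.
SG_WIDE_OPEN = {
    "GroupId": "sg-0example1",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": PUBLIC_V4}],
         "Ipv6Ranges": []},
    ],
}

# Hardened: HTTPS from anywhere, SSH only from a corporate range.
SG_HARDENED = {
    "GroupId": "sg-0example2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": PUBLIC_V4}],
         "Ipv6Ranges": [{"CidrIpv6": PUBLIC_V6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}

# Weak: public bucket policies and existing public ACLs still honoured.
PAB_WEAK = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Hardened: all four Block Public Access settings enabled.
PAB_HARDENED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


if __name__ == "__main__":
    for sg in (SG_WIDE_OPEN, SG_HARDENED):
        print(sg["GroupId"], "all ports open:",
              allows_everything_from_internet(sg),
              "internet-reachable rules:", open_ingress_rules(sg))
    for label, pab in (("weak", PAB_WEAK), ("hardened", PAB_HARDENED)):
        print(label, "missing Block Public Access settings:",
              public_access_block_gaps(pab))
```

Note that open_ingress_rules deliberately reports the HTTPS rule on the hardened group as internet-reachable: a public web endpoint is often intended, so that rule is a finding to review rather than an automatic violation, whereas allows_everything_from_internet flags only the all-ports case that the text describes.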

To guard against poor security and compliance practices, organizations must have a security plan and standard operating procedures for managing cloud compliance, so that misconfigurations are caught and remediated before they escalate into violations.

Building HIPAA Compliant Solutions On AWS + Dash

Healthcare organizations used to turn to expensive private cloud solutions or consultants to build and manage HIPAA compliant solutions. The Dash Compliance Automation Platform unlocks AWS and the public cloud for use in healthcare. Dash works in coordination with the AWS BAA to streamline the compliance process for healthcare organizations, vendors, and startups.

As an AWS Advanced Technology Partner, Dash empowers teams to take advantage of the scaling power and flexibility of Amazon Web Services while avoiding the overhead of developing a security plan from scratch. Dash creates custom administrative policies and controls, connects those policies to technical controls, and scans and monitors your cloud environment for security and compliance issues. Talk to Dash about automating HIPAA compliance in AWS.


See how Dash ComplyOps streamlines HIPAA management in AWS.
Configure, monitor, and maintain administrative and technical controls in the cloud.