Architecting HIPAA Compliant Solutions with AWS HIPAA Eligible Services

Architecting HIPAA Compliant Solutions with AWS HIPAA Eligible Services

What Are AWS HIPAA Eligible Services?

Security and compliance in Amazon Web Services (AWS) follows a Shared Responsibility Model. This means that security responsibilities are split between the Cloud Platform and the Client. For healthcare organizations and companies dealing with HIPAA regulations, the AWS  dictates how customers must utilize AWS to maintain HIPAA compliant workloads.

In order to fulfill your responsibilities under the BAA, and maintain HIPAA compliance in the cloud, Amazon provides a list of AWS services that are considered “HIPAA eligible”. Organizations must configure administrative and technical safeguards alongside exclusively using these services, to use Amazon services with protected health information (PHI).

HIPAA Eligible Services From Amazon Web Services

AWS provides a list of HIPAA eligible services, which currently includes the following services:

Last Updated: November 11, 2020

  • Alexa for Business (for healthcare skills only – requires Alexa Skills BAA)
  • AWS Amplify Console
  • Amazon API Gateway
  • Amazon AppStream 2.0
  • AWS AppSync
  • AWS App Mesh
  • Amazon Athena
  • Amazon Augmented AI (Amazon A2I)
  • Amazon Aurora [MySQL, PostgreSQL]
  • AWS Backup
  • AWS Batch
  • AWS Certificate Manager
  • Amazon Chime
  • Amazon Cloud Directory
  • AWS Cloud Map
  • AWS CloudEndure [including CloudEndure Disaster Recovery and CloudEndure Migration]
  • AWS CloudFormation
  • Amazon CloudFront [including [email protected]]
  • AWS CloudHSM
  • AWS CloudTrail
  • Amazon CloudWatch
  • Amazon CloudWatch Events [including Amazon EventBridge]
  • Amazon CloudWatch Logs
  • Amazon CloudWatch SDK Metrics
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS CodeDeploy
  • AWS CodePipeline
  • Amazon Cognito
  • Amazon Comprehend
  • Amazon Comprehend Medical
  • AWS Config
  • Amazon Connect
  • AWS Control Tower
  • AWS Data Exchange
  • AWS Database Migration Service
  • AWS DataSync
  • AWS Direct Connect
  • AWS Directory Services [excluding Simple AD and AD Connector]
  • Amazon DocumentDB (with MongoDB compatibility)
  • Amazon DynamoDB
  • Amazon EC2 Auto Scaling
  • Amazon ElastiCache (Redis)
  • Amazon Elasticsearch Service
  • AWS Elastic Beanstalk
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Amazon Elastic Container Registry (ECR)
  • Amazon Elastic Container Service (ECS) [both Fargate and EC2 launch types]
  • Amazon Elastic Container Service for Kubernetes
  • Amazon Elastic File System
  • Elastic Load Balancing
  • Amazon Elastic MapReduce (Amazon EMR)
  • AWS Elemental MediaConnect
  • AWS Elemental MediaConvert
  • AWS Elemental MediaLive
  • AWS Firewall Manager
  • Amazon Forecast
  • Amazon FreeRTOS
  • Amazon FSx
  • Amazon Glacier
  • AWS Global Accelerator
  • AWS Glue (including AWS Lake Formation)
  • AWS Greengrass
  • Amazon GuardDuty
  • Amazon Inspector
  • AWS IoT Core
  • AWS IoT Device Management
  • AWS IoT Events
  • Amazon Kendra
  • AWS Key Management Service
  • Amazon Kinesis Analytics
  • Amazon Kinesis Data Streams
  • Amazon Kinesis Firehose
  • Amazon Kinesis Video Streams
  • AWS Lambda
  • Amazon Lex
  • Amazon Macie
  • AWS Managed Services
  • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
  • Amazon MQ
  • Amazon Neptune
  • AWS OpsWorks for Chef Automate
  • AWS OpsWorks for Puppet Enterprise
  • AWS OpsWorks Stacks
  • AWS Organizations
  • AWS Outposts
  • Amazon Personalize
  • Amazon Pinpoint [excluding Voice Message capabilities]
  • Amazon Polly
  • Amazon Quantum Ledger Database (QLDB)
  • Amazon QuickSight
  • Amazon Rekognition
  • Amazon Redshift
  • Amazon Relational Database Service (Amazon RDS) [SQL Server, MySQL, Oracle, PostgreSQL, and MariaDB engines only]
  • AWS RoboMaker
  • Amazon Route 53
  • Amazon SageMaker [excluding Public Workforce and Vendor Workforce]
  • AWS Secrets Manager
  • AWS Security Hub
  • AWS Service Catalog
  • AWS Serverless Application Repository
  • AWS Server Migration Service
  • AWS Shield [Standard and Advanced]
  • Amazon Simple Email Service (Amazon SES)
  • Amazon Simple Notification Service (SNS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Storage Service (Amazon S3) [including S3 Transfer Acceleration]
  • Amazon Simple Workflow
  • AWS Snowball
  • AWS Snowball Edge
  • AWS Snowmobile
  • AWS Step Functions
  • AWS Storage Gateway
  • AWS Systems Manager (previously Amazon EC2 Systems Manager)
  • Amazon Textract
  • Amazon Transcribe
  • AWS Transfer for SFTP
  • Amazon Translate
  • Amazon Virtual Private Cloud (VPC)
  • AWS VM Import/Export
  • AWS Web Application Firewall (WAF)
  • Amazon WorkDocs
  • Amazon WorkLink
  • Amazon WorkSpaces
  • AWS X-Ray

NOTE: If you are a Covered Entity or Business Associate as defined by the Health Insurance Portability and Accountability Act of 1996 (as amended, “HIPAA”), you agree not to use these HIPAA Eligible Services for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) without first entering into an AWS business associate agreement.

Can I Use AWS Services That Are Not HIPAA Eligible?

AWS services that are not listed under the HIPAA eligible services list may not be used to store, process, or transmit any protected health information (PHI).

With that said, there are many AWS services that can be effectively utilized without PHI. Here are some examples of where non-HIPAA eligible services may be used in healthcare settings:

  1. Your organization may host your marketing website that does not use PHI on non-HIPAA eligible services.
  2. Your organization may use non-HIPAA eligible services for continuous integration/deployment processes that do not involve PHI.
  3. Your organization may host/deploy non PHI services such as self-hosted CRM products, Productivity tools, etc in non-compliant services.
Architecting HIPAA Compliant Applications

It is possible to use HIPAA compliant services and still not be HIPAA compliant. Under Amazon’s Shared Responsibility Model, organization’s must manage administrative and technical safeguards in order to maintain HIPAA compliance in AWS. This means that besides utilizing AWS HIPAA eligible services, clients must define HIPAA administrative policies and implement appropriate technical controls. Dash continuous compliance monitoring allows teams to setup policy and technical controls, remediate compliance issues and continually monitor and access their Security Plan in Amazon Web Services.

Ready to learn more about HIPAA compliance and the cloud? Download our guide to “Managing HIPAA in AWS”.