AWS HIPAA Compliance Best Practices Checklist

Nowadays, most medical providers across the globe tend to implement cloud-based architecture for their medical services. And it’s not surprising, especially considering today's pandemic reality; medical software is a must. However, to build a highly secure solution to keep protected health information and deliver medical services, you must abide by the US 1996 law, namely the HIPAA Security Rule. This legislation represents a set of required and adequate protections for managing electronic confidential patient information and avoiding its disclosure without prior patient's knowledge and even consent.

So if you want to develop a medical solution and make your health insurance coverage and-care services cloud-based, you must apply the latest technologies to maintain data compliance. To build cloud-based apps according to the Privacy Rule, most healthcare providers apply Amazon Web Services (AWS) due to its increased agility, security, and innovation potential.

Below we’ve prepared best practices and steps to consider when building an AWS medical web app. You can use these tips as your helpful AWS HIPAA checklist to ensure your product meets compliance terms. Keep reading!

Is AWS Cloud HIPAA Compliant?

New AWS users are usually wondering, "Is AWS HIPAA compliant?" Before we go to best practices, let's answer this important and quite complicated question.

To answer briefly, AWS alone doesn't guarantee HIPAA compliance, but it offers services that open the door to HIPAA eligible services. Let's examine what HIPAA eligible AWS services means.

Amazon supports HIPAA compliance (Health Insurance Portability and Accountability Act), and you can utilize its reliable services to create a cloud-based solution that will manage, maintain, and transfer confidential patient information. However, it's not enough simply to use AWS.

The main idea behind AWS HIPAA compliance is to know how to realize it in AWS cloud services, rather than simply using Amazon services. So, as a result, to deal with ePHI in a highly protected way, you should bear in mind the AWS HIPAA security rules and standards and, of course, correctly fit them.

Let's dive deep into the AWS HIPAA compliance best practices and learn a handy checklist that helps you build a medical solution with a high level of stability and protection.

AWS HIPAA Compliance Best Practices

Now let's look more closely at best practices that allow healthcare organizations to meet AWS HIPAA compliance.

#1 Execute a Business Partner Agreement

Before storing or managing any private medical records on AWS, you have to sign and execute an AWS BAA (AWS Business Associate Addendum) with Amazon Web Services to verify that AWS delivers adequate protection of ePHI. BAA means Amazon Web Services share some of your legal obligations and guarantee that you’ll be informed of any data breach.

To put it simply, you take care of the technological and executive protective measures of your platforms, operating systems, apps, and other solutions, for instance, within the AWS management console. As for AWS HIPAA-compliant medical services providers, they are responsible for the security of their database, cloud, networks, and others.

#2 Make patient data safe “at-rest” and while “in-transit"

If you want to protect your stored data, you should remember about encryption of all PHI data “in-transit” and “at-rest.” For this purpose, you can use SSL/TLS standards with very strong terms and policies. Besides, AWS allows developers to encrypt data with ease using AES-256 encryption. HIPAA rules dictate that all patient data is encrypted when “at-rest” and “in-transit,” so don't neglect this point when building a HIPAA-compliant AWS solution.

#3 Adopt required administrative policies according to your organization

If you're going to use Amazon Web Services HIPAA to develop your medical solution, you must realize all required administrative policies and safeguards. Applying administrative policies and procedures according to your organization is an essential part when implementing a HIPAA-eligible compliance solution. Such safety policies represent standard operating procedures (SOPs) that handle emergencies, process protected health information, employee training, risk assessment, service outages, and address HIPAA administrative requirements.

Your team should properly follow these standard operating procedures within the organization. Moreover, you should review your own administrative and technical safeguards, standards and policies periodically and update them according to entity and technology changes.

#4 Remember — only you’re responsible for HIPAA

Despite Amazon AWS HIPAA tools being secure by default, you should always take into consideration the fact that just using Amazon Cloud HIPAA services is not evidence of compliance. So what does it mean?

The point is that compliance isn't just about the services Amazon provides but how good you are at using this compliance with AWS. So, if you misconfigure AWS services, you may run into several difficulties. For example, a misconfiguration can potentially ePHI data vulnerability due to anyone with access to your stored data in a HIPAA account.

While AWS supports HIPAA compliance, it does not mean that your medical solution is free from risk. Your software or cloud service can't be fully HIPAA compliant. In general, compliance is more about the result of using AWS rather than its features. You have to know for sure that you properly understand the AWS HIPAA security requirements for hospitals, covered entities, employer-sponsored health plans, and medical service providers.

When using AWS for HIPAA-compliant solutions, there is some advice to maximize your app’s stability and security and meet HIPAA requirements in AWS:

• Public access disablement;
• Configuration of logical boundaries between overall data and private patients' information;
• Patching schedule;
• Separating the processes related to patients' information from orchestration ones;
• Turning encryption on for Amazon simple storage services such as Amazon RDS and Amazon Redshift.

#5 Use only AWS ‘HIPAA-eligible’ services

Any medical entity should guarantee that they collect, manage, and handle all ePHI in HIPAA-covered services. In the case of Amazon, they've provided a technical white paper that shows in detail how to build a medical solution using Amazon Web Services and reach HIPAA compliance.

This paper lists AWS ‘HIPAA-eligible’ cloud services that could be used with PHI. For example, you can utilize the Amazon Virtual Private Cloud service to get an isolated virtual network. One more web service, Amazon Elastic Compute Cloud (Amazon EC2), ensures reliable computing resources for virtual computers in the cloud.

#6 Keep a log of each user’s activity

Medical providers have to gather security events and audit logs with a view of safety and compliance and health-related data only. Collecting security events and audit logging allows you to have greater visibility and transparency in all actions occurring in your cloud-based services and organization and make informed and data-driven HIPAA-compliant solutions.

Under the HIPAA rules, medical entities should know who accessed patients' health information and modified it. After all occurring changes, it's vital to have the opportunity to check that modifications were right, and that the report is still relevant and up-to-date. Realization of audit logging and tracking controls is a must since, in case of a breach, you can generate reports with all logged transactions without difficulty in your AWS account.

Below we take a look at some of the AWS access logging that you need to gather to ensure AWS HIPAA compliance program:

• AWS Access Logs — to collect individual AWS access for specific cloud services;
• AWS CloudTrail — to monitor user activity and API usage across the cloud environment;
• Cloud Compliance Logs — to control activities regarding safety configuration and detect any compliance and cloud security concerns;
• Amazon Simple Notification service - to store, analyze and transmit protected health information (PHI);
• Amazon Elastic Container Service - to store, deploy and manage personally identifiable health container images;
• Availability with CloudWatch Logs — to monitor the overall availability of cloud services.

#7 Take care of the backup process and disaster recovery implementation

Every healthcare provider must have an emergency plan in case of a disaster. To avoid any leak of private patients’ records and protect all collected, stored, and used ePHI data, you must ensure backed-up and disaster recovery implementation. Fortunately, Amazon Web Services provides an opportunity to execute your backups.

To manage your backups of data safely and securely, healthcare organizations can use such reliable services as Amazon S3 and Glacier. With AWS services, you can easily ensure that your backup and recovery processes are configured properly. Note: disaster recovery and data backup if you want to meet HIPAA-eligible services on AWS.

#8 Don't forget to implement the authentication process

If you want to control and manage the actions users take in your app, you should take care of a reliable and secure authentication process and privacy of protected health information.

For example, you can use a trustworthy open standard like OAuth to provide a third party with limited access to protected resources. Or there is an open standard SAML for exchanging authentication and authorization data between an identity provider and a service provider such as AWS service. Also, you can try a technology solution like Identity and Access Management to securely manage the credentials of your users and control access to protected health information from various applications and systems.

AWS HIPAA compliance checklist: Our Experience

TechMagic is a software product development company that specializes in building fully-serverless or partially serverless architecture for your product. Since 2017, we have been a certified AWS Consulting Partner. To ensure scalable, cost-efficient infrastructure setup, we apply such AWS services as AWS Lambda, API Gateway, AWS DynamoDB, and AWS Step Functions.

Why use Serverless on AWS? Here are some of the great reasons:

• Cost-effective model. In case your product is not being used, you don't need to pay for the idle time. Your app just shuts down.
• Flexibility. Amazon Web Services allows you to choose the programming language, operating system, platform, and other specific services you require. This opportunity makes the app migration process easier.
• Scalability and high performance. If your product needs scalability, AWS Cloud can do it automatically.
• Reliability and security. AWS takes a holistic approach to protecting and strengthening infrastructure involving operating, and physical measures.

Besides, we’re proud to have hands-on knowledge of the healthcare industry and expertise in providing healthcare software development services.

Final thoughts

The number of healthcare providers who use AWS HIPAA-eligible services to guarantee a high healthcare service security level is growing every day. AWS has proved itself to be a cloud service provider that is aligning itself with the HIPAA regulations, and they guarantee that protected health information PHI can be stored and processed without errors or any possible concerns.

AWS cloud, without a doubt, facilitates building a consistent and solid cloud environment. But, even so, healthcare organizations must be confident in configuring AWS services accurately to accomplish all necessary security measures when building a medical solution on AWS.

To meet AWS HIPAA regulations and obtain a high level of security, you should apply the above-mentioned best practices and HIPAA requirements.

Are you looking for a tech partner to build a HIPAA-compliant AWS solution? Contact us and transform the idea into reality!

FAQ

1. What are some key elements of the AWS HIPAA compliance checklist?

   AWS offers a comprehensive HIPAA compliance checklist to help healthcare organizations meet regulatory requirements. Key elements include implementing access controls, encryption mechanisms, auditing and monitoring systems, data backup and recovery procedures, and proper training for staff handling protected health information (PHI).

2. Does AWS provide HIPAA-compliant services?

   Yes, AWS provides a range of services compliant with the Health Insurance Portability and Accountability Act (HIPAA). These services have undergone extensive evaluations and certifications to ensure they meet the necessary security and privacy standards required for handling PHI.

3. How can I ensure HIPAA compliance on AWS?

   To ensure HIPAA compliance on AWS, you should follow the guidelines provided in the HIPAA rules. HIPAA eligible services include configuring your AWS resources according to, enabling security features such as encryption and access controls, and implementing logging and monitoring to track and respond to any potential security incidents.

4. Does AWS sign a Business Associate Agreement (BAA) for HIPAA compliance?

   Yes, AWS does sign a BAA with eligible customers. The BAA is a crucial document that outlines the responsibilities and obligations of AWS as a business associate, and the healthcare organization as a covered entity under HIPAA.

5. Can I use AWS for processing Electronic Health Records (EHR)?

   Yes, AWS provides services suitable for processing electronic health records (EHR). However, it's essential to ensure that the specific AWS services you choose to use for EHR processing are included in the list of HIPAA-compliant services.