Is AWS HIPAA Compliant?
If your company operates in the healthcare industry in any capacity, you are probably aware that every action you take is required to comply with the Health Insurance Portability and Accountability Act, or HIPAA. However, there is often confusion as to what that compliance looks like when working with software-as-a-service providers. Healthcare organizations need to be careful to choose providers that are guaranteed to operate in full compliance with the provisions of HIPAA.
Luckily, AWS is one of the providers that you can trust to operate in a compliant manner, once certain steps are completed. We’ll break this all down below!
What is AWS?
AWS, or Amazon Web Services, is the cloud platform operated by Amazon, which offers cloud computing for businesses of all sizes and industries. As the leading provider of cloud services, AWS controls more than a third of the total cloud market, about twice the market share of its next closest competitor.
Amazon Web Services is not one individual product or piece of software but rather a collection of cloud computing products and services that, in different combinations, aim to fit the needs of every organization. Although there are over 100 products in total, the three key ones are S3, the object storage service; Glacier, a low-cost archival storage service; and EC2, the virtual machine service. The solutions that AWS offers are commonly a great fit for healthcare organizations of all sizes, but those organizations must still make sure that HIPAA compliance is actually achieved through this partnership.
Amazon Web Services and HIPAA Compliance
Is AWS HIPAA Compliant?
On the whole, AWS is HIPAA compliant and can be trusted as a cloud-based system that can handle Protected Health Information (PHI) with privacy and security. This means that AWS has agreed to comply with the HIPAA rules and regulations to ensure that the individually identifiable health information (PHI) processed through its services is kept secure.
One thing that is important to remember about HIPAA compliance when working with other organizations that will have access to protected health information is that responsibility is always shared by both parties. AWS is absolutely responsible for complying with HIPAA on its end and creating a service that is secure for PHI, but you are equally responsible for your own compliance and for any breach that occurs due to a fault of your own. This mutual liability model is made official by signing a Business Associate Agreement (BAA) with AWS and with any other company that you may choose to partner with as a HIPAA covered entity or business associate.
Signing a BAA with AWS
Luckily, Amazon does sign Business Associate Agreements with all the healthcare organizations that use AWS. That agreement states that Amazon will comply with the security measures and administrative processes required by HIPAA. To show its dedication to security and compliance, Amazon released a 61-page document in August of 2020 that details how to configure its AWS services for HIPAA compliance and maximum security.
In short, AWS is liable for the security of its networks, both physically and electronically, while you, as an organization that holds or maintains PHI, are responsible for keeping your applications and operating systems equally protected.
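To make the customer side of that split concrete, here is an added Python check (not from the original article or from AWS) that evaluates the S3 bucket settings you, not AWS, are responsible for when a bucket holds PHI: default encryption at rest, S3 Block Public Access, versioning and access logging. The `BucketConfig` fields are an assumed flat schema mirroring what the S3 API reports, and the two sample buckets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed schema: a flat summary of what the S3 API reports for one bucket
# (default encryption, Block Public Access, versioning, access logging).
@dataclass
class BucketConfig:
    name: str
    sse_algorithm: Optional[str]   # "AES256", "aws:kms", or None if unset
    block_public_acls: bool
    ignore_public_acls: bool
    block_public_policy: bool
    restrict_public_buckets: bool
    versioning_enabled: bool
    access_logging_enabled: bool

def check_phi_bucket(cfg: BucketConfig) -> List[str]:
    """Return customer-side findings for a bucket intended to hold PHI.

    AWS secures the underlying storage; these settings are ours to get right."""
    findings = []
    if cfg.sse_algorithm not in ("AES256", "aws:kms"):
        findings.append("default encryption at rest is not enabled")
    if not (cfg.block_public_acls and cfg.ignore_public_acls
            and cfg.block_public_policy and cfg.restrict_public_buckets):
        findings.append("S3 Block Public Access is not fully enabled")
    if not cfg.versioning_enabled:
        findings.append("versioning is off, so deleted or overwritten PHI cannot be recovered")
    if not cfg.access_logging_enabled:
        findings.append("server access logging is off, so PHI access is not auditable")
    return findings

# Constructed sample buckets (not real accounts or bucket names).
GOOD = BucketConfig("phi-records-prod", "aws:kms", True, True, True, True, True, True)
BAD = BucketConfig("phi-exports-tmp", None, True, False, True, True, False, True)

if __name__ == "__main__":
    for bucket in (GOOD, BAD):
        problems = check_phi_bucket(bucket)
        print(f"{bucket.name}: {'ok' if not problems else '; '.join(problems)}")
```

In practice the `BucketConfig` values would be filled from the S3 API for each bucket in the account, and any non-empty finding list is a gap on your side of the BAA, not AWS's.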
Costs & Specs of AWS
As is often true with software-as-a-service companies, pricing varies with each organization and the specific products chosen to fit its needs. We do know that AWS organizes its costs in a pay-as-you-go format, which makes it possible to change and adapt the pricing and policies to fit your organization's needs as it grows or changes. This format is great because companies pay for what they use without needing to estimate future usage; payment scales automatically instead.
AWS also offers a free-tier option that serves as a demo for customers interested in the product. This introductory tier is given to all sign-ups and remains valid for 12 months from account creation.
AWS is Compliant... Now What?
A common misconception among organizations that need to comply with HIPAA is that they have reached full compliance after only a couple of steps. Yes, it is important that you do everything needed to ensure that your AWS usage complies with HIPAA and protects the health information in your cloud storage. However, HIPAA compliance is a complicated, multi-step process that companies must follow through to the very end in order to be safe from a breach or audit.
Just because you have ensured that your AWS usage is compliant, or just because your employees are trained yearly, does not mean that your entire organization is HIPAA compliant. If you are unsure whether you meet the compliance standards, feel free to use our free risk assessment to identify potential weak spots in your organization's compliance.