Does Amazon Web Services Comply with HIPAA?

Under the Health Insurance Portability and Accountability Act, every provider of a product or service that ‘touches’ PHI is deemed a business associate and is required to comply with the HIPAA Rules.

That means appropriate safeguards must be implemented to ensure the confidentiality, integrity, and availability of any PHI that passes through their products or services. Any healthcare entity or vendor obligated to comply with HIPAA must obtain a signed business associate agreement from its vendors before implementing a product or using a service in connection with PHI. The business associate must provide reasonable assurances that the correct security measures are in place and that it is aware of its responsibilities under HIPAA. Covered entities should also assess whether the business associate's safeguards meet their own standards for keeping PHI safe.

Amazon Web Services allows HIPAA-covered entities and vendors serving the healthcare sector to use its AWS environment to process, maintain, and store protected health information. Amazon Web Services will sign a business associate agreement with HIPAA-covered entities that covers its products and services. Amazon Web Services supports HIPAA compliance and has ensured that its administrative processes, security, and controls meet the standards HIPAA demands.

Once a business associate agreement is executed, Amazon Web Services can be considered HIPAA compliant and its products and services can be used in connection with PHI. However, even though Amazon Web Services supports HIPAA compliance, each covered entity and user of its services remains responsible for configuring those services appropriately. It is entirely possible to use Amazon Web Services in a manner that is not HIPAA compliant, and misconfigurations can easily result in the exposure of PHI.

AWS must be correctly configured to stop unauthorized individuals from obtaining access to PHI stored in the AWS public cloud. There have been many cases in the last few years where Elasticsearch instances and Amazon S3 buckets were misconfigured and exposed to the internet. In such cases, any data stored in those environments could be accessed by anyone who knew where to look. Search engines such as Shodan constantly scan the internet and make unsecured data on AWS easy to find.

Comparitech recently completed a review to ascertain how long it would take for an unsecured Elasticsearch database to be identified. The initial attempt to access their honeypot came less than 9 hours after it was set up. During the 11-day test, 175 attempts were made to access their data with an average of 18 attacks carried out every day.

Amazon S3 buckets are often set up incorrectly, with their access control lists granting access to ‘authenticated users’. That setting does not restrict access to users of your own account: ‘authenticated users’ means any holder of an AWS account, so if an S3 bucket ACL is configured this way, read access is effectively granted to everyone.

To safeguard data, you must ensure that versioning is enabled, back up your Elasticsearch instances and S3 buckets, and configure access controls. PHI must never be publicly accessible, and read/write access should be limited to the individuals who require access to the environment. You should also create policies and procedures covering the use of AWS and ensure that your employees receive full training on using it.
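As an added example (not code from the original post), the following Python audits an S3 bucket ACL in the shape boto3's `get_bucket_acl()` returns, flagging the ‘authenticated users’ and ‘all users’ grants described above, and produces the block-public-access and versioning settings that remove that exposure. The group URIs and API parameter names are AWS's real ones; the sample ACL is constructed for the example.

```python
"""Audit an S3 bucket ACL for grants to the AllUsers / AuthenticatedUsers groups."""

# Predefined S3 group URIs, as they appear in a get_bucket_acl() response.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anonymous internet)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account holder)",
}

def find_public_grants(acl):
    """Return (group, permission) pairs for every ACL grant to a public group.
    `acl` has the shape of the dict boto3's s3.get_bucket_acl() returns."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings

def hardened_settings():
    """Arguments for put_public_access_block() and put_bucket_versioning():
    block public ACLs/policies entirely and keep prior object versions."""
    return {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
        "VersioningConfiguration": {"Status": "Enabled"},
    }

# Constructed sample: the owner keeps FULL_CONTROL, but someone also granted
# READ to 'authenticated users', the misconfiguration described above.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ]
}

if __name__ == "__main__":
    for group, perm in find_public_grants(SAMPLE_ACL):
        print(f"PUBLIC GRANT: {perm} to {group}")
    print(hardened_settings())
```

Running `find_public_grants` over the output of a real `get_bucket_acl()` call for each bucket gives a quick inventory of ACL-based exposure; the block-public-access settings then stop such grants from taking effect at all.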

When set up correctly, Amazon Web Services is secure and HIPAA compliant, but misconfigurations can easily lead to a data breach, data loss, and a financial penalty for noncompliance with HIPAA.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X