HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Amazon Web Services HIPAA Compliant?

If you are a healthcare organization in the United States that is required to comply wit the Health Insurance Portability and Accountability Act (HIPAA) you may be wondering if Amazon Web Services is HIPAA compliant and if the public cloud provider’s platform can be used to store, process, or transmit protected health information (PHI).

Is Amazon Web Services HIPAA Compliant?

Under HIPAA Rules, any provider of a product or service that ‘touches’ PHI is classed as a business associate, which means they must comply with HIPAA Rules and need to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of any PHI that is accessible through their products or services.

Any healthcare entity required to comply with HIPAA must ensure that they obtain a signed business associate agreement from a vendor before their products and services are used in connection with PHI. The business associate provides reasonable assurances that appropriate safeguards are in place and that the business associate is aware of its responsibilities under HIPAA. Covered entities should also assess whether the safeguards meet their standards for protecting PHI.

Amazon Web Services allows HIPAA-covered entities and vendors serving the healthcare industry to use its secure AWS environment to process, maintain, and store protected health information and has signed a business associate agreement with many HIPAA covered entities that covers its products and services. Amazon Web Services supports HIPAA compliance and has ensured its administrative processes, security, and controls are up to the standards demanded by HIPAA.

Please see the HIPAA Journal Privacy Policy

Provided a business associate agreement is obtained, Amazon Web Services is HIPAA compliant and its products and services can be used in connection with PHI. However, it is important to note that while Amazon Web Services supports HIPAA compliance, it is the responsibility of each covered entity to ensure that its products are configured correctly. It is possible to use Amazon Web Services in a manner that is not compliant with HIPAA.

When is Amazon Web Services Not HIPAA Compliant?

It is essential to correctly configure AWS correctly to prevent unauthorized individuals from gaining access to PHI stored in the AWS public cloud. There have been many cases in recent years where Elasticsearch instances and Amazon S3 buckets have been misconfigured and exposed over the internet. In such cases, any data stored in those environments could be accessed by anyone who knows where to look. Scans are regularly performed on search engines such as Shodan to identify unsecured data on AWS.

Comparitech recently conducted a test to see how long it would take for an unsecured Elasticsearch database to be found. The first attempt to access their honeypot came less than 9 hours after it was set up. During the 11-day test, 175 attempts were made to access their data with an average of 18 attacks conducted each day.

Amazon S3 buckets are commonly misconfigured and are set to allow access by ‘authenticated users’. If Amazon S3 bucket access control lists are configured with this setting, read access is granted to anyone.

To protect data, you must ensure that versioning is implemented, you must backup your Elasticsearch instances and  S3 buckets, access controls must be set, PHI must not be publicly accessible, and you should restrict read/write access to individuals who require access to the environment. You should also develop policies and procedures covering use of AWS and ensure full training is provided to your employees on the use of AWS.

Configured correctly, Amazon Web Services is secure and HIPAA compliant, but misconfigurations will result in a data breach and possible data loss.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.