Ensure that any AWS resource used to process, store or transmit Protected Health Information (PHI) is a HIPAA-eligible service, i.e. one covered by the AWS Business Associate Addendum (BAA), so that HIPAA-regulated workloads can legitimately run in your AWS account. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, and its rules define the safeguards required for the security and privacy of PHI. PHI covers a wide set of individually identifiable health and health-related data, including diagnoses, clinical care records, lab results and medical images, and insurance and billing information. The HIPAA Security Rule applies to covered entities (health care providers such as hospitals and medical services providers, health plans including employer-sponsored plans and insurers, and health care clearinghouses) and to the business associates that handle PHI on their behalf. Within an AWS account designated as a HIPAA account you may provision any service, but PHI itself may only be processed, stored and transmitted using the HIPAA-eligible services and resources covered under the AWS BAA.
A HIPAA-eligible service is one that AWS has assessed against the HIPAA requirements for auditing, backup and disaster recovery, and for which implementation specifications exist to protect PHI, including encryption in transit and at rest. Eligibility is a property of the service, not of your configuration: you remain responsible for actually enabling encryption, restricting access and retaining audit logs for each resource that touches PHI. For example, Amazon EC2 is HIPAA eligible, so EC2 instances can be used to store and analyze PHI and to build HIPAA-compliant applications. Researchers, healthcare providers, hospital administrators and other users can use EC2 instances to analyze, visualize or process PHI in line with the HIPAA standard. Cloud Conformity strongly recommends that you process, store and transmit PHI using only the HIPAA-eligible services and resources covered by the AWS BAA; AWS publishes the current list at https://aws.amazon.com/compliance/hipaa-eligible-services-reference/ and adds services to it over time, so check it rather than relying on a cached copy:
Under the shared responsibility model, Amazon Web Services operates the underlying infrastructure with the controls needed to support the HIPAA security requirements, so you can build applications on AWS that store, process and transmit sensitive health-related information, consistent with your organization's privacy and security obligations; the configuration of your own workloads (identity and access management, encryption, logging and backups) remains your responsibility. AWS will also enter into a Business Associate Agreement (BAA) with your healthcare organization, which can be accepted self-service through AWS Artifact. The BAA is a contract that sets out how PHI will be handled, the responsibilities each party takes on and the specific obligations that follow from the HIPAA standard. Any AWS component can form part of a healthcare application, but only services and resources covered by the AWS BAA may be used to store, process and transmit PHI under HIPAA. Using services or resources outside the AWS BAA for PHI therefore fails to comply with the HIPAA regulations, which can lead to loss of customer trust, exposure of your healthcare organization to legal action, and fines for violating the HIPAA security rules.