HIPAA - AWS Audit Manager
AWS Audit Manager provides a prebuilt framework that supports HIPAA rules to assist you with your audit preparation.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that helps US workers to retain health insurance coverage when they change or lose jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.

Along with increasing the use of electronic medical records, HIPAA includes provisions to protect the security and privacy of protected health information (PHI). PHI includes a very wide set of personally identifiable health and health-related data. This includes insurance and billing information, diagnosis data, clinical care data, and lab results such as images and test results.

The HIPAA rules apply to covered entities. These include hospitals, medical services providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement to protect PHI also extends to business associates.

For more information about how HIPAA and HITECH protect health information, see the Health Information Privacy webpage from the US Department of Health and Human Services.

A growing number of healthcare providers, payers, and IT professionals are using AWS utility-based cloud services to process, store, and transmit protected health information (PHI). AWS enables covered entities and their business associates subject to HIPAA to use the secure AWS environment to process, maintain, and store protected health information.

For instructions on how you can use AWS for the processing and storage of health information, see the Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper.

Use AWS Audit Manager to support your HIPAA audit preparation

AWS Audit Manager provides a prebuilt framework that structures and automates assessments for the HIPAA compliance standard based on AWS best practices. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to HIPAA requirements. You can also customize this framework and its controls to support internal audits with unique requirements.

You can use the HIPAA framework in AWS Audit Manager to prepare for HIPAA audits. The controls in this framework aren't intended to verify whether your systems are compliant with the HIPAA standard. They can neither replace internal efforts nor guarantee that you will pass a HIPAA assessment. In particular, AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection; evidence for those controls still has to be gathered and uploaded by you.

You can find the HIPAA framework under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment. For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.
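As an added example that is not part of the AWS documentation, the following POSIX shell script does from the AWS CLI what the console steps above describe: it lists the Standard (AWS-managed) frameworks, selects the one whose name contains "HIPAA", and creates an assessment from it. The "HIPAA" name match, the account ID, the process-owner role ARN and the S3 report bucket are assumptions and placeholders; replace them with your own values after confirming the framework name in the Framework library.

```shell
#!/bin/sh
# Added example, not from the AWS Audit Manager documentation.
# Assumes: AWS CLI v2 configured for an account and region where Audit Manager
# is enabled, with IAM permissions for auditmanager:ListAssessmentFrameworks
# and auditmanager:CreateAssessment. Account ID, role ARN and bucket below are
# placeholders.
set -eu

# Print the IDs of Standard (AWS-managed) frameworks whose name contains $1,
# one per line. Matching on the name is an assumption: confirm the returned
# framework against the Framework library before using its ID.
find_framework_ids() {
  aws auditmanager list-assessment-frameworks \
    --framework-type Standard \
    --query "frameworks[?contains(name, '$1')].id" \
    --output text | tr '\t' '\n'
}

# Create an assessment from a framework ID and print the new assessment ID.
# Arguments: framework ID, in-scope account ID, process-owner role ARN,
# S3 bucket that receives assessment reports.
create_assessment_from_framework() {
  framework_id="$1"; account_id="$2"; role_arn="$3"; bucket="$4"
  aws auditmanager create-assessment \
    --name "HIPAA audit preparation" \
    --framework-id "$framework_id" \
    --assessment-reports-destination "destinationType=S3,destination=s3://${bucket}" \
    --scope "{\"awsAccounts\":[{\"id\":\"${account_id}\"}],\"awsServices\":[{\"serviceName\":\"s3\"}]}" \
    --roles "[{\"roleType\":\"PROCESS_OWNER\",\"roleArn\":\"${role_arn}\"}]" \
    --query 'assessment.metadata.id' \
    --output text
}

# End-to-end run, only when invoked as: sh hipaa_assessment.sh --run
# Refuses to continue if zero or several frameworks match, so an unintended
# framework is never used to build the assessment.
if [ "${1:-}" = "--run" ]; then
  ids="$(find_framework_ids HIPAA)"
  count="$(printf '%s\n' "$ids" | grep -c . || true)"
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one HIPAA framework, found ${count}:" >&2
    printf '%s\n' "$ids" >&2
    exit 1
  fi
  # Placeholder account, role and bucket: replace with your own values.
  create_assessment_from_framework "$ids" 123456789012 \
    arn:aws:iam::123456789012:role/AuditManagerProcessOwner \
    example-audit-reports-bucket
fi
```

The scope and roles are the same inputs the console asks for when you create an assessment; the process-owner role must be one that Audit Manager is allowed to assume, and the bucket must already exist and be writable by the service.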