Reference Architecture for HIPAA on the AWS Cloud: Quick Start Reference Deployment

Deployment Guide

AWS Envision Engineering, AWS Professional Services, and AWS Quick Start Reference Team

February 2017  (last update: August 2017)

This Quick Start reference deployment guide discusses architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) Cloud. Specifically, this Quick Start deploys a model environment that can help organizations with workloads that fall within the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA). The Quick Start addresses certain technical requirements in the Privacy, Security, and Breach Notification Rules under the HIPAA Administrative Simplification Regulations (45 C.F.R. Parts 160 and 164). The deployment guide includes links for viewing and launching AWS CloudFormation templates that automate the deployment.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.


You must have an AWS Business Associate Addendum (BAA) in place, and follow its configuration requirements, before running protected health information (PHI) workloads on AWS. You should not use your AWS account in connection with PHI until you have accepted the AWS BAA and configured your AWS account(s) as required by the AWS BAA. Under HIPAA regulations, covered entities and business associates are responsible for putting in place a business associate agreement between themselves and each of their business associates. You are solely responsible for determining whether you and your organization need a business associate agreement with AWS. If you determine you need a business associate agreement with AWS, you can accept the AWS BAA through a self-service portal in AWS Artifact. It is your responsibility to obtain a BAA from AWS. For more information about the AWS BAA, please visit the AWS HIPAA Compliance webpage.

This Quick Start does not address state-specific laws that may apply to you. It addresses only requirements set forth under HIPAA, a U.S. federal law. Many individual states have adopted rules that differ from, and in some cases are stricter than, those federally mandated under HIPAA.

This Quick Start will not, by itself, make you HIPAA-compliant. The information contained in this Quick Start package is not exhaustive, and must be reviewed, evaluated, assessed, and approved by you in connection with your organization’s particular security features, tools, and configurations. The security controls reference document included with this Quick Start explains how this Quick Start can be used to help support your compliance with certain requirements under the HIPAA Privacy and Security Rules. However, it is the sole responsibility of you and your organization to determine which HIPAA regulatory requirements are applicable to you, and to ensure that you comply with those applicable requirements. Importantly, most of the requirements under HIPAA are not technical but administrative (that is, people- and process-oriented). Although the security controls reference that is included with this Quick Start lists and discusses both the technical and administrative requirements, this Quick Start cannot help you comply with the non-technical HIPAA requirements.


Does HIPAA Apply to Your Organization?

Customers are solely responsible for determining whether HIPAA applies to them, and if so, for complying with their obligations under HIPAA, the AWS BAA, and all other applicable laws, rules, and regulations. AWS does not provide legal or compliance advice. Customers should consult with qualified legal counsel or consultants, as needed, to ensure that their use of AWS complies with HIPAA, the terms of the AWS BAA, and other applicable laws, rules, and regulations.

Quick Links

  • If you have an AWS account that already meets the technical requirements for this Quick Start deployment, you can launch the Quick Start to build the architecture shown in Figure 2. The template is launched in the US East (N. Virginia) Region by default. If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region instead.

    The deployment takes approximately 30 minutes. If you’re new to AWS or to configuring architectures for HIPAA workloads on AWS, please read the overview and follow the detailed pre-deployment and deployment steps described in this guide.

  • If you want to take a look under the covers, you can view the main template that automates this deployment. The main template includes references to child templates, and provides default settings that you can customize by following the instructions in this guide. For descriptions of the templates and guidance for using the nested templates separately, see the Templates Used in this Quick Start section of this guide.

  • To see how HIPAA regulatory requirements map to Quick Start architecture decisions, components, and configurations, view the security controls reference (Microsoft Excel spreadsheet). The excerpt in Figure 1 provides a sample of the available information.

    Figure 1: Excerpt from the HIPAA security controls reference

We'd like your feedback

After you deploy this Quick Start, please take a few minutes to fill out our survey. Your response is anonymous and will help us improve this and other compliance-related reference deployments.

About Quick Starts

Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.