Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to “covered entities” and “business associates.” HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of protected health information (PHI). They impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For more information on HIPAA and HITECH, see the HHS Health Information Privacy Home.
Covered entities and their business associates can use the secure, scalable, low-cost IT components provided by Amazon Web Services (AWS) to architect applications in alignment with HIPAA and HITECH compliance requirements. AWS offers a commercial-off-the-shelf infrastructure platform with industry-recognized certifications and audits such as ISO 27001.
AWS enables covered entities and their business associates subject to HIPAA to securely process, store, and transmit PHI. Additionally, as of July 2013, AWS offers a standardized Business Associate Addendum (BAA) for such customers. Customers who execute an AWS BAA may use any AWS service in an account designated as a HIPAA Account, but they may only process, store, and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference.
AWS maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically support HIPAA administrative, technical, and physical safeguards. Using these services to store, process, and transmit PHI helps our customers and AWS to address the HIPAA requirements applicable to the AWS utility-based operating model.
AWS’s BAA requires customers to encrypt PHI stored in or transmitted using HIPAA-eligible services in accordance with guidance from the Secretary of Health and Human Services (HHS): Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
AWS offers a comprehensive set of features and services to make key management and encryption of PHI easier to manage and simpler to audit, including the AWS Key Management Service (AWS KMS). Customers with HIPAA compliance requirements have a great deal of flexibility in how they meet encryption requirements for PHI.
When deciding how to implement encryption, customers can evaluate and take advantage of the encryption features native to the HIPAA-eligible services, or they can satisfy the encryption requirements through other means consistent with the guidance from HHS. Whichever route is chosen, the customer remains responsible for verifying that every resource holding PHI is actually configured with that encryption.
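The following is an added example, not code from the AWS whitepaper: a small audit that evaluates the native encryption-at-rest settings of three HIPAA-eligible services (Amazon S3, Amazon EBS, Amazon RDS) and reports resources that hold PHI without encryption, plus those encrypted without a KMS key. The three API responses are constructed inline to mirror the shape of the corresponding boto3 calls (`s3.get_bucket_encryption`, `ec2.describe_volumes`, `rds.describe_db_instances`); the bucket, volume, instance and key identifiers are made up, and no AWS API is called, so it runs offline. In a real account you would feed the live responses into the same check functions.

```python
"""Audit native encryption-at-rest settings on resources that hold PHI.

Added example (not from the AWS whitepaper). Response dicts below are
constructed to match the boto3 response shapes named in each function's
docstring; resource names and key ARNs are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    service: str
    resource: str
    encrypted: bool
    algorithm: Optional[str]   # "aws:kms", "AES256" (SSE-S3) or None
    key_id: Optional[str]      # KMS key ARN/ID when the service reports one


def check_s3_bucket(bucket: str, response: Optional[dict]) -> Finding:
    """`response` is the dict returned by s3.get_bucket_encryption(Bucket=bucket),
    or None when that call raised ServerSideEncryptionConfigurationNotFoundError,
    i.e. the bucket has no default encryption configured."""
    if response is None:
        return Finding("s3", bucket, False, None, None)
    rules = response["ServerSideEncryptionConfiguration"]["Rules"]
    default = next((r["ApplyServerSideEncryptionByDefault"] for r in rules
                    if "ApplyServerSideEncryptionByDefault" in r), None)
    if default is None:
        return Finding("s3", bucket, False, None, None)
    return Finding("s3", bucket, True, default["SSEAlgorithm"],
                   default.get("KMSMasterKeyID"))


def check_ebs_volumes(response: dict) -> list:
    """`response` is the dict returned by ec2.describe_volumes()."""
    return [Finding("ebs", v["VolumeId"], bool(v.get("Encrypted")),
                    "aws:kms" if v.get("Encrypted") else None, v.get("KmsKeyId"))
            for v in response["Volumes"]]


def check_rds_instances(response: dict) -> list:
    """`response` is the dict returned by rds.describe_db_instances()."""
    return [Finding("rds", d["DBInstanceIdentifier"], bool(d.get("StorageEncrypted")),
                    "aws:kms" if d.get("StorageEncrypted") else None, d.get("KmsKeyId"))
            for d in response["DBInstances"]]


def unencrypted(findings: list) -> list:
    """Resources with no encryption at rest: these cannot hold PHI under the BAA."""
    return [f for f in findings if not f.encrypted]


def without_kms(findings: list) -> list:
    """Encrypted resources whose key is not managed through AWS KMS (e.g. SSE-S3);
    worth reviewing because KMS is what gives you key-usage audit logs."""
    return [f for f in findings if f.encrypted and f.algorithm != "aws:kms"]


# --- constructed sample responses (hypothetical names and ARNs) ---------------
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

S3_RESPONSES = {
    "phi-archive": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": KEY_ARN},
         "BucketKeyEnabled": True}]}},
    "phi-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "phi-scratch": None,   # get_bucket_encryption raised: no default encryption
}
EBS_RESPONSE = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f67890", "Encrypted": True, "KmsKeyId": KEY_ARN},
    {"VolumeId": "vol-0fedcba9876543210", "Encrypted": False},
]}
RDS_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "phi-db", "StorageEncrypted": True, "KmsKeyId": KEY_ARN},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]}


def run_sample() -> list:
    """Evaluate the constructed responses and return all findings."""
    findings = [check_s3_bucket(name, resp) for name, resp in S3_RESPONSES.items()]
    findings += check_ebs_volumes(EBS_RESPONSE)
    findings += check_rds_instances(RDS_RESPONSE)
    return findings


if __name__ == "__main__":
    results = run_sample()
    for f in unencrypted(results):
        print(f"NOT ENCRYPTED: {f.service}:{f.resource}")
    for f in without_kms(results):
        print(f"ENCRYPTED WITHOUT KMS ({f.algorithm}): {f.service}:{f.resource}")
```

The check deliberately distinguishes "no encryption" from "encrypted, but not under a KMS key": only the first is a clear violation of the BAA's encryption requirement, while the second is a review item, because the HHS guidance the BAA references does not mandate a particular key manager, but KMS is the service that makes key usage auditable.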