HIPAA Compliance

By J. Toman / on 10 Nov, 2022

What is AWS?

AWS, or Amazon Web Services, is the world’s largest and most popular cloud platform, offering over 200 fully featured services from data centers in 26 regions around the world. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.

AWS empowers healthcare organizations to deliver personalized care options, which have been shown to improve outcomes. Healthcare organizations can now leverage the same customer-centric technologies that transformed e-commerce to meet changing expectations and reduce friction at every major touchpoint of the healthcare journey.

Is AWS HIPAA Compliant?

The short answer is: it depends on how you use it. AWS provides services that are HIPAA compatible, but they have to be configured and deployed correctly to be HIPAA compliant. HIPAA compliance is more about the correct procedure and process in using the technology than it is about the technology itself. This is where Lillibolero can guide you to the correct solution, one which protects your patients' protected health information.

The process goes something like this:

  • A user interested in deploying AWS services in a HIPAA compliant fashion will first sign a Business Associate Addendum (BAA) with AWS. The BAA is a contract with AWS that ensures AWS provides appropriate safeguards for protected health information (PHI).

  • Typically, a new account is then created exclusively for use with any HIPAA compliant services that store or process PHI. This is a separate account from the customer’s main account, which is used for general business data storage or processing, websites, email marketing, or the like. Since AWS uses a “pay as you go” model, the costs remain the same whether you have one, two, or many accounts. Multiple accounts for an organization are not uncommon in AWS. Billing for these accounts can be per account or aggregated in the main account, which can be a convenient choice for managing your AWS budget.

  • Finally, the required services are configured and deployed in the new HIPAA compliant account, with special care taken to ensure the safety of PHI data and processes, according to AWS security best practices. Once these services are deployed, ongoing monitoring and maintenance safeguard the PHI data going forward.

How Can Lillibolero Make Sure That Your HIPAA Account Is Secure?

While no platform can be guaranteed secure and free from risk, AWS provides extensive documentation and deployment guides (see below) describing security best practices on their platform. Using these guidelines, Lillibolero can create a standard reference architecture that follows industry accepted best practices for security in the healthcare industry and which implements cloud services in a HIPAA compatible way.

Lillibolero is a registered member of the Amazon Partner Network and has provided expertise and consulting through the AWS IQ consultant portal for domestic and international clients since its inception.

AWS white paper Architecting for HIPAA Security and Compliance on Amazon Web Services outlines how customers can use AWS to run sensitive workloads regulated under HIPAA.

AWS white paper Security Pillar: AWS Well-Architected Framework presents best practices for security in the AWS cloud.