Is AWS HIPAA Compliant?

AWS is not independently “HIPAA compliant” for a customer’s workloads, but AWS can support HIPAA compliance when a HIPAA Covered Entity or Business Associate uses HIPAA-eligible AWS services under an executed AWS Business Associate Addendum and configures the environment to meet HIPAA requirements.

HIPAA compliance for systems hosted on AWS depends on the shared responsibility model. AWS is responsible for security of the underlying cloud infrastructure, while the customer is responsible for security in the cloud, including identity and access management, encryption configuration, logging, monitoring, incident response procedures, and workforce access controls.

A HIPAA Covered Entity or Business Associate should limit protected health information to HIPAA-eligible services covered by the AWS Business Associate Addendum and should implement administrative, physical, and technical safeguards that align with the HIPAA Security Rule. The customer also remains responsible for policies and procedures under the HIPAA Privacy Rule, including access controls that support the HIPAA Minimum Necessary Rule, and for breach assessment and notification processes under the HIPAA Breach Notification Rule.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA.