Companies that handle health data are automatically subject to HIPAA regulations. Attempting to build the technical controls on top of the existing infrastructure is frequently more complicated than a lift-and-shift into a new AWS organization built with compliance in mind. Companies need to architect their infrastructure to meet these standards from the ground up.
To achieve HIPAA compliance on AWS, you will need to follow these steps:
- Review the AWS HIPAA Compliance page (https://aws.amazon.com/compliance/hipaa-compliance/) to understand the AWS shared responsibility model and the specific AWS services covered by HIPAA.
- Sign a Business Associate Agreement (BAA) with AWS. This contract outlines the responsibilities of both AWS and the customer concerning HIPAA compliance.
- Follow the AWS HIPAA Implementation Guide (https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html) to configure your AWS environment in a way that is compliant with HIPAA requirements. This includes setting up appropriate access controls, data encryption, and other security measures.
- Conduct regular audits to ensure your AWS environment complies with HIPAA requirements.
- If you are storing or processing electronic protected health information (ePHI) on AWS, you must follow additional requirements, such as implementing access controls and conducting risk assessments.
- Finally, carefully review and follow all applicable laws and regulations related to HIPAA compliance. This includes federal and state laws that may apply to your organization.
HIPAA is not prescriptive about how the technical controls are implemented. Instead, HIPAA defines a set of high-level expectations, and it is up to the responsible party (e.g., the customer) to assert which controls are in place for each safeguard.
Our AWS reference architecture for Terraform has a Foundational Security & Compliance pillar that addresses the implementation of the technical controls for HIPAA compliance. Choose one of our Jumpstart or Enterprise tracks to implement it.
For further details on our implementation, see AWS HIPAA Compliance for Healthcare Companies (Healthtech).