The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The legislation was designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs. The legislation also sought to drive the adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.

Along with increasing the use of electronic medical records, the law included provisions to protect the security and privacy of Protected Health Information (PHI). PHI includes a very wide set of personally identifiable health- and health-related data, from insurance and billing information, to diagnosis data, clinical care data, and lab results such as images and test results. The rules apply to "Covered Entities", which include hospitals, medical services providers, employer sponsored health plans, research facilities and insurance companies that deal directly with patients and patient data. The law and regulations also extend the requirement to protect PHI to "Business Associates".

HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act in 2009. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the "Administrative Simplification" rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on how HIPAA and HITECH protect health information, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

The Health Information Trust Alliance, or HITRUST Common Security Framework (CSF) in their own words, "is a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework."

The HITRUST CSF serves to unify security controls from federal law, such as HIPAA/HITECH, state law, such as Massachusetts, and non-governmental frameworks, like COBIT and PCI-DSS into a single framework that is tailored for healthcare needs and use.

AWS provides a reliable, scalable, and inexpensive computing platform that can support healthcare customers' applications in a manner consistent with HIPAA, HITECH, and HITRUST CSF. As an example, one of our customers has created an environment within AWS that has been successfully audited for HIPAA/HITECH compliance, as well as HITRUST certified.

Under the Health Insurance Portability and Accountability Act (HIPAA), a "business associate" is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity. A "business associate" also includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate – under the HIPAA regulations, Cloud Service Providers like AWS are considered business associates. The HIPAA Rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. AWS refers to these contracts as Business Associate Addendums.

Yes. AWS has a standard Business Associate Addendum we will present to customers for signature. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.

You can use AWS Artifact to review, accept, and manage the status of your Business Associate Addendum (BAA) for your account.

There is no HIPAA certification for a cloud provider such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA security rule. NIST supports this alignment and has issued SP 800-66, "An Introductory Resource Guide for Implementing the HIPAA Security Rule," which documents how NIST 800-53 aligns to the HIPAA Security rule.

Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA. The HIPAA Eligible Services Reference page has the latest list of HIPAA-eligible services. 

AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control, and administrative processes required under HIPAA. Using these services to store and process PHI allows our customers and AWS to address the HIPAA requirements applicable to our utility-based operating model. AWS prioritizes and adds new eligible services based on customer demand.

For more information about our business associate program, or to request new eligible services, please contact us.

No. This is a very common scenario and there are a number of innovative HIPAA solution partners running their SaaS offerings in AWS. In this case, each healthcare provider or covered entity would establish a BAA only with the SaaS partner, and the SaaS partner would establish a BAA with AWS. If the covered entity using the SaaS partner is also a direct customer of AWS for HIPAA-related systems, then the covered entity may need one BAA with the SaaS partner and another BAA with AWS.

Effective May 15, 2017, AWS customers and APN Partners who have signed a Business Associate Addendum (BAA) with AWS will no longer be required to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI). Previously, the AWS HIPAA compliance program required that customers that processed Protected Health Information (PHI) using Amazon EC2 must use Dedicated Instances or Dedicated Hosts. This requirement has been removed.