Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that is designed to make it easier for US workers to retain health insurance coverage when they change or lose their jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.

Along with increasing the use of electronic medical records, HIPAA includes provisions to protect the security and privacy of protected health information (PHI). PHI includes a very wide set of personally identifiable health and health-related data, including insurance and billing information, diagnosis data, clinical care data, and lab results such as images and test results. The HIPAA rules apply to covered entities, which include hospitals, medical services providers, employer sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement to protect PHI also extends to business associates.

Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the "Administrative Simplification" rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

For more information about how HIPAA and HITECH protect health information, see the Health Information Privacy webpage from the US Department of Health and Human Services.

The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) in their own words, "is a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework."

The HITRUST CSF serves to unify security controls from federal law (such as HIPAA and HITECH), state law (such as Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth), and non-governmental frameworks (such as the PCI Security Standards Council) into a single framework that is tailored for healthcare needs.

AWS provides a reliable, scalable, and inexpensive computing platform that can support healthcare customers' applications in a manner consistent with HIPAA, HITECH, and HITRUST CSF.

Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates. The Business Associate Addendum (BAA) is an AWS contract that is required under HIPAA rules to ensure that AWS appropriately safeguards protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by AWS, based on the relationship between AWS and our customers, and the activities or services being performed by AWS.

Yes. AWS has a standard Business Associate Addendum (BAA) we present to customers for signature. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.

To review, accept, and manage the status of the BAA for your account, sign in to AWS Artifact in the AWS Management Console. If you don’t have access to your account, request a free IAM account from your administrator and ask for access to Artifact IAM policies.

There is no HIPAA certification for a cloud service provider (CSP) such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule.

Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services defined in the Business Associate Addendum (BAA). For the latest list of HIPAA-eligible AWS services, see the HIPAA Eligible Services Reference webpage.

AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control, and administrative processes required under HIPAA. Using these services to store and process PHI allows our customers and AWS to address the HIPAA requirements applicable to our utility-based operating model. AWS prioritizes and adds new eligible services based on customer demand.

For more information about our business associate program, or to request new eligible services, please contact us.

No. This is a very common scenario and many HIPAA solution partners run their Software as a Service (SaaS) offerings in AWS. You as the AWS SaaS partner sign a Business Associate Addendum (BAA) with AWS. Then each healthcare provider or covered entity signs a BAA only with you, the AWS SaaS partner. If the covered entity using your SaaS solutions is also a direct customer of AWS for HIPAA-related systems, then the covered entity may need one BAA with you and another BAA with AWS.

AWS customers and HAQM Partner Network (APN) Partners who have signed a Business Associate Addendum (BAA) with AWS are not required to use HAQM Elastic Compute Cloud (EC2) Dedicated Instances or Dedicated Hosts to process protected health information (PHI). Prior to May 15, 2017, the AWS HIPAA compliance program required that customers who processed PHI using HAQM EC2 must use Dedicated Instances or Dedicated Hosts, but this requirement has been removed.