HIPAA and Amazon AWS

HIPAA -and-Amazon-AWS

What is HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. law which protects the privacy of individually identifiable health information. In particular, standards are set for the security of electronic protected health information (PHI). The Office for Civil Rights under the U.S. Department of health & Human Resources enforces federal civil rights laws and HIPAA to protect patient privacy.

HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act, (HITECH), in 2009. Thus, the relevant literature often refers to both HIPAA and HITECH.

What is PHI

Here’s the definition of PHI: Individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records. Here are the 18 forms of PHI.

  • Names
  • Geographic identifiers smaller than a state in which populates are less than 20,000
  • Birthdate
  • Date of death
  • Admission date
  • Discharge date
  • Visit date
  • Operation date
  • Phone number
  • Fax number
  • Email addresses
  • Social Security numbers
  • Medical record numbers (any hospital assigned unique identifier)
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Covered Entities and Business Associates

These parties and any contractor or associates that assist in handling PHI (such as Amazon Web Services) must observe HIPAA requirements.

Health Care Providers Health Plans Healthcare Clearinghouses
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Health Insurance companies
  • HMOs
  • Company health plans
  • Government programs such as Medicare, Medicaid and Veterans Affairs.
  • Processors of health information


Amazon Web Services (AWS) and HIPAA

Through its full and robust offering, AWS supports its customers’ HIPAA compliance needs for the storage and transmission of PHI. In fact, AWS makes it easy for covered entities to comply with HIPAA when dealing with electronic PHI.

Storage Location Covered Entities must know where their PHI resides and ensure that PHI resides in the U.S. AWS allows its customers to choose the region where their data resides.

Access Control AWS allows customers to create roles and users with varying levels of access. This can easily be done through the AWS Identity and Access Management (IAM) web-based console. Customers can then set permissions at every object level. For example, in S3, access can be restricted at the patient record or file level. Thus, through AWS, covered entities can ensure that only allowed health professional have access to PHI.

Logging, Auditing, and Back-Ups In HIPAA, covered entities must be able to see who had access to PHI and what was accessed. This requires logging and auditing which can be accomplished on Amazon EC2 down to the packet layer. In addition S3 runs a default log of transactions. In addition, AWS’s level of redundant storage coupled with its robust back-up and restore offerings for databases and storage allow covered entities to comply with HIPAA’s strict requirements for the availability and durability of PHI.

Encryption In-Transit On AWS, SSL can easily be employed to ensure that PHI is encrypted when traveling over the internet.

Encryption At-Rest HIPAA requires PHI to be encrypted while in storage. This means that entities without the proper permission, even if they should gain access to the data, would find encrypted (garbled and meaningless) data. Covered Entities employing Amazon S3 to store PHI have the following options.

  • No Server-Side-Encryption: Customers encrypt the data locally and then upload it (using SSL) to Amazon.
  • Amazon-Managed Server-Side-Encryption: Customers upload it securely (using SSL) to Amazon and have Amazon encrypt it using Amazon’s encryption key. This option is the easiest. One can default entire buckets, folders, or files to be automatically encrypted by Amazon. Although this demands a high level of trust with Amazon, Amazon is willing to sign a Business Associate Agreement (BAA) with covered entities to share the responsibility for protecting PHI.
  • Customer-Managed Server-Side-Encryption: Customers upload it securely (using SSL) to Amazon and have Amazon encrypt it with the covered entity’s private encryption key. This option provides the convenience of not having to encrypt and decrypt files locally before uploading PHI. In addition, covered entities can take advantage of server-side-encryption while not having to entrust Amazon with the necessary encryption keys.

How Customer-Managed Server-Side-Encryption Works

  1. Customers generate a private key and send it to Amazon with the payload (PHI data).
  2. Amazon uses the key to encrypt the data that gets stored.
  3. Amazon creates a one-way hash of the key to authenticate the key in subsequent transactions.
  4. Amazon throws away the key and only stores the hash.
  5. Get requests by customers must include the same key which gets hashed and authenticated against Amazon’s stored hash.
  6. Amazon uses the authenticated key to decrypt the data before transmitting it back to the customer.
  7. Amazon throws away the key and only stores the hash.

Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>