As previously mentioned, last week I had a call with a medical imaging startup in Honolulu. During our call, one of their key objectives was to determine what cloud vendors offer HIPAA compliant services.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.
In previous posts, we’ve covered email providers like Google Cloud, Gmail, Hotmail, Yahoo, Outlook, and AOL and their capabilities for HIPAA compliance. The purpose of this post is to determine if Amazon Web Services (AWS) offers HIPAA compliance or not.
SEE ALSO: Is Google Cloud HIPAA Compliant?
About Amazon Web Services (AWS)
AWS is a secure cloud services platform. It offers computing power, database storage, content delivery and other functionality to help businesses scale and grow.
AWS operates from 16 regions across the globe. It includes popular services like Amazon Elastic Compute Cloud, also known as “EC2”, and Amazon Simple Storage Service, also known as “S3”.
As of today, AWS offers more than 70 services. Amazon markets AWS as a service to provide large computing capacity quicker and cheaper than a client company building an actual physical server farm. We are big fans of AWS.
AWS and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
I thought this would be fairly obvious but I was wrong: People keep asking about HIPAA Compliance and AWS. Here is the AWS HIPAA Compliance section.
Does AWS Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since AWS offers one, we conclude they are in fact a HIPAA compliant cloud vendor.
Make sure your email is HIPAA compliant too. Not sure how?
We put together this free Quick Guide to HIPAA Compliant Email.
What’s Covered Under a BAA with AWS?
Now that we’ve determined AWS will sign a BAA, the question is determining what cloud services provided by AWS are actually covered by their BAA.
We found the answer to that on their HIPAA Eligible Services Reference page. We should note that upon the time of this writing, the page was last updated on 24 March 2017.
The AWS BAA currently covers:
- Alexa for Business (for healthcare skills only – requires Alexa Skills BAA. See HIPAA whitepaper for details)
- AWS Amplify Console
- Amazon API Gateway
- Amazon AppStream 2.0
- AWS AppSync
- Amazon Athena
- Amazon Aurora [MySQL, PostgreSQL]
- Amazon Auto Scaling
- AWS Backup
- AWS Batch
- AWS Certificate Manager
- Amazon Chime
- AWS CloudFormation
- Amazon CloudFront [including [email protected]]
- AWS CloudHSM
- AWS CloudTrail
- Amazon CloudWatch
- Amazon CloudWatch Events [including Amazon EventBridge]
- Amazon CloudWatch Logs
- Amazon CloudWatch SDK Metrics
- AWS CodeBuild
- AWS CodeCommit
- AWS CodeDeploy
- AWS CodePipeline
- Amazon Cognito
- Amazon Comprehend
- Amazon Comprehend Medical
- AWS Config
- Amazon Connect
- AWS Control Tower
- AWS Data Exchange
- AWS Database Migration Service
- AWS DataSync
- AWS Direct Connect
- AWS Directory Services [excluding Simple AD and AD Connector]
- Amazon DocumentDB (with MongoDB compatibility)
- Amazon DynamoDB
- Amazon ElastiCache (Redis)
- Amazon Elasticsearch Service
- AWS Elastic Beanstalk
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Elastic Container Registry (ECR)
- Amazon Elastic Container Service (ECS) [both Fargate and EC2 launch types]
- Amazon Elastic Container Service for Kubernetes
- Amazon Elastic File System
- Elastic Load Balancing
- Amazon Elastic MapReduce (Amazon EMR)
- AWS Elemental MediaConnect
- AWS Elemental MediaConvert
- AWS Elemental MediaLive
- AWS Firewall Manager
- Amazon Forecast
- Amazon FreeRTOS
- Amazon FSx
- Amazon Glacier
- AWS Global Accelerator
- AWS Glue (including AWS Lake Formation)
- AWS Greengrass
- Amazon GuardDuty
- Amazon Inspector
- AWS IoT (Core and Device Management)
- AWS IoT Events
- AWS Key Management Service
- Amazon Kinesis Analytics
- Amazon Kinesis Data Streams
- Amazon Kinesis Firehose
- Amazon Kinesis Video Streams
- AWS Lambda
- Amazon Lex
- Amazon Macie
- AWS Managed Services
- Amazon Managed Streaming for Apache Kafka (Amazon MSK)
- Amazon MQ
- Amazon Neptune
- AWS OpsWorks for Chef Automate
- AWS OpsWorks for Puppet Enterprise
- AWS OpsWorks Stacks
- AWS Organizations
- Amazon Personalize
- Amazon Pinpoint [excluding SMS and Voice Message capabilities]
- Amazon Polly
- Amazon QuickSight
- Amazon Rekognition
- Amazon Redshift
- Amazon Relational Database Service (Amazon RDS) [SQL Server, MySQL, Oracle, PostgreSQL, and MariaDB engines only]
- AWS RoboMaker
- Amazon Route 53
- Amazon SageMaker [excluding Public Workforce and Vendor Workforce]
- AWS Secrets Manager
- AWS Security Hub
- AWS Service Catalog
- AWS Serverless Application Repository
- AWS Server Migration Service
- AWS Shield [Standard and Advanced]
- Amazon Simple Email Service (Amazon SES)
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (Amazon S3) [including S3 Transfer Acceleration]
- Amazon Simple Workflow
- AWS Snowball
- AWS Snowball Edge
- AWS Snowmobile
- AWS Step Functions
- AWS Storage Gateway
- AWS Systems Manager (previously Amazon EC2 Systems Manager)
- Amazon Textract
- Amazon Transcribe
- AWS Transfer for SFTP
- Amazon Translate
- Amazon Virtual Private Cloud (VPC)
- AWS VM Import/Export
- AWS Web Application Firewall (WAF)
- Amazon WorkDocs
- Amazon WorkLink
- Amazon WorkSpaces
- AWS X-Ray
Many parts of Amazon Web Services (AWS) are HIPAA Compliant. Don’t forget to sign a BAA with them.
SEE ALSO: Is Microsoft Azure HIPAA Compliant?