By Ysquare Posted September 11, 2023

5 steps to get your digital health platform HIPAA compliant on AWS

#digitalhealth – it may be a buzzword, but the platforms behind it need stronger protection to safeguard your #physicalhealth and #mentalhealth.

A summarized TODO list for achieving #HIPAA compliance on your #healthtech platform when #aws is your cloud provider.

1. Accept the AWS Business Associate Addendum (BAA).
This is the first step before running any protected health information (PHI) workload on AWS; the BAA is accepted self-service through AWS Artifact. The BAA establishes the legal relationship between a HIPAA-covered entity (or its business associate) and AWS for the protection of PHI. It only covers the services AWS designates as HIPAA eligible, so PHI must be kept to those services.

2. The objective is to protect PHI (Protected Health Information): any individually identifiable health information, not only patient identifiers.
The HIPAA Security Rule requires PHI to be protected both in transit and at rest, and encryption is the standard way to meet that requirement. Under HHS breach notification guidance, PHI that has been encrypted according to the methods specified by the Secretary of Health and Human Services (HHS) is not considered "unsecured", so a loss of such data does not by itself trigger breach notification. AWS offers a comprehensive set of features and services to make key management and #encryption of PHI easy to manage and simpler to audit, including the AWS Key Management Service (AWS KMS). AWS also publishes the list of HIPAA eligible services together with guidance on enabling encryption in each of them, aligned with the HHS guidance.

3. Adopt the authentication and administrative policies your organization requires.
Administrative policies and procedures, tailored to your organization, are an essential part of any HIPAA compliance implementation. These policies are the standard operating procedures (SOPs) covering emergency operations, handling of confidential information, workforce training, risk assessment and service outages, and they satisfy the HIPAA administrative safeguard requirements.

4. Logging and data backups cannot be skipped.
The entity is responsible for audit logging and activity tracking controls; they are a must-have for compliance because, after a data breach, the logged transactions must provide enough evidence to reconstruct what happened without difficulty. On AWS this means AWS CloudTrail for API activity and Amazon CloudWatch Logs for application logs. Timely backups and archives are required for any disaster recovery plan; AWS provides Amazon S3 and the S3 Glacier storage classes for these backups.

5. AWS is not responsible for your mismanagement (shared responsibility).
Choosing AWS does not by itself make you HIPAA compliant. AWS provides the eligible infrastructure and guidance to help your entity and your application become compliant, but any misconfiguration or data exposure you create is owned entirely by your entity, not by AWS. Make sure staging and development environments only ever hold de-identified data, never real PHI.
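Steps 2 and 4 above name the concrete AWS settings an auditor will ask for: SSE-KMS default encryption on the buckets that hold PHI, versioning and Glacier archiving for backups, public access blocked, and a multi-region CloudTrail trail with log file validation and KMS encryption. The script below is an added example and not part of the original post: it runs those checks offline over a constructed inventory whose dictionaries mirror the shape of the responses returned by `aws s3api get-bucket-encryption`, `get-bucket-versioning`, `get-public-access-block`, `get-bucket-lifecycle-configuration` and `aws cloudtrail describe-trails` (nothing here calls AWS). The bucket names, trail name and the KMS key ARN are hypothetical.

```python
"""Offline audit of the PHI encryption, backup and logging settings.

Sample data is constructed; its structure follows the AWS API responses
named in the comments so the same checks can be pointed at real output.
"""
from typing import Dict, List

ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

# Constructed inventory: one bucket passes every check, one has gaps.
BUCKETS: Dict[str, Dict] = {
    "phi-records-prod": {  # hypothetical bucket name
        # s3api get-bucket-encryption
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                # hypothetical key ARN
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}}]}},
        # s3api get-bucket-versioning
        "versioning": {"Status": "Enabled"},
        # s3api get-public-access-block
        "public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        # s3api get-bucket-lifecycle-configuration
        "lifecycle": {"Rules": [{"ID": "archive", "Status": "Enabled",
            "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]},
    },
    "phi-exports-staging": {  # hypothetical bucket name
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "versioning": {},  # never enabled: the response carries no "Status"
        "public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        "lifecycle": {"Rules": []},
    },
}

# cloudtrail describe-trails -> "trailList" (constructed)
TRAILS: List[Dict] = [{"Name": "org-trail", "IsMultiRegionTrail": True,
                       "LogFileValidationEnabled": False,
                       "S3BucketName": "audit-logs", "KmsKeyId": None}]


def audit_bucket(name: str, cfg: Dict) -> List[str]:
    """Return findings for one PHI bucket; an empty list means it passed."""
    findings: List[str] = []
    rules = cfg["encryption"].get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    # Step 2: default encryption must be SSE-KMS with an explicit key, not SSE-S3.
    if default.get("SSEAlgorithm") != "aws:kms" or not default.get("KMSMasterKeyID"):
        findings.append(f"{name}: default encryption is not SSE-KMS with a customer managed key")
    # Step 4: versioning is what makes overwritten or deleted PHI recoverable.
    if cfg["versioning"].get("Status") != "Enabled":
        findings.append(f"{name}: versioning disabled, overwritten or deleted PHI is unrecoverable")
    pab = cfg["public_access_block"].get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append(f"{name}: public access block is not fully enabled")
    # Step 4: an enabled lifecycle rule must move objects to an archive class.
    archived = any(r.get("Status") == "Enabled" and
                   any(t.get("StorageClass") in ARCHIVE_CLASSES for t in r.get("Transitions", []))
                   for r in cfg["lifecycle"].get("Rules", []))
    if not archived:
        findings.append(f"{name}: no enabled lifecycle rule archives objects to Glacier")
    return findings


def audit_trails(trails: List[Dict]) -> List[str]:
    """Return findings for the CloudTrail configuration (step 4)."""
    findings: List[str] = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("CloudTrail: no multi-region trail, activity outside the home region is unlogged")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"CloudTrail {t['Name']}: log file validation off, log tampering is undetectable")
        if not t.get("KmsKeyId"):
            findings.append(f"CloudTrail {t['Name']}: log files are not encrypted with a KMS key")
    return findings


def audit(buckets: Dict[str, Dict] = BUCKETS, trails: List[Dict] = TRAILS) -> List[str]:
    """Run every check and return the combined list of findings."""
    findings: List[str] = []
    for name, cfg in buckets.items():
        findings.extend(audit_bucket(name, cfg))
    findings.extend(audit_trails(trails))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Requiring a customer managed KMS key rather than SSE-S3 is a policy choice, not a HIPAA rule: HIPAA treats encryption as addressable and does not name an algorithm or key owner, but a key you control gives you the key policy, rotation and CloudTrail record of every decrypt that an auditor will expect to see. Feed the functions the parsed JSON from the CLI commands named above to audit a real account.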

P.S. The BAA, the AWS HIPAA eligible services list and whitepaper, and the security control matrix cover conflicting scenarios and comment on the necessary actions. Links provided in the comments.
