Compliance in the Cloud – HIPAA

Today many companies are looking to move their applications and workflows to the Cloud in order to realize benefits such as minimizing cost, reducing IT overhead, and enterprise scalability.

Some of these solutions are required to maintain compliance with HIPAA, which creates concern when hosting in a public cloud platform such as AWS or Microsoft Azure. The good news is that both of these major public cloud providers have solutions for applications that require this sort of compliance.

Solutions that handle Protected Health Information (PHI) must maintain HIPAA compliance and are required to manage a number of safeguards at the administrative, technical, and physical levels. Some examples of these safeguards include:

  • Administrative
    • Privacy Officer Assignment
    • Annual Risk Assessments
    • Policies and Procedures
    • Employee Training
    • Establish a Business Associate Agreement (BAA) with all partners involved
  • Technical
    • Transmission Security
    • Access Control
    • Auditing
  • Physical
    • Facility Access Controls
    • Workstation compliance
    • Device and Media handling

Typically, administrative safeguards are the responsibility of the company that accesses the PHI, technical controls are implemented by the applications that manage the data, and physical safeguards are handled by the parties with physical access to the infrastructure.

Next, we will look at how AWS and Azure each provide a platform for hosting HIPAA-compliant applications, since each provider meets HIPAA requirements at the physical level.

AWS is a large player in the public cloud platform sector, and it provides the mechanisms to host a HIPAA-compliant solution. AWS provides a Business Associate Agreement (BAA) on request, but requires that you host your application on dedicated instances. Dedicated instances are costlier than shared instances, but guarantee that your VM is isolated and does not share resources with other VMs. AWS also requires that a VPC be used, and that its S3 and EBS services be used to process and store PHI. Applications are required to handle encryption of the data in transit, auditing, and access controls.
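The AWS requirements listed above expressed as Terraform, as an added example that is not from the original post: a VPC, a dedicated-tenancy instance with an encrypted EBS root volume, and an S3 bucket with server-side encryption plus a policy that rejects non-TLS requests for transmission security. The CIDRs, AMI, instance type, and bucket name are assumed placeholders; the BAA itself is a contractual step and is not expressible in configuration.

```hcl
# Added example (not from the original post). CIDRs, AMI and bucket name are placeholders.
# PHI workloads must run inside a VPC.
resource "aws_vpc" "phi" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "phi" {
  vpc_id     = aws_vpc.phi.id
  cidr_block = "10.0.1.0/24"
}

# Dedicated tenancy: the VM does not share hardware with other customers' VMs.
resource "aws_instance" "phi_app" {
  ami           = "ami-EXAMPLE"
  instance_type = "m5.large"
  subnet_id     = aws_subnet.phi.id
  tenancy       = "dedicated"
  root_block_device {
    encrypted = true # PHI at rest on EBS is encrypted
  }
}

resource "aws_s3_bucket" "phi" {
  bucket = "example-phi-bucket"
}
# Server-side encryption by default for objects stored in S3.
resource "aws_s3_bucket_server_side_encryption_configuration" "phi" {
  bucket = aws_s3_bucket.phi.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# Transmission security: deny any S3 request that does not use TLS.
resource "aws_s3_bucket_policy" "phi_tls_only" {
  bucket = aws_s3_bucket.phi.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.phi.arn, "${aws_s3_bucket.phi.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

Auditing (for example CloudTrail) and IAM access controls, which the post also lists as the application owner's responsibility, are left out of this fragment.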

Azure is another large public cloud platform, and it also provides the ability to host a HIPAA-compliant solution. Azure provides a BAA to all customers that are part of the Microsoft Online Subscription program, which is essentially any customer on a Pay-as-you-go or Volume License agreement. Azure also provides HIPAA compliance for most of its Platform-as-a-Service (PaaS) offerings, such as Azure SQL Database, Azure Service Bus, and Azure Cloud Services. This is an advantage when hosting HIPAA-compliant solutions in Azure, as its BAA covers most of its IaaS, PaaS, and SaaS offerings. As with AWS, Azure requires that the applications handle certain measures such as encryption, auditing, and access controls.

AWS and Azure, the top two public cloud platforms, each provide a platform for hosting a HIPAA-compliant solution. Each certifies its platform at the physical level, and requires the customer to handle compliance at the administrative and technical levels. As such, certain architectures and security measures should be used to ensure that the application meets HIPAA compliance.

For more information on how you can host your HIPAA application in the cloud, please reach out to Ad Victoriam solutions.