7 October, 2020
HIPAA Compliance for AWS-hosted SaaS
Amazon Web Services (AWS) is a leading cloud service provider. If you are a software-as-a-service (SaaS) provider, you may be using one or more AWS services. If you work in the healthcare industry, or your clients are covered entities that process, maintain, or store protected health information (PHI), HIPAA compliance becomes a necessity for you as a service provider. In this article, we discuss HIPAA compliance requirements for AWS-hosted SaaS.
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. It regulates the security and privacy of medical data in the United States. A covered entity and its business associates that store, process, or maintain PHI of individuals must fulfill the requirements prescribed in HIPAA and its subsequent amendments. One such amendment is HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009).
Of the multiple rules issued under this legislation, the HIPAA Privacy Rule and the HIPAA Security Rule are the most widely known, although the others are equally important. The HIPAA Privacy Rule governs the use and disclosure of PHI by covered entities and their business associates. It covers general rules for disclosure of information, the responsibilities of covered entities, and the rights of the patient (or individual). The HIPAA Security Rule operationalizes the Privacy Rule by addressing the technical and non-technical safeguards for PHI that is stored or transmitted electronically (ePHI). It expects covered entities and their business associates to implement and maintain reasonable safeguards in three spheres: technical, physical, and administrative.
Sharing of compliance responsibilities between AWS and SaaS provider
AWS, in its capacity as a cloud service provider, implements the safeguards required of it and offers a set of HIPAA-eligible services that may be used to store and process PHI. However, this does not mean that an application you build on AWS is automatically HIPAA compliant. The relationship between a SaaS provider and AWS follows a shared responsibility model: AWS is responsible for security of the cloud, that is, the physical facilities, the hardware, and the underlying compute, storage, database, and networking infrastructure. Security in the cloud, meaning everything you deploy and configure on top of that infrastructure (your application, its data, access control, encryption, logging), is your responsibility as the SaaS provider, which in HIPAA terms normally makes you a business associate of your covered-entity customers.
When you choose to use AWS services for PHI, you sign a Business Associate Addendum (BAA) with AWS. The BAA is a contract between AWS and the customer (a covered entity or business associate) that sets the extent of each party's liability, the permissible uses and disclosures of PHI, and similar obligations. It also obliges AWS to implement appropriate safeguards to protect PHI. Note that the BAA covers only the services AWS designates as HIPAA-eligible; PHI should not be placed in services outside that list.
What about HIPAA certification?
For service providers like AWS, there is no certification for HIPAA compliance. However, according to AWS documentation, AWS has aligned its risk management program with NIST SP 800-53. This is in line with NIST's guide for implementing the HIPAA Security Rule (NIST SP 800-66), which maps the Rule's requirements to NIST SP 800-53 controls.
As of now, there is no authorized standard certification mechanism. HIPAA compliance is an organization's own responsibility, subject to audit by the HHS Office for Civil Rights (OCR). HITRUST, a privately held company, has developed a Common Security Framework (CSF) to help service providers fulfill HIPAA requirements. Over the years, we have seen growing acceptance of.
Do you need to sign BAA with your customers?
If your SaaS solution is hosted on AWS, there are two relationships in play here.
First, between you as a SaaS provider and AWS; and
Second, between you as a SaaS provider and your customers.
For the first relationship, you already have a BAA in place. For the second, your customers will not sign a BAA with AWS in order to use your SaaS offering; instead, they sign a BAA with you as the service provider.
If one of your clients also uses a service directly from AWS, they will have a separate BAA with AWS covering that service.
While HIPAA does not explicitly require either penetration testing or vulnerability scanning, it does require covered entities and business associates to perform risk analysis and to evaluate their security controls on a regular basis. Further, NIST SP 800-66 recommends penetration testing to check the effectiveness of security controls and exposure to vulnerabilities. Our HIPAA penetration testing practice replicates the techniques used by attackers to determine how your systems react to a successful cyberattack, discover security gaps, and explore the extent of the potential damage. Read more about our specialized HIPAA penetration testing service here.