HIPAA on AWS the Easy Way



Many of our customers are running workloads that are subject to HIPAA regulations.  Running these on AWS is definitely doable, but there are some catches.  Foghorn has made it super easy for our customers to run HIPAA compliant workloads on AWS. Here’s how..

What is a BAA?

If you are not familiar with HIPAA, the regulations require a Business Associate Agreement to be executed with each of your partners who may have access to Protected Health Information.  From the Health Information Privacy page on BAA:

‘A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.  The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. ‘

AWS HIPAA Rules and Regs

If you are handling PHI today, you already know that any vendor that you share PHI with is required to sign a BAA.  Amazon has made this process pretty straightforward, in that they offer a BAA that they will happily sign for all customers storing and processing PHI on AWS.  But the devil is in the details.  You can read more at the AWS HIPAA compliance page here.  The important quote:

“Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA.”

So are you protected by the BAA?

The BAA that Amazon signs covers only a few of the AWS services, and requires that you use those services in specific architectural configurations.  If you break those conventions, the BAA is nullified.  Worse, it is nullified for your entire account, not just for data handled by the non-compliant components.

An easy example would be if your team had a compliant architecture for production, but a non-compliant infrastructure for staging.  This may have been your configuration to save on costs, and in order to maintain compliance you scrub staging data of PHI before uploading.  Let’s say that an engineer mistakenly uploaded non-scrubbed data to the non-compliant environment.  You just invalidated your BAA, even for your production environment!

In addition, any of the technical consultants, subcontractors, and managed services companies that you use also need to sign a BAA. This process can be time consuming and costly from a legal perspective.

The Easy Way

Foghorn is both a cloud services and a cloud engineering provider.  Because you get all of your AWS as well as your engineering and managed services from us, you can sign a single BAA with Foghorn.  All of the AWS gotchas still apply, but Foghorn is deeply experienced in architecting and managing HIPAA compliant environments.  By partnering with Foghorn, we can make sure your PHI is safe, and your company is protected from accidentally invalidating your AWS BAA.  There are a few ways we accomplish this:

  1. All Foghorn employees undergo HIPAA training.  We make sure our employees understand the what, the how and the why of HIPAA to avoid any simple errors.
  2. All Foghorn customer HIPAA accounts are tagged.  We know which accounts are HIPAA, and which aren’t, without a doubt.  That makes tracking and auditing easier.
  3. We segregate your PHI workloads from non PHI workloads when possible, to make sure we can focus the restrictive HIPAA based policies only where required. This saves cost and maintains agility on the rest of your workloads.
  4. We design the HIPAA infrastructure with belt and suspenders.  We make sure your architecture is compliant with Amazon’s BAA conditions, and add multiple layers of assurance.
  5. We advise and guide on the responsibilities that AWS does not take care of.  This includes scanning, penetration testing, change processes, incident response, etc.
  6. We set up realtime audit monitoring for key controls to make sure that in case someone changes something in your account that may lead to compliance issues, your team is notified immediately.

Call us today for more info on how we can help you meet HIPAA compliance while retaining your agility.

The Reinvention of Amazon Bedrock

The Reinvention of Amazon Bedrock

Amazon Bedrock is a sophisticated and fully managed service provided by AWS, designed to facilitate the development and scaling of generative AI applications. Some key improvements have been launched at AWS Re:Invent this week. We’ll dive deeper into those later....