How to Build and Manage HIPAA/HITECH Compliant Applications in AWS

What is HIPAA and HITECH?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted and signed into law by Bill Clinton on August 21, 1996. HIPAA defines specific requirements for protecting patient privacy and information. This protected patient information is referred to as PHI (Protected Health Information), ePHI (Electronic Protected Health Information), or IIHI (Individually Identifiable Health Information).

The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. This act set about prioritizing meaningful and interoperable EHR (electronic health records) adoption throughout the health care system. The goal is not adoption alone, but to make meaningful use of EHRs by providers to achieve significant improvements in care.

While customer privacy and cybersecurity are critical regardless of the industry, security is especially important in the healthcare industry as it remains the largest target of data theft. Health data, including patient medical records, are the most valuable forms of data on the black market. As such, HIPAA-compliant app development is more important now than ever.  

What Is A HIPAA/HITECH Compliant Cloud?

Due to the recent growth of public cloud platforms and SaaS solutions, regulated industries, including the healthcare industry, have begun looking to cloud services and public cloud platforms as a means of simplifying business operations.

Simply put, cloud computing and public cloud platforms allow an organization to quickly and efficiently deploy services, scale applications and workloads, and obtain accurate pricing information. Cloud service providers now feature HIPAA-supported services, allowing you to easily build and manage HIPAA-compliant apps without having to rely on on-premise servers or data center experts.

Security and compliance are paramount for any business, organization, or industry that requires HIPAA and HITECH compliance and manages protected health information (PHI).

Why Build Compliant Services In AWS?

There are plenty of reasons why you should consider building and managing HIPAA and HITECH compliant applications in AWS, including:

Development Tools: Amazon provides you with all of the tools and flexibility required to build the latest healthcare applications.

Get-To-Market Faster: Featuring a massive development ecosystem and numerous service and deployment options, Amazon allows organizations to build powerful applications in no time.

Scalability: AWS allows organizations to scale anywhere from a few users to millions — all with limited capital expenditure.

Lower Cost: Building applications in AWS costs roughly one-third as much as traditional on-premise and proprietary cloud solutions.

What is AWS Lambda?

AWS Lambda is a serverless cloud service that allows teams to build applications, services, and APIs quickly, without having to deal with complicated infrastructures like servers and virtual machines. 

AWS Lambda executes application code, allowing developers to structure an application as a set of functions and deploy them to Lambda. AWS is responsible for provisioning all of the compute resources required to execute these functions.

Lambda functions can be triggered by various events, including HTTP requests, a change in a database record, emails or SMS messages, and more. When an event fires, the function's code is executed. That code then interacts with other AWS services, such as the system's database, to which it writes its output.

Challenges With Compliance in the Public Cloud

Implementing a single compliance solution doesn’t mean your entire organization is HIPAA/HITECH compliant. Your team must implement technical safeguards, set appropriate policies, and follow through with defined procedures. 

Organizations that develop HIPAA compliant applications and solutions typically run into two challenges:

Creating Privacy and Security Policies

Simply following the HIPAA Privacy and Security Rules is not enough. Your organization, including all covered entities and business associates, must provide proof that they are proactively taking measures to prevent violations — this is achieved by developing robust privacy and security policies. In short, HIPAA/HITECH policies function as a guide for handling sensitive patient data, emergencies, service outages, and staff access and training. 

Implementing Security Safeguards

There are three sets of requirements that a team needs to consider when managing PHI or building healthcare applications and/or solutions that are to be in line with HIPAA/HITECH compliance standards — they include the following:

Physical safeguards refer to the physical controls placed on the facilities and devices that store ePHI. This includes securing physical servers and machines and restricting employee access to them.

Technical safeguards refer to the technical aspects of any networked systems or devices that transmit ePHI when communicating with each other, including network security, perimeter firewalls, access control, and authentication protocols.

Administrative safeguards cover how an enterprise creates and manages its employee policies and procedures, ensuring they comply with the Security Rule.

What is the Shared Responsibility Model?

Cloud providers, including Amazon Web Services (AWS), operate on what's referred to as a shared responsibility model. Under the Shared Responsibility Model, the cloud provider supplies your organization with a Business Associate Agreement (BAA) that explains how specific cloud services must be configured for HIPAA compliance. It remains your responsibility to lay out the technical and physical safeguards on your side. Learn more about the Shared Responsibility Model here.

Interested In Building HIPAA Compliant Applications? Follow This HIPAA/HITECH Compliance Checklist

If your organization aims to use services from a public cloud platform to build HIPAA compliant applications, the following HIPAA requirements must be managed to achieve HIPAA compliance in the cloud. These are the steps teams commonly take.

1. Sign a business associate agreement (BAA)

Any organization that deals with protected health information (PHI) needs to negotiate and sign a BAA with every cloud vendor that stores, processes, or transfers PHI. In other words, development teams should have a BAA in place with each cloud service platform that stores PHI.

2. Stick to the services defined in the BAA regarding PHI

As well as listing the cloud services that may be used to build HIPAA compliant solutions, a BAA also states the security responsibilities that must be met. Organizations need to be certain that they store PHI only in cloud services covered by the BAA.

3. Implement all administrative policies and safeguards

As we mentioned above, simply signing a BAA does not automatically ensure that an organization is HIPAA compliant. In order to maintain compliant status, a HIPAA security program — including administrative policies and procedures — must be put in place. These policies should be simple and straightforward, providing the necessary steps covering everything from risk assessment and disaster recovery to employee training and log review.

4. Implement all necessary security controls

Although cloud computing platforms provide the necessary physical safeguards and security options, it is up to the organization to ensure that all proper technical controls are implemented across all cloud services, addressing encryption, audit logging, firewall/networking, intrusion detection, vulnerability scanning, and so on.

5. Review compliance standards periodically

Periodic review is required to ensure continued compliance with HIPAA requirements. Teams need to review administrative policies periodically to confirm that security controls are implemented across all cloud services and remain up to date.
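The following is an added example, not code from the original post or from Dash: a minimal continuous-compliance check that evaluates a constructed AWS resource inventory against the controls named in steps 2 and 4 above (PHI only in BAA-covered services, encryption at rest, audit logging, no PHI datastore open to the internet). The resource record shapes, the BAA allowlist and the `evaluate` function are assumptions; in practice the inventory would be pulled from the AWS APIs.

```python
"""Added example (not from the original post): evaluate a constructed AWS
resource inventory against HIPAA checklist steps 2 and 4. The record shapes,
the BAA allowlist and the rule set are assumptions for illustration only."""

# Assumed set of services this organization's BAA covers (placeholder, not AWS's list).
BAA_ELIGIBLE = {"s3", "rds", "lambda", "cloudtrail"}

# Constructed inventory resembling the fields returned by describe-style API calls.
INVENTORY = [
    {"type": "s3", "name": "phi-records", "phi": True, "encrypted": True},
    {"type": "s3", "name": "phi-exports", "phi": True, "encrypted": False},
    {"type": "rds", "name": "ehr-db", "phi": True, "encrypted": True,
     "ingress": ["10.0.0.0/16"]},
    {"type": "rds", "name": "ehr-db-test", "phi": True, "encrypted": True,
     "ingress": ["0.0.0.0/0"]},
    # Hypothetical service deliberately absent from the BAA allowlist above.
    {"type": "selfhosted-cache", "name": "phi-cache", "phi": True, "encrypted": True},
    {"type": "cloudtrail", "name": "org-trail", "logging": True, "multi_region": False},
]


def evaluate(inventory, baa_eligible=BAA_ELIGIBLE):
    """Return (resource name, finding) tuples; an empty list means no findings."""
    findings = []
    trails = [r for r in inventory if r["type"] == "cloudtrail"]
    # Step 4, audit logging: at least one multi-region trail must be logging.
    if not any(t.get("logging") and t.get("multi_region") for t in trails):
        findings.append(("account", "no multi-region CloudTrail trail is logging"))
    for r in inventory:
        if not r.get("phi"):
            continue  # rules below apply only to resources holding PHI
        # Step 2: PHI may be stored only in services the BAA covers.
        if r["type"] not in baa_eligible:
            findings.append((r["name"], f"PHI stored in non-BAA service {r['type']}"))
        # Step 4, encryption: every PHI store must be encrypted at rest.
        if not r.get("encrypted"):
            findings.append((r["name"], "encryption at rest disabled"))
        # Step 4, firewall/networking: no PHI datastore reachable from anywhere.
        if "0.0.0.0/0" in r.get("ingress", []):
            findings.append((r["name"], "ingress open to 0.0.0.0/0"))
    return findings


if __name__ == "__main__":
    for name, finding in evaluate(INVENTORY):
        print(f"{name}: {finding}")
```

Running the block as a script prints one line per finding, which is the kind of output a periodic review (step 5) would ticket and track to closure.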


The AWS cloud reduces application development time and simplifies operational activities. Still, security teams cannot afford to overlook the security configuration and planning required to build secure cloud applications.

Unfortunately, applications produced in AWS are not inherently secure. It’s up to you to implement the required security controls across your applications and connected cloud services. 

Teams may turn to continuous compliance monitoring to mitigate compliance configuration issues. These services can help your team guarantee that AWS environments are compliant with HIPAA standards.

Download your free AWS HIPAA whitepaper now and learn more about how teams are managing their AWS security programs with Dash Continuous Compliance Monitoring.
