Getting Your BAA with AWS?
AWS stands for Amazon Web Services, an established public cloud provider with various security programs and certifications that customers can use.
Amazon’s Business Associates Addendum is otherwise known as Business Associates Agreement (BAA). It defines HIPAA safeguards managed by AWS and breaks down how compliance responsibilities are divided between the cloud platform and the clients.
The client organization’s responsibility is to ensure they’re correctly fulfilling the agreement and managing their security responsibilities to fulfill HIPAA.
Healthcare companies that plan to use AWS cloud services with protected health information (PHI) must execute Amazon’s BAA. If you need to do this but are unsure where to start, we’re here to help.
What is a BAA?
At its most basic, a Business Associate Agreement (BAA) is a legal contract between a healthcare provider and a person or business. This contract establishes the roles and responsibilities of the two parties as they pertain to the access, transmission, and storage of Protected Health Information (PHI) between them.
A BAA is critical for any organization to have in place with companies they partner with in order to maintain compliance with the Health Insurance Portability and Accountability Act.
HIPAA BAAs are legally binding agreements. Therefore, it’s essential to have a dedicated security officer, lawyer, or HIPAA compliance solution help you execute these contracts.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that developed national standards for the protection of sensitive patient health data from being disclosed without the individual’s knowledge or consent.
The US Department of Health and Human Services (HHS) established the HIPAA Privacy Rule to apply the requirements of HIPAA. The HIPAA Security Rule safeguards a subset of information covered by the Privacy Rule.
The Privacy Rule standards assess the use and disclosure of people’s health information by entities subject to the Privacy Rule. This information is known as protected health information (PHI).
The Privacy Rule also includes standards for people’s rights to understand and determine how their health data is used. The Privacy Rule aims to ensure that people’s health information is properly safeguarded while enabling the flow of health information required to provide and develop high-quality healthcare and protect people’s health and well-being.
Is AWS HIPAA Compliant?
AWS has all the protections to meet the HIPAA Security Rule. Amazon will sign a business associate agreement with healthcare organizations.
But the answer to whether AWS is HIPAA compliant is not a simple yes. AWS can be HIPAA compliant, but it’s also possible to make configuration mistakes that leave protected health information (PHI) accessible to unauthorized people, violating HIPAA rules.
Amazon aims for healthcare organizations to use AWS. As such, a business associate agreement will be signed. Under this agreement, Amazon supports the security, control, and administrative processes necessary under HIPAA.
Previously, under the terms of the AWS BAA, the AWS HIPAA compliance program required business associates and covered entities to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process PHI. However, this isn’t the case anymore.
Amazon has published a 26-page guide to help healthcare companies use AWS safely and securely without violating HIPAA Rules. This is called ‘Architecting for HIPAA Security and Compliance on Amazon Web Services’ to help covered entities and business associates learn to secure their AWS and set access controls.
So, to sum it up, Amazon supports HIPAA compliance. It's possible that AWS can be used in a HIPAA-compliant way. However, no cloud service or software can ever be strictly HIPAA compliant.
Like with all cloud services, AWS HIPAA compliance isn’t about the software or platform, but how it’s used.
How do you Obtain a BAA with AWS?
You can accept AWS agreements for just your account, even if your account is a member account of an organization in AWS Organizations.
Before you accept an agreement, it’s best to consult with your legal, privacy, and compliance team.
If you’re an administrator of an account, you can give IAM users and federated users with roles permission to access and manage one or more of your agreements.
IAM and federated users must have the following permissions to accept an agreement:
Here are the steps to accept an agreement with AWS:
- Open the AWS Artifact console at https://console.aws.amazon.com/artifact/.
- Select Agreements on the AWS Artifact navigation pane.
- Select the Account agreements tab.
- Open the section of the agreement.
- Select Download and Review.
- Review the agreement and then select the checkboxes to show that you agree.
- Select Accept to accept the agreement on your account.
If you need to, here’s how to terminate an agreement with AWS:
If you used the AWS Artifact console to accept an agreement, you can use it to terminate the agreement. Otherwise, check Offline agreements.
To terminate an agreement, federated and IAM users must have the following permissions:
Here are the steps to terminate your online agreement with AWS:
- Open the AWS Artifact console at https://console.aws.amazon.com/artifact/.
- On the AWS Artifact navigation pane, select Agreements.
- Select the Account agreements tab.
- Pick the agreement and select Terminate agreement.
- Select all checkboxes to show that you agree to terminate the agreement.
- Select Terminate. When prompted for confirmation, select Terminate again.
Why Do You Need a BAA with AWS?
A BAA makes business associates accountable for fulfilling HIPAA security and privacy rules concerning PHI. The contract defines each party’s responsibilities for safeguarding and protecting PHI and establishes how companies should work together to practice compliance.
Configuring AWS to be HIPAA Compliant
Simply signing a BAA with AWS doesn’t make an organization HIPAA compliant. AWS clients need to practice certain administrative and technical safeguards to maintain compliance in AWS.
It’s possible to use HIPAA-compliant services in AWS and not be HIPAA-compliant. Companies must follow administrative policies and procedures to adopt administrative safeguards.
Policies must include typical operating procedures for risk assessments, backup and recovery, employee training, and other system access policies.
Organizations must also apply technical safeguards and controls. This includes using solutions for disaster recovery (DR), intrusion detection, audit logging, and firewall/networking protections.
AWS and third-party vendors offer many different ways to implement these requirements. Companies must ensure they’ve correctly set up technical controls for every AWS service that handles PHI.
When using AWS’ HIPAA-eligible services, cloud misconfigurations can contribute to making an organization non-compliant with HIPAA.
Here are some examples:
- Imagine that a company has an Amazon S3 bucket containing patients’ protected health information. If this S3 bucket is publicly readable and writable by anyone, that is a security breach waiting to happen.
- A company has different EC2 instances or services that hold PHI. If a data volume attached to an instance is unencrypted, or a port is left exposed to the public internet, this can likewise cause a security breach.
These examples can be prevented by implementing appropriate policies and enforcing security controls across the cloud account. Companies should set a security baseline for the AWS services they use and consistently monitor AWS service settings against it, to confirm that those services are configured and used securely and compliantly.
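A baseline check of the kind described above, as an added example that is not part of the original article: the three checks (`s3_bucket_public`, `volume_unencrypted` and `sg_open_to_world`, all names of my choosing) evaluate dicts shaped like the boto3 responses for `get_bucket_acl`/`get_public_access_block`, `describe_volumes` and `describe_security_groups`, using constructed sample data so it runs offline with no AWS account.

```python
# Added example, not from the page: baseline checks for the three misconfigurations
# described above, run over constructed dicts shaped like boto3 responses.
# Assumption: a real audit would fetch these with boto3; no AWS calls are made here.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def s3_bucket_public(acl_grants, public_access_block=None):
    # A grant to the AllUsers group makes the bucket world-accessible unless a
    # Public Access Block both blocks and ignores public ACLs.
    pab = public_access_block or {}
    if pab.get("BlockPublicAcls") and pab.get("IgnorePublicAcls"):
        return False
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in acl_grants)

def volume_unencrypted(volume):
    # Flag attached EBS volumes that were created without encryption.
    return not volume.get("Encrypted", False) and bool(volume.get("Attachments"))

def sg_open_to_world(sg, ports=(22, 3389, 3306, 5432)):
    # Return the sensitive ports reachable from any IPv4/IPv6 address.
    exposed = set()
    for perm in sg.get("IpPermissions", []):
        world = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                 or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
        if not world:
            continue
        if perm.get("IpProtocol") == "-1":  # "all traffic" rules carry no port range
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed.update(p for p in ports if lo <= p <= hi)
    return sorted(exposed)

# Constructed sample data (not real account data), one finding of each kind.
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
SAMPLE_VOLUME = {"VolumeId": "vol-example", "Encrypted": False,
                 "Attachments": [{"InstanceId": "i-example"}]}
SAMPLE_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

def findings():
    out = []
    if s3_bucket_public(SAMPLE_ACL):
        out.append("S3 bucket ACL grants AllUsers access")
    if volume_unencrypted(SAMPLE_VOLUME):
        out.append(f"volume {SAMPLE_VOLUME['VolumeId']} is attached but unencrypted")
    if ports := sg_open_to_world(SAMPLE_SG):
        out.append(f"security group {SAMPLE_SG['GroupId']} exposes ports {ports} to the internet")
    return out
```

Pointing the same checks at live `describe_*` output turns this into a recurring baseline scan; each finding maps to one of the breach scenarios in the list above.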
Previously, AWS required companies to use only ‘Dedicated Instances’ when developing HIPAA-compliant services. This made HIPAA-compliant workloads a lot more expensive. Start-ups and brands that didn’t provide large-scale offerings had difficulty developing HIPAA-compliant AWS services.
In May 2017, AWS announced the removal of this instance requirement. This meant that businesses could use the AWS HIPAA Security program with any size instance.
Businesses can currently use any size of EC2 instance along with the various other HIPAA-eligible services when developing HIPAA-compliant applications within AWS.
How Common are AWS Misconfigurations?
AWS misconfigurations are extremely common. However, there’s no excuse for these oversights. Checking for unprotected S3 buckets is a quick and easy process. There’s even software that can be used free of charge for this purpose.
A tool called S3 Inspector can be used to check for unsecured S3 buckets.
Developing HIPAA Compliant Services
AWS provides plenty of flexibility when building healthcare services. Signing the AWS BAA is the first stage when developing compliant workloads.
Once the AWS BAA is executed, it’s up to your business to ensure that administrative policies and technical controls are set in place and followed.
Here at Accountable, we make managing risk and compliance as simple and straightforward as possible. Schedule a call with us today to see how we can help you get your BAAs and other compliance factors in place.