gvalyou

Navigating HIPAA and HITECH Cloud Compliance with Microsoft Azure and Amazon Web Services


For organizations that work with healthcare and patient information, HIPAA and HITECH compliance is often complex and confusing. The task can seem especially daunting when looking to build a robust, data-driven solution on the Cloud-based services of Microsoft Azure or Amazon Web Services. With some upfront research and planning, it is possible to stay compliant and still reap the benefits many industries have realized from the Cloud.


What is HIPAA and HITECH?

The HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) Acts set out the legal requirements and guidelines on the use and disclosure of PHI (Protected Health Information) and ePHI (Electronic Protected Health Information). ePHI is the subset of PHI that is produced, saved, transferred or received in electronic form. These Acts require the adoption of appropriate administrative, physical and technical safeguards to protect PHI, including security, auditing, back-ups, disaster recovery and breach notification obligations for Covered Entities and Business Associates.

Covered Entities are individuals or organizations that must comply with HIPAA and HITECH and include health plans, clearinghouses and certain healthcare providers. Business Associates are non-employee individuals or entities, who provide services to or for a Covered Entity related to PHI.

The HIPAA Rules require that Covered Entities and Business Associates enter into contracts or agreements to ensure that the Business Associates will safeguard all PHI on behalf of the Covered Entity. Business Associates must also enter into agreements with their Service Providers if the Service Provider delivers any service related to the Covered Entities’ PHI.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes two major titles and has been expanded several times, including in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH).

Title I of HIPAA governs and protects the health insurance coverage for employees and their families when there is a job change or loss.

Title II of HIPAA describes policies, procedures and guidelines for maintaining the privacy and security of personal health information and the penalties and legal actions for violations. It also requires the Department of Health and Human Services (HHS) to develop rules and policies for those that use, store or transmit healthcare information.

Under HHS rules and policies, when working with PHI, Covered Entities and Business Associates are required to comply with the following rules:

  • Privacy

  • Security

  • Enforcement

  • Breach Notification

  • Final Omnibus

These rules require that there are clear policies, procedures and training to guard and protect PHI and outline what happens if the rules are violated or a breach occurs.

The Security Rule, for example, requires Covered Entities to maintain administrative, technical and physical safeguards for protecting PHI. These include:

  1. Ensuring the confidentiality and integrity of all PHI they create, receive, maintain or transmit

  2. Identifying and protecting against reasonably anticipated threats to the security or integrity of the information

  3. Protecting against reasonably anticipated, impermissible uses or disclosures

  4. Ensuring compliance by their workforce

To learn more about HIPAA and HITECH, the U.S. Department of Health & Human Services (HHS) has a very comprehensive website that provides compliance resources and copies of the Acts [1].

Why are HIPAA and HITECH Important to the Cloud?

With many organizations rapidly moving toward Cloud-based solutions, any accessing, processing, storing or handling of PHI in the Cloud requires compliance with HIPAA and HITECH. Non-compliance not only puts PHI at risk, but can also lead to civil and criminal penalties.

Two leaders in the Cloud hosting space are Microsoft Azure and Amazon Web Services. These Cloud Providers offer a diverse menu of Cloud-computing services that, when bundled or stacked, create a robust on-demand computing platform covering processing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools and tools for the Internet of Things (IoT). For many organizations, they provide the ability to implement a robust infrastructure in a cost-effective manner that is compliant with many different industry rules and regulations, including HIPAA and HITECH.

Microsoft Azure and Amazon Web Services provide an ever-expanding list of services that are HIPAA and HITECH compliant under their respective Business Associate Agreements, allowing customers that require HIPAA and HITECH compliance to benefit from the Cloud.

Architecting a Compliant Cloud Solution

Architecting a fully compliant HIPAA and HITECH Cloud solution requires careful research, planning and guidance. There are many nuances that must be considered to ensure the compliance of services in the Cloud, as opposed to traditional licensed software. Microsoft Azure and Amazon Web Services provide multiple resources on their websites to help customers understand the process and options required to design and architect a HIPAA and HITECH compliant solution on their platforms.

Microsoft Azure

Microsoft Azure provides the “Microsoft Trust Center”, a website section that includes many resources focused on best practices, case studies and white papers to help ensure HIPAA and HITECH compliance with Microsoft Azure [2].

Highlighted publications include “A Practical Guide to Designing Secure Health Solutions Using Microsoft Azure” which provides guidance for designing and deploying secure solutions on the Microsoft Azure Platform [3].


Amazon Web Services

Amazon Web Services provides “HIPAA in the Cloud”, a website section that includes many resources focused on best practices, case studies and white papers to help ensure HIPAA and HITECH compliance with Amazon Web Services [4].

Highlighted publications include, “Architecting for HIPAA Security and Compliance on Amazon Web Services”, which provides guidance for designing and deploying secure solutions on the Amazon Web Services platform [5].


Microsoft Azure and Amazon Web Services both publish documentation and Business Associate Agreements on their websites that clearly communicate the HIPAA compliant services they provide. Both follow what is called a shared responsibility model. In a shared responsibility model, the Cloud provider is responsible for securing the underlying infrastructure that supports the Cloud, and the customer is responsible for everything put in the Cloud or connected to the Cloud (for example, the operating system, applications, data, identity and access management, and encryption of PHI in transit and at rest). It is important to ensure that only services that are compliant, or can be made compliant, are used for activities that process, store or transmit PHI, and that the scope of responsibility of the provider and the customer is clearly understood.

Illustrated Amazon Web Services Shared Responsibility Model [6]


At the current time, the HIPAA services covered by their respective Business Associate Agreements are listed by Microsoft Azure [7] and Amazon Web Services [8].



What if I want to use a service that is not on the covered list?

If a service is not listed in the current HIPAA and HITECH compliance documentation from Microsoft Azure or Amazon Web Services, it is important not to make assumptions about its compliance, and not to add the service without careful investigation and guidance.

Determining compliance when selecting and layering services to architect a HIPAA and HITECH compliant Cloud-based solution is complex and challenging: many Cloud-based services, even those offered within the same provider's marketplace, may not meet HIPAA and HITECH requirements. Careful consideration must be given to every component used in a solution, or the solution as a whole may fall out of HIPAA and HITECH compliance.

For example, Tableau Server for AWS does not comply with HIPAA and does not claim to, as stated directly in the Tableau Server for AWS End User License Agreement [9]:

“Health Information. Customer will not submit to Tableau Server for AWS any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations ("Health Information") and acknowledges that Tableau is not a Business Associate and that Tableau Server for AWS is not HIPAA compliant. "HIPAA" means the Health Insurance Portability Act, as amended and supplemented. Tableau shall have no liability under this Agreement for Health Information, notwithstanding anything to the contrary herein.”

Some services may be HIPAA and HITECH compliant even though this is not immediately evident. While not specifically referenced within the Amazon Web Services compliant solutions list, MicroStrategy offers a HIPAA compliant Cloud offering that can leverage the features of Amazon Web Services [10].


If a service's HIPAA and HITECH compliance is unclear, or there is a need to include other services or products, consult with Microsoft, Amazon or the vendor. Many vendors have solutions that can be used with Microsoft Azure and Amazon Web Services, or can help you design a compliant Cloud, Virtual Private Cloud or Hybrid solution.

There are also third-party Managed Services companies with the expertise to help design and support HIPAA and HITECH compliant solutions, leveraging many different products in concert with Microsoft Azure or Amazon Web Services.

Conclusion

HIPAA and HITECH compliance is mandatory for organizations accessing, processing, storing or handling PHI. With some upfront research, planning and help, the sky is the limit with the Cloud services of Microsoft Azure or Amazon Web Services.

References and Citations

  1. HHS Website, http://www.hhs.gov/hipaa/for-professionals/index.html, 11/26/2016

  2. Microsoft Azure Website, “Microsoft Trust Center – HIPAA Section”, https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA, 11/26/2016

  3. Microsoft TechNet, “A Practical Guide to Designing Secure Health Solutions Using Microsoft Azure”, https://gallery.technet.microsoft.com/Azure-A-Practical-Guide-to-5ebdc8bd, 2015

  4. Amazon Web Services Website, “HIPAA in the Cloud”, https://aws.amazon.com/health/providers-and-insurers/hipaa/, 11/26/2016

  5. Amazon Web Services White Papers, “Architecting for HIPAA Security and Compliance on Amazon Web Services”, https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf, October 2016

  6. Amazon Web Services Website, “Amazon Web Services, Shared Responsibility Model”, https://aws.amazon.com/compliance/shared-responsibility-model/, 11/26/2016

  7. Microsoft Azure Website, “Microsoft Azure, HIPAA Covered Services”, https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA, 11/26/2016

  8. Amazon Web Services Website, “HIPAA Eligible Services”, https://aws.amazon.com/health/providers-and-insurers/hipaa/, 11/26/2016

  9. Amazon Web Services Marketplace Website, “Tableau Server for AWS, End User License Agreement”, https://aws.amazon.com/marketplace/pp/B015WQEKS4?qid=1480256906047&sr=0-2&ref_=srh_res_product_title, 11/26/2016

  10. MicroStrategy Cloud Service Publication, “All New MicroStrategy Secure Cloud: Enterprise Analytics Meets Unlimited Computing Power”, https://www.microstrategy.com/Strategy/media/downloads/training-events/symposium%20series/presentations/All_New_MSTR_Secure_Cloud_on_AWS_Enterprise_Analytics_Meets_Unlimited_Computing_Power.pdf, 11/26/2016

Disclaimer, Copyright and Trademark Statement

This article is provided for informational and educational purposes. It makes no warranties as to the claims, accuracy or fitness of information provided, referenced or cited. Use of the information, instructions and any examples contained in this work is at your own risk. There should be no implied endorsement of this article by any person or organization referenced.


All trademarks, company, product and services names, images, descriptions, or public website content are property of their respective owner as source referenced. It is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
