Healthcare Compliance in the Cloud

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that delivers a standard approach to the security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP is mandatory for all US federal agencies and all cloud services, including the U.S. Department of Health and Human Services.

 Two separate FedRAMP Agency authorizations have been issued; one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions.

The HITRUST CSF (Cloud Security Framework) serves to unify security controls based on aspects of US federal law (such as HIPAA and HITECH), state law (such as Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth), and recognized non-governmental compliance standards (such as PCI DSS) into a single framework that is tailored for healthcare needs.

Certain AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF Assessor as meeting the HITRUST CSF v9.3 Certification Criteria.

Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that is designed to make it easier for US workers to retain health insurance coverage when they change or lose their jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.

Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the "Administrative Simplification" rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces.

The Health Information Act (HIA) is the privacy law in Alberta that applies to the collection, use, disclosure and protection of health information that is in the custody or under the control of a custodian.

The AWS Canada (Central) Region is currently available for multiple services, such as: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS).

The Personal Health Information Protection Act (PHIPA) is privacy legislation in Ontario that applies to the collection, use, and disclosure of personal health information (PHI) in the course of providing or facilitating healthcare services.

Health and Social Care Cloud Security – Good Practice Guide has been written jointly by NHS Digital, NHS England, the Department of Health and Social Care and NHS Improvement.

This guidance explains the safeguards that must be put in place so health and social care organisations can safely locate health and social care data, including confidential patient information in the public cloud including solutions that make use of data off-shoring.

AWS enables the compliance through classifying the workloads that are being deployed to AWS and supports by implementing the class-appropriate controls. The white paper,  “Using AWS in the context of NHS Cloud Security Guidance” includes detailed risk management activities for organizations to undertake, comprising mostly technical measures appropriate to the level of security required.

Hébergeur de Données de Santé (HDS) - Introduced by the French governmental agency for health, “Agence du Numérique en Santé” (ANS), the HDS (Hébergeur de Données de Santé) certification aims to strengthen the security and protection of personal health data.

To be HDS certified, an IT provider must be ISO 27001 certified. This means that the services covered by our ISO 27001 certification are included in the scope of HDS. The AWS services that are in scope for the ISO/IEC 27001:2013 certification can be found on the ISO Certified webpage.  

DiGAV was introduced in April 2020 to support the digitization of the German health system. DiGAV enables certain healthcare applications to be recognized as refundable under the German statutory health insurance system. However, for organizations to comply with and enable eligibility for reimbursement through DiGAV, they must demonstrate that their applications meet DiGAV data protection requirements, including that personal data is processed exclusively within the European Economic Area (EEA) or a country with an adequacy decision by the European Commission based on Article 45 of the EU General Data Protection Regulation (GDPR).

AWS provides a number of industry-leading tools to support customers address local regulatory and legislative requirements, including the German Digital Supply Act (DVG) and associated Digital Health Applications Ordinance (DiGAV), as they move healthcare workloads to the cloud.

The Act on the Protection of Personal Information (APPI) is the primary legislation dealing with personal data in Japan.

The APPI applies to all business operators (individuals and entities) that handle personal information. The APPI also distinguishes between personal information and personal data (which the APPI defines as personal information that constitutes part of a personal information database). Obligations on business operators vary depending on whether the business operators acquire, use, or provide, personal information or personal data.

AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2, and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.

The Personal Data Protection Act 2012 (PDPA) is the law that applies to the protection of personal data in Singapore, including when the personal data is transferred internationally for processing. The PDPA governs the collection, use, disclosure and protection of personal data.

AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2, and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.

AWS supports many healthcare organizations globally by providing the technology needed to move at the speed necessary to have an impact—from using medical data-sharing to diagnose previously unknown diseases, to identifying new viruses to prevent another pandemic, and many other critical functions—all while enabling customers to meet the highest security and compliance requirements. As one example, the Integrated Health Information Systems (IHiS) in Singapore, the agency responsible for supplying the enabling technologies that power Singapore public healthcare, turned to AWS to securely scale its vaccination operations IT systems to sustain significantly higher loads at very short notice, from an initial load of 8,000 daily vaccinations to a peak of 80,000 daily vaccinations within
four weeks.