Use of Amazon Web Services
for Protected Health Information (PHI)
at the University of Washington
October 2017[1]
The UW has a contract for Amazon Web Services (AWS), which provides for the use of AWS services with appropriate security, privacy and compliance provisions. This contract is with DLT Solutions, Inc., an authorized reseller of AWS, and provides two important services for UW’s use of AWS: billing, and optional technical support. UW also has a Business Associate Agreement (BAA) with DLT, which covers a limited set of the AWS services. This document describes how to use AWS with Protected Health Information (PHI), and remain compliant with federal regulations (HIPAA) and UW policies for use of PHI.
Operational Considerations
There are a number of operational considerations for using AWS in a way that complies with HIPAA and with the UW BAA with the service provider, so prior to using AWS for Protected Health Information (PHI), please review these requirements and limitations:
- Only AWS Accounts that are provisioned through the UW-IT AWS service are covered by the UW contract and the BAA.
- Any account that will transmit, process, or store PHI must be pre-registered with DLT.
- Usage is limited (as of September 28, 2017) to approximately 40 AWS services, including Elastic Compute Cloud (EC2), Simple Storage Service (S3), Elastic Block Store (EBS), DynamoDB, Elastic MapReduce (EMR), Elastic Load Balancer (ELB), Glacier, Relational Database Service (RDS) (MySQL and Oracle engines only), and Redshift. Others may be added in the future. The current list of HIPAA-eligible services is documented in the AWS HIPAA-Eligible Services Reference.
- EC2 Dedicated Instances (about 10% more costly than standard shared instances) were formerly required for PHI workloads. Effective May 2017, Dedicated Instances are no longer required.
- You must encrypt data in transit and at rest.
- You must enable the highest level of audit logging that each AWS service you use makes available, and retain those audit logs for the period defined by the UW General Records Retention Schedule (which meets the HIPAA Security Rule's requirements for log data retention).
Architect Your Solution
Prior to deploying any PHI into AWS, you should consider how to architect your solution in order to comply with HIPAA and the terms of the BAA. Anybody at the University of Washington who utilizes PHI in their work must adhere to the policies and standards set forth by UW Medicine, as outlined below:
- Review the UW Medicine policies, standards and guidance regarding security and auditing requirements to comply with HIPAA and the BAA requirements. Compliance with these policies and standards is required.
  - Even if you are not a member of the UW Medicine workforce, you must follow the UW Medicine policies, standards and guidelines above.
- Review the Human Subjects Division policies and procedures for use of PHI in research.
- Review and understand the AWS Shared Responsibility Model.
- Review the AWS HIPAA Compliance White Paper.
- Review the NIST 800-66 resource guide.
- Register your AWS Account as “HIPAA Eligible”. You can do this in the DLT Portal during initial account setup, or later via email request to help@uw.edu with “AWS” in the subject line or body.
- Ensure that you are encrypting PHI in transit and at rest. Follow the UW Medicine encryption practices and encryption standards on the UW Medicine website referenced above; this applies to units outside UW Medicine as well. Further information can be found in the Health & Human Services publication, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, and in the AWS HIPAA Compliance White Paper referenced above.
- Ensure that you have enabled the highest level of audit logging provided by the AWS service(s) you will be using, as described in the AWS HIPAA Compliance White Paper. Retain these audit logs for the period defined by the UW General Records Retention Schedule.
- Review the Health & Human Services publication, Guidance on HIPAA and Cloud Computing.
- Consider consulting UW-IT’s Cloud and Data Solutions group for assistance in architecting an appropriate solution for your workload, which may include consultation with AWS solutions architects. Send email to help@uw.edu, asking for assistance using AWS for research.
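The two technical controls required above (encryption in transit and at rest, and the highest available audit logging) as they would be applied to a single S3 bucket holding PHI with the AWS CLI. This is an added example, not UW-IT's or AWS's own script: the bucket names, trail name, KMS key ARN and account ID are placeholders, and it assumes an AWS CLI profile for an account that has already been registered as HIPAA-eligible.

```shell
#!/bin/sh
# Added example (not UW-IT's or AWS's script). Placeholders: bucket names,
# trail name, and the KMS key ARN / account ID used below.
set -eu

# --- Encryption at rest: default SSE-KMS for the bucket ------------------
# Objects written without an explicit encryption header are still stored
# encrypted under the named customer-managed KMS key.
phi_encryption_config() {
  key_arn="$1"
  cat <<EOF
{"Rules":[{"ApplyServerSideEncryptionByDefault":
  {"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"${key_arn}"}}]}
EOF
}

# --- Bucket policy: deny plaintext transport and unencrypted writes ------
# Statement 1 (in transit): refuse every request not made over TLS.
# Statement 2 (at rest): refuse PutObject unless the caller asks for SSE-KMS,
# so a client cannot override the bucket default with "no encryption".
phi_bucket_policy() {
  b="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${b}", "arn:aws:s3:::${b}/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyUnencryptedPuts",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${b}/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
    }
  ]
}
EOF
}

# --- Audit logging: CloudTrail object-level (data) events for the bucket --
# Management events alone do not record who read or wrote individual PHI
# objects; data events for the bucket prefix are required for that.
phi_event_selectors() {
  b="$1"
  cat <<EOF
[{"ReadWriteType":"All","IncludeManagementEvents":true,
  "DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::${b}/"]}]}]
EOF
}

# Apply all three controls. Arguments: PHI bucket, KMS key ARN, trail name,
# bucket that receives the CloudTrail log files.
apply_phi_controls() {
  phi_bucket="$1"; kms_key_arn="$2"; trail="$3"; log_bucket="$4"
  aws s3api put-bucket-encryption --bucket "$phi_bucket" \
    --server-side-encryption-configuration "$(phi_encryption_config "$kms_key_arn")"
  aws s3api put-bucket-policy --bucket "$phi_bucket" \
    --policy "$(phi_bucket_policy "$phi_bucket")"
  # Multi-region trail with digest files, so later tampering with retained
  # logs is detectable; the log files themselves are KMS-encrypted at rest.
  aws cloudtrail create-trail --name "$trail" --s3-bucket-name "$log_bucket" \
    --is-multi-region-trail --enable-log-file-validation --kms-key-id "$kms_key_arn"
  aws cloudtrail put-event-selectors --trail-name "$trail" \
    --event-selectors "$(phi_event_selectors "$phi_bucket")"
  aws cloudtrail start-logging --name "$trail"
}

# Usage (all placeholders):
# apply_phi_controls phi-data arn:aws:kms:us-west-2:111122223333:key/EXAMPLE phi-trail phi-cloudtrail-logs
```

Two caveats a practitioner will hit: the log bucket's own policy must allow cloudtrail.amazonaws.com to write, and the KMS key policy must grant CloudTrail use of the key, or `create-trail` fails; neither is shown above. The trail covers S3 and API activity only; other eligible services (RDS, EMR, EC2) have their own audit logging that must be enabled separately, and the retention period from the UW General Records Retention Schedule is enforced on the log bucket with a lifecycle configuration, not by the trail.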
[1] First published, Nov 2016. Oct 2017: remove “Dedicated Instances” requirement.