By Stephanie Musal • December 20, 2016

Why AWS Doesn't Make You Fully HIPAA Compliant

What is AWS?

Amazon Web Services, also known as AWS, offers a suite of cloud computing services. It offers database storage, content delivery and other functionality to help businesses scale and grow digitally. While AWS is a subsidiary of Amazon, there are also a number of other competitors in this space with a similar offering, including Google Cloud.

Why AWS Doesn't Make You Fully HIPAA Compliant

AWS and Google Cloud extend their BAA to anyone who builds on them. While this is a wonderful step in the right direction, it is important for developers and healthcare investors to understand that this still leaves them responsible for, and exposed to, HIPAA breaches, fines, and prosecution.

Some Mobile Backend as a Service (mBaaS) companies boast that they provide a compliant platform, basing their claims on their reliance on Google Cloud and AWS, who offer a Business Associate Agreement (BAA) to partners. That BAA protects these providers from being sued in cases of breaches involving the cloud's global infrastructure and its actual storage and database services, as opposed to the data placed in the cloud. It therefore fails to account for vulnerabilities in the mBaaS company's own physical or programmatic security.

There are mBaaS companies that host their offering in a HIPAA compliant cloud available to everyone and anyone. When they say they have “partnered” with Google or AWS, the mBaaS company actually means it has just created a username and password for that provider's infrastructure.

Many mBaaS companies have looked at this BAA method as the foundation of their offering. This is not only immoral but also leaves healthcare organizations and patient data vulnerable.

What are you still responsible for in order to become compliant?

As someone using Google Cloud or AWS, it is important to note that you are still responsible and liable for customer data, the platform, applications, identity and access management, the operating system, network and firewall configuration, client-side data encryption and data integrity authentication, server-side encryption, and network traffic protection. The cloud provider's BAA covers none of these for you.

What happens if you fail to comply with HIPAA regulations in the Cloud?

Besides losing your customer base and exposing your organization to legal action, there are also criminal and civil penalties, including fines of $250,000 and imprisonment for up to 10 years.

Why CloudMine is compliance-obsessed

CloudMine recognizes the complexity of compliance and has already incurred the costs of R&D and licensing with third-party vendors to make sure things like firewalls, encryption and vulnerability scanning are already part of our offering.

There are already so many roadblocks in healthcare innovation and funding; we're here to help expedite your development. We would never want to mislead you by claiming a partnership with AWS and promising compliance that isn't backed by a third-party vendor.

At CloudMine we are compliance-obsessed healthcare geeks, and we're excited to help you make a difference in the world. Our BAA covers what's of the cloud and what's in the cloud, so you can keep focusing on changing lives.


Interested in learning more about HIPAA compliance? Download our ABCs of HIPAA ebook here.