There is a lot of confusion around using Amazon Web Services (AWS) for healthcare technology infrastructure. We constantly hear questions like, “Is it possible to get a business associate agreement (BAA) with AWS?” or, “Doesn’t AWS HIPAA Compliant services cost $1,500 per month?” With how opaque Amazon’s website is on the matter, and with the hidden pathways to actually signing a BAA with Amazon, it is no wonder there is so much uncertainty surrounding the AWS HIPAA Compliant Cloud.
We want to share with you what we have learned in our experience using AWS for healthcare.
Let’s start at the beginning.
AWS does offer HIPAA Compliant services, and you can sign a BAA with Amazon. At the time this post was written, there were 10 AWS HIPAA-eligible services: Snowball, DynamoDB, EBS, EC2, Elastic MapReduce, Elastic Load Balancing (ELB), Glacier, Relational Database Service (RDS) [MySQL, Oracle, PostgreSQL only], Aurora (MySQL-compatible only), Redshift, and S3. This list may mean nothing to you, but it will mean a lot to your software/IT partner, because it sets the boundaries for the architecture of your application: anything handling protected health information has to live on one of these services, and for RDS and Aurora only the listed engines count.
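Because the eligible-service list constrains the architecture, it helps to check a deployment template against it before anything is built. The script below is an added example and not code from the original post or from AWS: it scans a CloudFormation template (a constructed sample is embedded) and flags resources whose service is not on the list quoted above, plus RDS and Aurora databases whose engine falls outside the MySQL/Oracle/PostgreSQL and MySQL-compatible restrictions. The mapping from CloudFormation resource types to service names, the engine-name patterns, and the sample template are all my assumptions, and the service list reflects the post's date, so verify it against the current AWS list before relying on it.

```python
"""Flag CloudFormation resources outside the HIPAA-eligible service list.

Added example (not from the original post or AWS). The eligible list is the
one quoted in the post as of 1/31/17; the resource-type mapping, engine
patterns and the sample template are assumptions for illustration.
"""
import json

# Services the post lists as HIPAA-eligible (labels are my own short names).
ELIGIBLE_SERVICES = {
    "Snowball", "DynamoDB", "EBS", "EC2", "EMR", "ELB",
    "Glacier", "RDS", "Aurora", "Redshift", "S3",
}

# Assumed mapping of CloudFormation resource types to service labels.
# Types not in this table are reported for manual review rather than ignored.
RESOURCE_TYPE_TO_SERVICE = {
    "AWS::EC2::Instance": "EC2",
    "AWS::EC2::SecurityGroup": "EC2",
    "AWS::EC2::Volume": "EBS",
    "AWS::RDS::DBInstance": "RDS",
    "AWS::RDS::DBCluster": "Aurora",
    "AWS::S3::Bucket": "S3",
    "AWS::DynamoDB::Table": "DynamoDB",
    "AWS::ElasticLoadBalancing::LoadBalancer": "ELB",
    "AWS::Redshift::Cluster": "Redshift",
    "AWS::EMR::Cluster": "EMR",
    "AWS::Lambda::Function": "Lambda",   # not on the post's list
    "AWS::SQS::Queue": "SQS",            # not on the post's list
}

# Engine restrictions from the post: RDS only MySQL, Oracle, PostgreSQL;
# Aurora only the MySQL-compatible edition.
RDS_ELIGIBLE_ENGINE_PREFIXES = ("mysql", "oracle-", "postgres")
AURORA_ELIGIBLE_ENGINES = {"aurora", "aurora-mysql"}


def check_template(template):
    """Return a list of (logical_id, resource_type, reason) findings."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        service = RESOURCE_TYPE_TO_SERVICE.get(rtype)
        if service is None:
            findings.append((logical_id, rtype, "unmapped resource type; review manually"))
            continue
        if service not in ELIGIBLE_SERVICES:
            findings.append((logical_id, rtype, f"{service} is not on the HIPAA-eligible list"))
            continue
        # Service is eligible; now apply the per-engine restrictions.
        engine = str(props.get("Engine", "")).lower()
        if rtype == "AWS::RDS::DBInstance" and not engine.startswith(RDS_ELIGIBLE_ENGINE_PREFIXES):
            findings.append((logical_id, rtype,
                             f"RDS engine '{engine}' not eligible (MySQL, Oracle, PostgreSQL only)"))
        elif rtype == "AWS::RDS::DBCluster" and engine not in AURORA_ELIGIBLE_ENGINES:
            findings.append((logical_id, rtype,
                             f"Aurora engine '{engine}' not eligible (MySQL-compatible only)"))
    return findings


def template_is_clean(template):
    """True when no resource was flagged."""
    return not check_template(template)


# Constructed sample template: two compliant resources, four that get flagged.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebServer":     {"Type": "AWS::EC2::Instance", "Properties": {"InstanceType": "t2.micro"}},
    "PatientDb":     {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres"}},
    "ReportsDb":     {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "sqlserver-ex"}},
    "AuroraCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-postgresql"}},
    "Thumbnailer":   {"Type": "AWS::Lambda::Function", "Properties": {"Runtime": "python3.6"}},
    "AlertsTopic":   {"Type": "AWS::SNS::Topic", "Properties": {}}
  }
}
""")

if __name__ == "__main__":
    for logical_id, rtype, reason in check_template(SAMPLE_TEMPLATE):
        print(f"{logical_id} ({rtype}): {reason}")
```

Run against a real template, the output is a review list for your IT/DevOps partner rather than a verdict: an unmapped type is not automatically a problem, and a flagged service may still be fine if it never touches protected health information, but every line is a question that should be answered before the Executable BAA is signed.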
What about cost?
Despite the rumors, AWS HIPAA Compliant services alone do not cost $1,500 per month. However, if you do not provide your own IT/DevOps personnel to configure, deploy, and maintain your environments, and instead have AWS provide that service by default, it will cost you that kind of money. $1,500 per month is the typical rate for other solutions, Datica (formerly Catalyze.io) being a great example. If you are only paying for the infrastructure (EC2, RDS, S3) and not the servicing, it will cost you about $200 a month (assuming two environments). It is important to note that, like any utility bill, this cost can increase or decrease over time depending on usage. Most likely, it will increase as your healthcare application gains more traction.
Why so expensive?
How does Amazon (or Datica) justify $1,500 per month? Short answer: because they can. HIPAA is known for its unforgiving violation and enforcement policy, where a single violation or breach can cost $50,000, up to a maximum of $1.5 million. If a cloud service is truly promising to protect you from breaches and shield you from those fines, $1,500 per month seems reasonable. However, and this can't be emphasized enough, if you have a competent IT/DevOps partner that understands HIPAA, has a strong Information Security policy in place, and can configure, deploy, monitor, and patch your environments, you can easily save $1,000 per month.
Now, how about that BAA?
Why can’t it be found on Amazon’s website? Amazon, unfortunately, decided to funnel healthcare leads through its sales department. In order to get a BAA signed with Amazon (which is required for HIPAA compliance) you need to contact the sales department and begin a conversation. Amazon presumably does this for two reasons: 1) To make sure you know what you are doing; and 2) To sell you the expensive $1,500 monthly services regardless. It is a convoluted process, but you have to endure it. Assuming you are going to have another partner or vendor spin up your infrastructure in AWS, and the sales rep understands this, then that sales rep will begin to act as an intermediary between the Amazon legal department and you.
How the Amazon Web Services BAA process works (as of 1/31/17):
- The Amazon sales rep will first initiate an NDA for you to sign. It will arrive within 48 hours via DocuSign.
- Once the NDA is signed and your sales rep receives it, they will submit it to Amazon legal along with a BAA request.
- You should then receive a “Review Only” BAA in 2-3 business days. This is a courtesy legal document, allowing you to know the terms.
- Once you are near production ready, you can request what is known as an “Executable BAA” from your sales rep. Once requested, it should take another 2-3 business days to receive.
- Once you sign and return the Executable BAA with Amazon, you are all set and HIPAA Compliant in the AWS Cloud.
Some lessons we have learned from this process:
- That first BAA is really for review only. Don’t try signing it and returning it.
- The signer of the BAA needs to hold an email address on the business domain to which the BAA will apply. For example, if your disruptive new healthcare app and business is called PatientXD, the signer’s email address needs to be on the PatientXD company domain; a personal address on a public email provider will not be accepted.
- Similarly, the name on the Amazon account needs to be the business name in association with the BAA. Additionally, the email address on said Amazon account should be the email of the BAA signer.
What about the Datica solution?
We vetted Datica (at the time Catalyze) as an alternative to Amazon for one particular enterprise engagement. The difference with Datica is you cannot have an external vendor configure and deploy its services, like you can with AWS. It is certainly a trusted solution, but because we have our own incredible IT/DevOps partner, Datica wasn’t robust enough to justify the cost. But that’s for another discussion.
Hopefully, this post has shed some light on the journey towards HIPAA compliance utilizing AWS. So remember:
- AWS is a great solution for cloud hosting healthcare environments.
- HIPAA compliance with AWS doesn’t necessarily mean $1,500/mo, but it will if you don’t have a good IT/DevOps partner.
- You must go through a salesperson to get a BAA with Amazon in place.
Best of luck in your pursuit of improving healthcare!