
Amazon S3 HIPAA Compliance

Development
3 min read

Amazon S3 is the most widely used cloud object storage service. It lets you store and retrieve any amount of data from anywhere at any time, and like most AWS services it is inexpensive, fast, and durable, which makes it a common choice for file storage behind mobile and web applications.


Is Amazon S3 HIPAA Compliant?

Sort of. Amazon S3 is on Amazon's list of HIPAA Eligible Services. Notice the wording: "eligible," not "compliant." Eligibility means AWS will cover the service under its Business Associate Agreement; whether your use of S3 is HIPAA compliant depends entirely on how you configure and operate it. This is the shared responsibility model as it applies under a HIPAA BAA: AWS is responsible for the security of the underlying service, and you are responsible for how PHI is stored, encrypted, accessed, and logged inside it. Here are some steps you can take to use Amazon S3 securely and maintain HIPAA compliance.

Sign a Business Associate Agreement (BAA) with Amazon

Any time you store protected health information (PHI) with a third party, you need a BAA with that party, and AWS is no exception. The AWS BAA is accepted through AWS Artifact in the AWS console, and it covers only the HIPAA Eligible Services, so PHI must stay inside those services. The BAA also requires that PHI be encrypted in transit and at rest; for S3 that means enabling default bucket encryption (SSE-S3 or SSE-KMS) and allowing only TLS connections. We recommend starting this process early so that you have a HIPAA-compliant AWS account in place before any PHI is stored.

Set Appropriate Access Controls

Within a HIPAA-compliant infrastructure, only the people and applications that need a given piece of data should be able to reach it. For Amazon S3 that means three things. First, turn on S3 Block Public Access at the account level so that no bucket ACL or bucket policy can make objects public, whatever a later misconfiguration says. Second, grant access with AWS Identity and Access Management (IAM) policies and bucket policies scoped to specific principals, actions, and prefixes: an application runs under an IAM role with only the s3:GetObject and s3:PutObject permissions it needs on the prefix it owns, and people get read access only when their job requires it, ideally through short-lived role sessions rather than long-lived access keys. Third, keep an audit trail: HIPAA's audit controls standard (45 CFR 164.312(b)) expects you to record activity on systems holding PHI, and S3 server access logging or CloudTrail data events for the bucket record who read or changed which object. Review every bucket policy for an Allow statement whose Principal is "*"; that is the single most common way PHI ends up on the public internet.
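As an added example (not code from this article or from AWS), here is a Python module that builds a least-privilege bucket policy for a PHI bucket, states the Block Public Access settings as the S3 API expects them, and audits any bucket policy document for Allow statements granted to everyone. The bucket name, account ID, and role name are hypothetical; the PUBLIC_READ_POLICY is a constructed sample of the kind of policy that makes a bucket public.

```python
import json

# Account- or bucket-level switch that makes public ACLs and public bucket policies
# ineffective. Same keys as PublicAccessBlockConfiguration in the S3 API.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def phi_bucket_policy(bucket: str, app_role_arn: str) -> dict:
    """Bucket policy for a PHI bucket: one application role may read and write
    objects, and every request from anyone is refused unless it arrives over TLS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AppRoleObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": app_role_arn},   # a named principal, never "*"
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{arn}/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _wildcard_principal(principal) -> bool:
    """True for the two spellings of 'everyone' in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: dict) -> list:
    """Describe each Allow statement granted to everyone. An unconditional one
    makes the bucket public; a conditional one still needs a human to review it."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written bare
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Condition"):
            findings.append(f"{sid}: Allow to everyone, limited only by a Condition")
        else:
            findings.append(f"{sid}: unconditional Allow to everyone (public)")
    return findings


# Constructed sample: the policy that "make my bucket public" tutorials hand out.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::phi-records-example/*",
    }],
}

if __name__ == "__main__":
    policy = phi_bucket_policy("phi-records-example",
                               "arn:aws:iam::123456789012:role/phi-app")
    print(json.dumps(policy, indent=2))
    print("hardened policy findings:", public_statements(policy))
    print("public-read policy findings:", public_statements(PUBLIC_READ_POLICY))
```

The policy dictionary is what you would pass to `put_bucket_policy` (as a JSON string) and BLOCK_PUBLIC_ACCESS to `put_public_access_block` in boto3; the audit function is the check to run over every bucket policy in the account, since Block Public Access stops a public policy from taking effect but does not stop someone from writing one.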

Use S3 Presigned URLs

S3 presigned URLs let you hand out a time-limited URL for a single object in a private bucket. The URL carries a signature computed with the credentials of whoever generated it, so the bearer gets exactly that identity's permission on that one object until the expiry in the URL passes; the expiry is part of what is signed, so it cannot be extended by editing the link. Use presigned URLs instead of making objects public or embedding AWS credentials in a mobile or browser client, and keep the lifetime short (minutes for a download link; S3 refuses anything over seven days). A presigned URL is still a bearer token: anyone who obtains it before it expires can use it, so the short lifetime is what limits the damage if a link to a resource containing PHI is leaked somehow, and your access logs are what tell you whether it was.
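To show why the expiry cannot be tampered with, here is an added example (not from this article, and not AWS's own code) that builds a SigV4 presigned GET URL by hand with only the standard library and then models the check S3 performs on it: expiry first, then the signature. The bucket, key, access key, secret, and region are hypothetical values; in production you would call boto3's `generate_presigned_url` rather than sign yourself, but the computation is the same, which is what makes the demonstration meaningful.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects SigV4 presigned URLs valid for more than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, datestamp: str, region: str) -> bytes:
    # SigV4 key derivation: date, region, service, then the fixed terminator.
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    def enc(s):
        return urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(host, path, params, secret_key, datestamp, region, amz_date, scope) -> str:
    # The canonical request binds the host, the path and EVERY query parameter,
    # which is why X-Amz-Expires cannot be edited after the fact.
    canonical_request = "\n".join([
        "GET", path, _canonical_query(params),
        f"host:{host}\n",      # canonical headers, each terminated by \n
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned URLs never bind a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret_key, datestamp, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret_key, region, expires_in, now):
    """Return a presigned GET URL valid for expires_in seconds from `now` (UTC)."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("expires_in must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + urllib.parse.quote(key, safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(host, path, params, secret_key,
                                           datestamp, region, amz_date, scope)
    return f"https://{host}{path}?{_canonical_query(params)}"


def verify_presigned_get(url, secret_key, now):
    """Model of the server-side check. Returns (accepted, reason)."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    given = params.pop("X-Amz-Signature", None)
    if given is None:
        return False, "missing signature"
    try:
        _, datestamp, region, service, terminator = params["X-Amz-Credential"].split("/")
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires_in = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed query"
    if not 1 <= expires_in <= MAX_EXPIRES:
        return False, "expiry out of range"
    if now > issued + timedelta(seconds=expires_in):
        return False, "expired"
    scope = f"{datestamp}/{region}/{service}/{terminator}"
    expected = _signature(parts.netloc, parts.path, params, secret_key,
                          datestamp, region, params["X-Amz-Date"], scope)
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("phi-bucket", "records/patient-123.pdf", "AKIAEXAMPLE",
                      "hypothetical-secret", "us-east-1", 300, issued_at)
    print(url)
    print(verify_presigned_get(url, "hypothetical-secret", issued_at + timedelta(seconds=60)))
    print(verify_presigned_get(url, "hypothetical-secret", issued_at + timedelta(seconds=301)))
```

The two failure paths are the point: a link used after X-Amz-Expires is refused before any signature work happens, and a link whose X-Amz-Expires was edited to a longer value fails the signature check because the original value was part of the signed canonical request. Note that the expiry is computed from the signing identity's session too: a URL signed with temporary role credentials stops working when that session ends, even if X-Amz-Expires is later.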

S3 Backups and Restoration

Amazon S3 Glacier is not a backup by itself. The Glacier storage classes are an inexpensive place to keep data you rarely read, and restoring from them takes minutes to hours, which is fine for archived records but not for anything an application serves. What actually protects PHI against accidental deletion, a buggy deploy, or a compromised credential overwriting objects is S3 Versioning, which keeps every prior version of an object (and records a delete marker instead of a real delete) until a lifecycle rule removes it. Turn versioning on, use lifecycle rules to move older versions to a Glacier class and to clean up incomplete multipart uploads, and consider S3 Object Lock or replication to a second account or region if the records must survive the loss of the bucket itself. HIPAA's contingency plan standard (45 CFR 164.308(a)(7)) expects a data backup plan and a tested recovery procedure, so rehearse the restore rather than assuming the archive will be there.
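As an added example (not a configuration from this article or from AWS's documentation), this lifecycle configuration keeps every prior version of every object, moves versions older than 30 days to the GLACIER storage class, and removes abandoned multipart uploads after a week. The bucket name is hypothetical; apply it after enabling versioning with `aws s3api put-bucket-versioning --bucket phi-records-example --versioning-configuration Status=Enabled`, then `aws s3api put-bucket-lifecycle-configuration --bucket phi-records-example --lifecycle-configuration file://lifecycle.json`.

```json
{
  "Rules": [
    {
      "ID": "retain-and-archive-prior-versions",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "NoncurrentVersionTransitions": [
        { "NoncurrentDays": 30, "StorageClass": "GLACIER" }
      ],
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    }
  ]
}
```

The rule deliberately has no NoncurrentVersionExpiration, so old versions are archived rather than deleted; add one only once your record retention policy says how long prior versions must be kept. Current objects stay in their original storage class so the application keeps serving them without a restore step.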

Get Help with HIPAA Services

If you need help setting up Amazon S3 to be HIPAA compliant, Flatirons Development can help. We have experience setting up all sorts of HIPAA-compliant cloud services. We are also a HIPAA-compliant software vendor, and we can sign a Business Associate Agreement with your organization. Contact us for more information.
