AWS Partner Network (APN) Blog
How hc1.com Architects for HIPAA Compliance in the Cloud
Aaron Friedman is a Healthcare & Life Sciences Partner Solutions Architect with Amazon Web Services
An individual’s relationship with his or her doctor and caregivers is of utmost importance – especially when serious health problems arise. Yet patients can easily end up feeling like they are just a number, rather than an important customer, as they traverse the many silos that make up a patient’s journey.
The hc1® Healthcare Relationship Cloud® was designed from the ground up to enable healthcare organizations to deliver the unified, personalized, superior service that all patients deserve. While healthcare entities store an abundance of data at both the provider and patient level, the challenge lies in quickly transforming massive volumes of disconnected clinical, diagnostic, billing, and preference data into holistic profiles that span providers and patients to foster a five-star service experience.
High quality health outcomes delivered at the lowest possible cost are central to the patient-provider relationship. It is critical for today’s healthcare organizations to establish a flexible and secure healthcare IT solution that brings the important issues requiring attention into focus in real-time. hc1.com realized very early on that in order to deliver the best customer experience possible, they needed to put the patient at the center and enable visibility across the healthcare spectrum. “The decision to build our solution on the cloud was deliberate,” according to hc1.com’s SVP of Technology, Laura Breedlove. “We did not want to be in the data-center business. Instead, we wanted to focus on delivering differentiating business value to healthcare. AWS made it easy for us to build a secure, highly available platform, while also providing agility to adapt to the evolving needs of our customers. We do all of this on AWS while maintaining the appropriate compliance standards.”
Securing protected health information (PHI) is paramount for hc1.com. The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes protocols for working with PHI for both covered entities and their business associates. hc1.com has the flexibility to use the HIPAA-eligible services on the AWS Cloud under the AWS Business Associate Addendum (BAA) and in accordance with our guidance.
The hc1 platform
Per the AWS BAA, only HIPAA-eligible AWS services may touch PHI in hc1.com’s platform. One of the things that I love about how hc1.com has built their platform on AWS is how they have taken care to understand which portions of their application store, process, and transmit PHI, and are therefore subject to the BAA. For the remaining portions of their platform, they leverage the full suite of AWS services to deliver the best possible experience to their customers. Here is a diagram of the services utilized by their platform:
Through the array of AWS’ HIPAA-eligible services, hc1.com is able to address many of the core needs for their platform, which I understand was designed as follows:
Storage and Archival: hc1.com uses a tiered storage strategy to reduce costs while securing their data. All of the data in their Amazon S3 buckets is encrypted and over time archived to Amazon Glacier.
High Availability and Resiliency: Elastic Load Balancing securely distributes web traffic to encrypted Amazon EC2 instances over multiple Availability Zones within an AWS Region. Also, many of our partners are moving to a microservices-based architecture to allow for better resiliency in their applications. hc1.com uses Amazon ECS to orchestrate Docker containers on Amazon EC2 that run these microservices. All PHI is processed on Amazon EC2 to remain compliant with the BAA.
Rapid Data Retrieval: Realizing the value of not configuring and managing a database themselves, hc1.com is actively converting to Amazon RDS services for their database tiers. As the stored data often contains PHI, these databases are all encrypted at rest.
Data Warehousing and Analytics: Amazon Redshift is a fully-managed data warehouse that is a HIPAA-eligible service under our BAA. hc1.com encrypts their Amazon Redshift clusters and can quickly and cost-effectively analyze all of their data.
Security: In addition to the services shown above, hc1.com leverages AWS’ full suite of DevSecOps services including Amazon CloudWatch and AWS CloudTrail for logging, AWS Identity and Access Management for authorization, and AWS Key Management Service for key management. None of these services touch PHI on their platform.
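The post says hc1.com's S3 data is encrypted and that traffic is carried securely, but does not show how either control is enforced. As an added example (not hc1.com's or AWS's code), here is one way to make a PHI bucket enforce both: a bucket policy that denies unencrypted uploads and plain-HTTP access, plus a small offline evaluator of its Deny statements so the two IAM condition semantics can be checked against constructed requests. The bucket name and request contexts are constructed; the condition keys s3:x-amz-server-side-encryption and aws:SecureTransport are real S3/IAM keys, and whether hc1.com uses a policy of this shape is an assumption.

```python
import json

BUCKET = "hc1-phi-example-bucket"  # constructed placeholder, not a real bucket

PHI_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny any PutObject that does not ask for SSE-KMS encryption at rest
            "Sid": "DenyUnencryptedPut",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Deny every request, on the bucket or its objects, that arrives without TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

def _condition_matches(cond, ctx):
    """Evaluate the two IAM operators used above against a request context.
    IAM semantics: a negated operator (StringNotEquals) matches when the key is
    absent, so an upload that sends no encryption header is still denied; a
    Bool condition does not match when its key is absent."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals" and have == want:
                return False
            if op == "Bool" and str(have).lower() != want:
                return False
    return True

def denied_by(policy, action, ctx):
    """Return the Sids of Deny statements that block this request (empty means not denied)."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if st["Action"] != "s3:*" and st["Action"] != action:
            continue
        if _condition_matches(st["Condition"], ctx):
            hits.append(st["Sid"])
    return hits

if __name__ == "__main__":
    print(json.dumps(PHI_BUCKET_POLICY, indent=2))
    # constructed request: PutObject over HTTPS with no encryption header
    print(denied_by(PHI_BUCKET_POLICY, "s3:PutObject", {"aws:SecureTransport": True}))
```

The evaluator only models the two Deny statements above; a real request is also subject to the IAM and other policies that apply to the caller.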
In areas of the application where PHI is not involved, hc1.com uses additional AWS services to deliver the best possible value to their customers. Amazon CloudSearch is used to let customers search non-PHI data quickly and easily, and Amazon CloudFront is used to distribute non-PHI images to their customers. They have built custom logic designed to prevent these services from touching PHI, and they contract annually with a third party to perform a HIPAA risk assessment to ensure appropriate control mechanisms are in place.
Remaining agile in a compliant world
As additional services are added to the AWS BAA and can then be used to store, process, and transmit PHI, hc1.com evaluates each service to determine how they can leverage these new capabilities. hc1.com removes all PHI from its development and test cycles, which allows rapid experimentation with AWS services and faster time-to-market when AWS announces new HIPAA-eligible services.
Speed and cost of our services are always important design principles for Healthcare Partners as they look to enhance the customer experience. Amazon Aurora is a MySQL-compatible database that delivers increased performance at a fraction of the cost. At re:Invent 2016, we announced that Amazon Aurora (MySQL-compatible) is now HIPAA-eligible. Without having to make any updates or sign new paperwork, hc1.com can take advantage of this new capability under our BAA and is actively evaluating a switch from their MySQL instances to Aurora.
Deriving insights without sacrificing security
One of the byproducts of focusing on the customer experience and delivering real-time, unified healthcare data to their users is that hc1.com has built a high-fidelity, aggregated data set that they can mine for new insights. Through live processing performed in a proprietary data refinery, hc1 Insight™ delivers actionable information through the aggregation, connection and modeling of healthcare data, while the hc1 Healthcare Relationship Management (HRM) platform facilitates effective healthcare consumer engagement, coordination and education across the continuum of care.
hc1 Insight™ connects and organizes vast volumes of data as an on-demand data information service platform to create rich patient and provider profiles, uncover hidden relationships, produce actionable intelligence, and positively influence behavior by automating the process of tracking behavior patterns and communicating the behavior patterns across providers, patients, consumers, payers, healthcare organizations, and employers. hc1 Insight, also natively built on AWS, provides elastic, scalable compute resources to meet constantly growing data volume requirements, all while adhering to the appropriate regulatory requirements. Through this elasticity, hc1 Insight utilizes proprietary master data management to drive additional enhanced data relationships between patients, providers and other unique data elements. These combined platform capabilities enable hc1 Insight to deliver a value that is differentiated and powerful for all healthcare entities.
By using AWS, hc1.com has been able to easily integrate the appropriate analytics tools into their existing platform. While their data currently resides in a data warehouse on HIPAA-eligible Amazon Redshift, they can also analyze it with Amazon EMR (also HIPAA-eligible) or, for non-PHI data, with our newly launched managed interactive query service, Amazon Athena.
Conclusion
Security and compliance should always be at the forefront of your mind when developing applications that incorporate patient data. While this means that you will have to take certain extra steps to confirm compliance under the appropriate regulatory entities, you do not have to do so at the expense of the patient-provider relationship. As an APN Healthcare Competency Partner, hc1.com has demonstrated that they understand both the security and compliance requirements for HIPAA workloads while still providing excellent value to their customers. By leveraging AWS services, laboratories, hospitals, and post-acute care networks have a cloud platform optimized for performance, scalability, and security, all essential elements in a value-based care delivery model.
If you’re interested in learning more about how AWS can add agility and innovation to your healthcare and life sciences solutions, be sure to check out our Cloud Computing in Healthcare page. Also, don’t forget to learn more about both our Healthcare and Life Sciences Competency Partners and how they can help differentiate your business.