Currently, the Health Information Trust Alliance Common Security Framework (HiTRUST CSF) certifies 64 Amazon Web Services (AWS) services. These HiTRUST-certified services include Amazon Elastic Compute Cloud, Amazon EMR, Amazon Redshift, and AWS Managed Services.

The HiTRUST certification lets AWS customers customize their security control baselines to many factors, including regulatory requirements and type of organization.

The CSF is “a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management,” according to HiTRUST.

HiTRUST developed the CSF framework in collaboration with health care and information security professionals. The CSF brings together the security controls from federal law, including HIPAA (Health Insurance Portability and Accountability Act), state law, and industry standards, such as PCI-DSS (Payment Card Industry Data Security Standard), into one framework geared toward use in the health care industry. 

Organizations can use the HiTRUST framework to comply with these other compliance standards:

  • HIPAA compliance 
  • PCI-DSS 
  • ISO/IEC 27000 series (comprising information security standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission)
  • NIST (National Institute of Standards and Technology) standards

To help customers comply with HIPAA and/or HiTRUST, AWS gives them access to AWS tools and services to protect the security and privacy of their protected health information (PHI) and personally identifiable information (PII). 

According to Amazon, more AWS customers, especially health care payers, are using the AWS Cloud to ensure compliance with HIPAA and HiTRUST.   Amazon Web Services offers its customers a Business Associate Addendum (BAA), a contract that is required under HIPAA rules to ensure that AWS appropriately safeguards their protected health information.

The BAA provides a list of HIPAA-eligible services that customers can use to process, store, and transmit protected health information under the BAA.