164.312(a)(2)(iv) - Access Control — Encryption and Decryption - Implement a mechanism to encrypt and decrypt electronic protected health information.


Under HIPAA, encryption of data is "addressable," meaning that it must be implemented when reasonable and appropriate. If it is not, then a covered entity or business associate may document that it is not reasonable and appropriate, and implement an alternative equivalent measure if reasonable and appropriate.

Although addressable under HIPAA, the customer is required under the AWS Business Associate Addendum (BAA) to encrypt all PHI in transit or at rest, either through server-side encryption or client-side encryption, in order to minimize risk to both the customer and AWS under HIPAA and other laws.

The customer is responsible for employing any file encryption/decryption tools, PKI system, Amazon KMS, Amazon CloudHSM, etc. to provide any other encryption/decryption or key management capabilities required by the organization. By default, the Amazon ELB cipher suite does not allow the older and less secure RC4 encryption. If Windows XP and IE6 clients must be supported, an older cipher suite must be enabled within the load balancer listener HTTPS cipher settings.


With respect to encryption of data at rest, this architecture employs AES-256 server-side encryption in S3 and RDS databases, as well as full-disk encryption of an EBS data volume attached to the application/web server EC2 instances, so that ePHI can be stored on a local volume if required.

While this architecture includes secondary encrypted volumes for EC2 instances, the customer is responsible for configuring the system to use that volume according to organizational requirements, such as directing the paging file, system logging, and application logs to the secondary drive, so that ePHI does not spill onto a non-encrypted volume.
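The encryption settings described above (S3 and RDS server-side encryption, EBS volume encryption, and the absence of RC4 in the ELB listener cipher policy) are the items a customer would verify when confirming this control. The following Python is an added example, not code from the Quick Start or from AWS: it runs the checks over constructed dictionaries shaped after the boto3 responses for GetBucketEncryption, DescribeDBInstances, DescribeVolumes and DescribeLoadBalancerPolicies, so it executes offline with no AWS calls. The bucket names, instance and volume identifiers, and policy names are made up for the sample.

```python
"""Audit at-rest encryption and classic-ELB cipher settings from
describe-style data. Added example; the inputs are constructed
dictionaries modelled on boto3 response shapes, not live AWS output."""
from typing import Dict, List

# S3 default-encryption algorithms accepted as "server-side encrypted".
ACCEPTED_S3_SSE = {"AES256", "aws:kms"}


def unencrypted_buckets(bucket_encryption: Dict[str, dict]) -> List[str]:
    """Map of bucket name -> GetBucketEncryption response. An empty dict
    stands for a bucket where the call raised
    ServerSideEncryptionConfigurationNotFoundError (no default SSE)."""
    findings = []
    for name, resp in bucket_encryption.items():
        rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algos = {
            r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
            for r in rules
        }
        if not algos & ACCEPTED_S3_SSE:
            findings.append(name)
    return findings


def unencrypted_rds(describe_db_instances: dict) -> List[str]:
    """DescribeDBInstances: StorageEncrypted is False for plaintext storage."""
    return [
        db["DBInstanceIdentifier"]
        for db in describe_db_instances.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)
    ]


def unencrypted_volumes(describe_volumes: dict) -> List[str]:
    """DescribeVolumes: Encrypted is False for an unencrypted EBS volume."""
    return [
        v["VolumeId"]
        for v in describe_volumes.get("Volumes", [])
        if not v.get("Encrypted", False)
    ]


def rc4_enabled_policies(describe_policies: dict) -> List[str]:
    """DescribeLoadBalancerPolicies (classic ELB): each cipher is an
    attribute whose value is the string 'true' when enabled. Any enabled
    RC4-* cipher means the older, weaker suite has been turned back on."""
    hits = []
    for pol in describe_policies.get("PolicyDescriptions", []):
        for attr in pol.get("PolicyAttributeDescriptions", []):
            if attr["AttributeName"].startswith("RC4") and attr["AttributeValue"] == "true":
                hits.append(pol["PolicyName"])
                break
    return hits


def audit(buckets, rds, volumes, elb_policies) -> Dict[str, List[str]]:
    """Collect all findings; an empty list under every key means the
    encryption expectations of this control are met."""
    return {
        "s3_without_default_sse": unencrypted_buckets(buckets),
        "rds_unencrypted": unencrypted_rds(rds),
        "ebs_unencrypted": unencrypted_volumes(volumes),
        "elb_policies_with_rc4": rc4_enabled_policies(elb_policies),
    }


# Constructed sample data (not real account output).
SAMPLE_BUCKETS = {
    "phi-archive": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "phi-exports": {},  # no default encryption configured
}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "ephi-db", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "reporting-db", "StorageEncrypted": False},
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
]}
SAMPLE_ELB_POLICIES = {"PolicyDescriptions": [
    {"PolicyName": "default-tls-policy", "PolicyAttributeDescriptions": [
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "RC4-SHA", "AttributeValue": "false"}]},
    {"PolicyName": "legacy-xp-policy", "PolicyAttributeDescriptions": [
        {"AttributeName": "RC4-SHA", "AttributeValue": "true"}]},
]}

if __name__ == "__main__":
    for check, items in audit(SAMPLE_BUCKETS, SAMPLE_RDS,
                              SAMPLE_VOLUMES, SAMPLE_ELB_POLICIES).items():
        print(f"{check}: {items or 'OK'}")
```

In a real account the four sample dictionaries would be replaced by the corresponding boto3 calls, with GetBucketEncryption wrapped so that a ServerSideEncryptionConfigurationNotFoundError maps to an empty dict; the check functions themselves do not change.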

Impact of Resource Type(s):