
I believe it was already HIPAA compliant (or else I need to go into hiding).

The path to HIPAA compliance in AWS is just to arrange a business agreement with Amazon.




Amazon's BAA allows you to use only approved services [1] to process, store, and transmit ePHI. The list isn't very long; it's currently just 10 AWS services, and it doesn't include some basic ones like SQS. RDS with PostgreSQL was just added to that list this week (Aurora was also added, which is neat because now that it has a PostgreSQL front-end, I have two reasons to play with it).

[1] https://aws.amazon.com/compliance/hipaa-compliance/


RDS was only HIPAA for MySQL and SQL Server. PostgreSQL certification is brand new and a huge deal for some of my projects.


So I suppose this means storing data in Postgres RDS is HIPAA compliant now by default? I am not an expert in this, but I do have to sit through a day of training every year for this.

You should probably be doing a bunch of other things to be HIPAA compliant in AWS; it's not just a box you check off.

In the past you could be HIPAA compliant and use PostgreSQL RDS by signing a business associate agreement and doing things like using dedicated instances in their own VPC.


So I suppose this means storing data in Postgres RDS is HIPAA compliant now by default?

At a minimum, you'd still have to sign that BAA with them. I mention that not for you, but for anyone else at home thinking "oh, I can deploy RDS/PostgreSQL and be OK with HIPAA without doing anything else!" That's (still) not the case.

In logic terms, this certification is necessary but not sufficient. It's not sufficient by itself, but it is a hard requirement because RDS hasn't been covered under their BAA up until the last day or so. That is, it wasn't covered the last time I checked, maybe a week ago, but it is now today. This was confirmed by our AWS tech reps when we recently talked to them: they absolutely did not HIPAA certify PostgreSQL the last time we asked about it. And oh, how I promise you we talked about it.

In the past you could be HIPAA compliant and use Postgresql RDS by signing a business associate agreement and doing things like using dedicated instances in their own VPC.

Citation needed. We were told multiple times by our reps and solution architect that RDS+PostgreSQL was not certified in any way. The only AWS options we had for HIPAA PostgreSQL were 1) hosting our own instance (that is, not using RDS in any way, just plain old EC2) or 2) paying a third party for managed PostgreSQL hosting.


In the past (before this week), if you were storing ePHI in RDS with PostgreSQL, you weren't following the terms of the BAA.



