undefined | Better HN

0 pointsscarface_743y ago0 comments

> Amazon to basically rubber stamp these architectures and solutions with a HIPAA BAA so that companies think they can call themselves "HIPAA compliant".

N-2 companies ago I was a tech lead in 2015 where we were migrating to AWS. AWS was constantly explaining which underlying services were HIPAA compliant and what you build on top of it was your responsibility. I had to answer to separate non AWS compliance folks about my architecture.

AWS also gave guidance. But made no promises that your implementation was compliant. That’s where the entire “shared responsibility model” comes in.

Now, I work at AWS in ProServe. I am very familiar with our messaging regarding HIPAA compliance. We are very careful not to rubber stamp things as compliant. I know the best practices in and out. But when I’m asked if something is compliant, I say this is the guidance we are given. I’ll do a presentation before an Architecture Review board. But I would never make anything that hints as a guarantee.

0 comments

2 comments · 1 top-level

kkielhofner2y ago· 1 in thread

Both anecdotal experiences but in my recent exercises with HIPAA compliance with AWS, etc they were nowhere near this explanatory/helpful.

The messaging/communication was more like what I described - "Oh yeah here's BAA you're good to go".

scarface_74OP2y ago

How large were your employers? If you have Enterprise support, you definitely get one or more TAMs dedicated to helping your company.

If you are a smaller organization, you may be able to request an SA.

My personal experience is from when companies pay for consulting hours from ProServe.

At the n-2 company I referred to above, the only thing we got from AWS is a BAA and we had an outside consulting company and compliance auditors. I was just learning AWS then.

j / k navigate · click thread line to collapse