An Amazon job posting for a HIPAA Compliance Lead potentially indicates that the technology company is looking to expand into the healthcare space.
The individual hired for the healthcare privacy and security position will help Amazon in a “new initiative,” the posting stated.
“You will work alongside product managers, software developers, bizdev, and legal teams to ensure that our services are in compliance with HIPAA security and privacy requirements,” Amazon said.
The position will also require the individual to create “a HIPAA security and compliance program to ensure that technology and business processes meet our HIPAA Business Associate Agreement (BAA) requirements, as well as all applicable federal and state laws, regulations and standards,” Amazon added.
Employee education and training, monitoring and auditing, conducting and documenting investigations, addressing violations, and monitoring corrective actions must also be included in the security and compliance program.
The ideal candidate will also need to understand OIG compliance standards, in addition to how HIPAA privacy and security requirements “map to security standards such as ISO 27001, SOC 1/2/3, NIST 800-53 and others.”
Amazon has been inching into the healthcare space for some time. Reports first surfaced in July 2017 that Amazon had started a secret skunkworks lab dedicated to healthcare IT, with the aim of improving EHRs, telemedicine, and other emerging health IT infrastructure.
Called 1492, the health IT team was set to work on interoperability among disparate EHR systems. This would simplify how healthcare organizations migrate to new EHR systems and help entities share data with other healthcare systems.
In November 2017, Amazon partnered with Cerner to help entities make better use of the data collected by patients and clinicians, using the Amazon Web Services (AWS) cloud.
CNBC reported that Amazon was hoping to expand its cloud services into the healthcare space.
Cerner first started utilizing AWS in 2016 for storage, compute, networking, databases, and disaster recovery.
“What the companies are set to unveil now is potentially much more significant, because it gives big medical institutions access to the HealtheIntent analytics engine at AWS speed and scale and with additional artificial intelligence technologies,” CNBC stated. “For example, a hospital that wants to analyze the likely outcome of a group of people in Australia could quickly set up a HealtheIntent project because AWS has locations across the Asia-Pacific region.”
As reported by HITInfrastructure.com, expanded healthcare public cloud options give major vendors the opportunity to work with health IT companies to build public cloud tools that can handle increasing amounts of data.
“Health IT public cloud tools can potentially give organizations that would not be able to afford on-premises deployments, custom tools, or on-site maintenance the opportunity to take advantage of advancing technology,” HITInfrastructure.com explained.
OCR also recently stressed the need for strong cloud security, especially as covered entities and business associates conduct risk analyses.
“Misconfigurations of file sharing and collaboration tools, as well as cloud computing services, are common issues that can result in the disclosure of sensitive data, including ePHI,” OCR explained in its June 2017 cybersecurity newsletter. “Too often, access, authentication, encryption and other security controls are either disabled or left with default settings, which can lead to unauthorized access to or disclosure of that data.”
Business associate agreements will also help ensure that each party will be “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
The newsletter also urged organizations to refer to OCR’s guidance on cloud computing that was released in 2016. The updated guidance focused largely on cloud service providers (CSPs).
“Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate,” the guidance stated. “The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.”