
HIPAA Compliance for LightTag-on-AWS

Details about HIPAA compliance for self hosted instances of LightTag

Written by Tal Perry. Updated over a week ago

HIPAA defines seven rules. In a self-hosted setting such as LightTag-on-AWS, the majority of these rules govern your organization's own practices and processes, which are independent of LightTag-on-AWS. More specifically, HIPAA deals with a "covered entity" handling PHI. When using LightTag-on-AWS, your organization (and AWS) are the only covered entities.

With that in mind, the HIPAA Security Rule defines four Technical Safeguards. Each is detailed below, together with information about how LightTag-on-AWS addresses it.

Access Control

A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

LightTag and LightTag-on-AWS implement modern authentication and authorization processes.

Audit Controls

A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

LightTag-on-AWS addresses HIPAA Audit Controls in two ways.

First, our logging infrastructure records every request made to LightTag-on-AWS.

Second, LightTag's datastore follows an immutable, append-only pattern, so the full sequence of accesses, appends, updates, etc. is always available.

Integrity Controls

A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.

As mentioned with regard to Audit Controls, LightTag's datastore follows an immutable, append-only pattern, so the full sequence of accesses, appends, updates, etc. is always available.
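To illustrate why the append-only pattern described under Audit Controls and Integrity Controls serves both safeguards, here is an added, self-contained example (not LightTag's own code): the only write path is an append, current state is derived by replaying the log, and every earlier version of a record stays visible. The record fields, action names and sample activity are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)  # frozen: a record cannot be modified once written
class Record:
    seq: int                # monotonically increasing position in the log
    actor: str              # who performed the action (assumed field)
    action: str             # "read", "append", "update" or "delete" (assumed names)
    entity_id: str          # the annotation or document the action touched
    payload: Optional[Dict[str, Any]] = None


class AppendOnlyStore:
    """Append-only datastore: no method exists to edit or remove a record."""

    def __init__(self) -> None:
        self._log: List[Record] = []

    def record(self, actor: str, action: str, entity_id: str,
               payload: Optional[Dict[str, Any]] = None) -> Record:
        # The only write path. Reads are logged too, so access is auditable.
        rec = Record(len(self._log), actor, action, entity_id, payload)
        self._log.append(rec)
        return rec

    def current(self, entity_id: str) -> Optional[Dict[str, Any]]:
        # Current state is derived by replay, never overwritten in place.
        state = None
        for rec in self._log:
            if rec.entity_id != entity_id:
                continue
            if rec.action in ("append", "update"):
                state = rec.payload
            elif rec.action == "delete":
                state = None  # tombstone: earlier versions remain in the log
        return state

    def history(self, entity_id: str) -> List[Record]:
        # Full sequence of access and change, for audit and integrity review.
        return [r for r in self._log if r.entity_id == entity_id]

    def __len__(self) -> int:
        return len(self._log)


def demo() -> AppendOnlyStore:
    # Constructed sample activity against one annotation, "ann-1".
    s = AppendOnlyStore()
    s.record("alice", "append", "ann-1", {"label": "diagnosis"})
    s.record("bob", "read", "ann-1")
    s.record("alice", "update", "ann-1", {"label": "symptom"})
    s.record("carol", "delete", "ann-1")
    return s
```

After the delete, `current("ann-1")` is `None`, yet `history("ann-1")` still returns all four records, including the version that was overwritten, which is what lets an auditor confirm nothing was silently altered.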

Transmission Security

A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Transmission security is your responsibility. In particular, it is your responsibility to implement SSL. For information on how to do so, please see our SSL guide.