
> 1. AWS beats all others when it comes to security [1].

While the compliance and security links are impressive, AWS still doesn't offer a BAA agreement for HIPAA/HITECH compliance.

There are plenty of health care companies that are held back from AWS for this single reason.

Surprisingly enough Microsoft is leading in this respect (or not, given their historical enterprise focus...) - http://www.windowsazure.com/en-us/support/security-and-compl...



This is not entirely correct. AWS does offer AWS GovCloud, which provides an environment that enables agencies to comply with HIPAA regulations [1]. You have to be a US government organization to use it though.

Updated: AWS also has a whitepaper on Creating HIPAA-Compliant Medical Data Applications with AWS [2]. Looks like this is supported on the standard non-GovCloud stack.

[1] http://aws.amazon.com/about-aws/whats-new/2011/08/16/announc...

[2] http://media.amazonwebservices.com/AWS_HIPAA_Whitepaper_Fina...


The trouble with HIPAA requirements is that they're not clearly defined and are open to a variety of interpretations.

Our experts advise a safe, CYA approach and mandate a BAA agreement is in place with every partner touching sensitive patient data, even if encrypted and protected on multiple levels. Thus far Amazon is not accommodating to such a request.

Others have their own opinions and, in the end, we all weigh the risks vs. rewards (including Amazon itself - I'm sure they've plenty of reasons for operating in their present gray area).


I worked for a major hospital once and they were all about the CYA agreements. The funny thing was that HIPAA is more a state of mind, not a 100-point punch list. So you're really just practicing CYA more than anything else.


I don't believe you need to be a US government organization to use the GovCloud region. I think you just have to be a US corporation or person and pay through the nose. It's only available directly via signing an actual contract, not a la carte like normal AWS services.


As of March 2013 (two years past those publish dates), Amazon has still not agreed to the legal "Business Associate Agreement" provisions of HIPAA that would permit you to use their services to store Protected Health Information. They said they are considering it, but this has been the status for quite some time. Rackspace, on the other hand, has agreed (for a surcharge).


According to Amazon, their employees are not allowed to access your data, so you don't need to sign a business associate agreement with them to be HIPAA compliant. I imagine this is similar to how sending patient information through the post office is not considered a disclosure to the post office.


Unfortunately, contracts with most medical companies or governments handling HIPAA data disagree.


Actually, the HMO I worked for did. Every vendor, such as ISPs, colos, and some API suppliers, had to sign the CYA agreement. Most of them are aghast when you ask them to sign. Basically they have to take on all of the liabilities. I've never seen it have to be exercised, however.


Do you sign business associate agreements with your colo facility, ISP, and landlord? They also are physically capable of accessing your data, even though they are legally or contractually forbidden from doing so.


The orgs that I have worked with draw the line somewhere between colo and ISP: anyone with potential access to unencrypted network traffic or who is operating equipment containing affected data. Usually the lawyers can agree to contractual terms for the landlord without a BAA.

I'm not arguing that it makes sense, just that it happens.


And there are plenty of health care companies that evaluate AWS and decide they don't need a BAA, due to the way the system is constructed. This is a "your legal team" issue, not a global issue (i.e., it's an issue, but not a blanket problem for everybody).
