What makes the app HIPAA + FERPA Compliant?

Updated: Apr 30

Our AWS EC2 instance is encrypted, and no one can use it without the MyKeyStore.pem key file. All of our code is placed inside the encrypted directory, and the source is kept in a private repository on Bitbucket.org to which only we have complete access.

No one can deploy the code without the AWS sign-in username and password, and the FTP server also cannot be connected to without the MyKeyStore.pem file.

In our EC2 instance on AWS we have enabled only secure communication options, HTTPS or TCP over SSL/TLS, so that confidential PHI is protected end to end, and all PHI data is encrypted.

To access the RDS database, the MyKeyStore.pem file is also required.


We are using the SHA-256 cryptographic hash. For the message “hello how are you”, its SHA-256 digest is “f5bf53fcd6980fedeb2495657a489cd10f5fef01b52de3e309d42dca10908948”. All user data is encrypted, and no one can decrypt it without the key; we hold the private key for this.
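As an added illustration (not the app's own code), the following Python uses only the standard library to show what SHA-256 actually produces: a fixed 64-hex-character digest computed with no key at all, identical on every run for the same input, and not reversible. It also shows where a key does enter the picture, as HMAC-SHA256, which lets the key holder verify that data is unchanged but still cannot be "decrypted". The message string and key are constructed for the example; data that must be read back later needs authenticated encryption (for example AES-GCM from a cryptography library), which is not shown here.

```python
import hashlib
import hmac
import secrets


def sha256_hex(message: str) -> str:
    """Return the SHA-256 digest of a UTF-8 message as 64 hex characters.

    No key is involved: the same message always gives the same digest, and
    the digest cannot be turned back into the message.
    """
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def hmac_sha256_hex(key: bytes, message: str) -> str:
    """Return HMAC-SHA256(key, message) as hex.

    A keyed hash lets whoever holds the key check that a message is intact,
    but it is still one-way; the key does not let anyone recover the message.
    """
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: str, tag_hex: str) -> bool:
    """Constant-time comparison so a tag check does not leak timing information."""
    return hmac.compare_digest(hmac_sha256_hex(key, message), tag_hex)


def demo() -> dict:
    """Exercise the three functions on a constructed message and a random key."""
    msg = "hello how are you"  # constructed sample, same text as the page's example
    key = secrets.token_bytes(32)  # constructed key for this run only
    digest = sha256_hex(msg)
    tag = hmac_sha256_hex(key, msg)
    return {
        "digest_len": len(digest),                    # always 64 hex characters
        "deterministic": digest == sha256_hex(msg),   # no key, so always equal
        "tag_verifies": verify_tag(key, msg, tag),
        "tag_rejects_tamper": not verify_tag(key, msg + "!", tag),
        "tag_differs_from_plain_hash": tag != digest,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest of the page's message can be reproduced with `sha256_hex("hello how are you")`; because nothing secret goes into that computation, anyone with the same input gets the same output, which is the property that makes a hash useful for integrity checks and unsuitable as a substitute for encryption.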


All data passing through the internet gateway, whether from the website or the mobile application, is encrypted.

We use an indirection strategy. When a new object containing PHI is written to S3 via S3 Transfer Acceleration, an S3 trigger signals AWS Lambda to write the appropriate metadata to an Amazon SQS queue. A service running on Amazon EC2 polls the SQS queue and, if new data is available, pulls the PHI data from S3. A second Lambda function triggers a mobile alert notifying that processing of the data has begun. In this example only S3 and EC2 store, process, and transmit PHI; Lambda and SQS are used only to orchestrate services and to signal when jobs should begin.
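The S3 to Lambda to SQS to EC2 flow described above, as an added example that is not the app's own code. `FakeS3` and `FakeSqs` are constructed in-memory stand-ins that use the boto3 method names and keyword arguments (`put_object`, `get_object`, `send_message`, `receive_message`, `delete_message`) so the block runs offline; in a real deployment the same two functions would be handed `boto3.client("s3")` and `boto3.client("sqs")`. The queue URL, bucket name, object key and record contents are placeholders. What the code makes concrete is the separation the page relies on: the SQS message carries only a pointer (bucket, key, size), the EC2 poller fetches the PHI itself from S3, and the message is deleted only after processing succeeds so a crash leaves the job retryable.

```python
import json


class FakeS3:
    """In-memory stand-in for an S3 client (constructed for this example)."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body

    def get_object(self, Bucket, Key):
        return {"Body": self.objects[(Bucket, Key)]}


class FakeSqs:
    """In-memory stand-in for an SQS client using boto3's method names."""

    def __init__(self):
        self.queue = []

    def send_message(self, QueueUrl, MessageBody):
        self.queue.append({"ReceiptHandle": str(len(self.queue)), "Body": MessageBody})

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1):
        return {"Messages": self.queue[:MaxNumberOfMessages]}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.queue = [m for m in self.queue if m["ReceiptHandle"] != ReceiptHandle]


def lambda_on_object_created(event, sqs, queue_url):
    """Lambda side: for each ObjectCreated record, enqueue a pointer, never the object."""
    forwarded = []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated"):
            continue
        pointer = {
            "bucket": record["s3"]["bucket"]["name"],
            "key": record["s3"]["object"]["key"],
            "size": record["s3"]["object"].get("size"),
        }
        sqs.send_message(QueueUrl=queue_url, MessageBody=json.dumps(pointer))
        forwarded.append(pointer)
    return forwarded


def ec2_poll_once(sqs, s3, queue_url, process):
    """EC2 side: take one pointer, fetch the PHI from S3, process it, then acknowledge."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=1)
    messages = resp.get("Messages", [])
    if not messages:
        return None
    msg = messages[0]
    pointer = json.loads(msg["Body"])
    obj = s3.get_object(Bucket=pointer["bucket"], Key=pointer["key"])
    result = process(obj["Body"])
    # Delete only after processing succeeded; a crash before this line leaves the
    # message on the queue so the job is retried rather than silently lost.
    sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return result


def run_demo():
    """Drive one object through the pattern and report what each side saw."""
    s3, sqs = FakeS3(), FakeSqs()
    queue_url = "https://sqs.example/phi-jobs"  # placeholder, not a real queue URL
    phi = b"patient record: constructed sample, not real PHI"
    s3.put_object(Bucket="phi-bucket", Key="uploads/rec-1.json", Body=phi)
    # Shape of an S3 ObjectCreated notification, reduced to the fields used here.
    event = {"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "phi-bucket"},
               "object": {"key": "uploads/rec-1.json", "size": len(phi)}},
    }]}
    lambda_on_object_created(event, sqs, queue_url)
    queued_bodies = [m["Body"] for m in sqs.queue]  # what SQS actually holds
    result = ec2_poll_once(sqs, s3, queue_url, process=lambda body: len(body))
    return {"queued_bodies": queued_bodies, "processed_bytes": result,
            "queue_empty": not sqs.queue}


if __name__ == "__main__":
    print(run_demo())
```

The `queued_bodies` entry is the check worth keeping in a real deployment: it should never contain anything beyond the pointer fields, and a test that greps it for record contents is a cheap way to catch a future change that starts copying object bodies into the queue.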