MLLP (Minimal Lower Layer Protocol)
MLLP is the most common transport protocol for HL7 v2.x messages over TCP/IP. It provides a simple framing mechanism that allows receiving systems to identify message boundaries in a stream of data. MLLP wraps HL7 messages with special delimiter characters to mark the start and end of each message frame.
MLLP Frame Structure
MLLP frame delimiters
| Element | Hex | Meaning |
|---|---|---|
| Start Block | 0x0B | Vertical Tab, frame start |
| Payload | variable | HL7 message bytes |
| End Block | 0x1C | File Separator, end prefix |
| Terminator | 0x0D | Carriage Return, frame end |
Raw bytes visualization: start byte 0B, then HL7 payload bytes (for example 4D 53 48 7C 5E 7E 5C 26 7C ...), then end bytes 1C 0D.
MLLP Connection Sequence
Typical MLLP interaction opens a TCP socket, sends a framed HL7 payload, waits for a framed ACK, and then closes the connection.
MLLP connection sequence
Loading diagram...
All communication occurs over TCP/IP with MLLP framing around each HL7 message.
AWS B2B Data Interchange for HL7
Managed HL7 v2 processing on AWS with MLLP support
AWS B2B Data InterchangeMLLP-Framed ADT Message
Example HL7 v2.x message with MLLP framing bytes. The message content is wrapped between start (0x0B) and end (0x1C0D) delimiters.
Click on a segment above to highlight its fields
Hover or click any field value for detailed explanation
MLLP Implementation Best Practices
Connection Management
- Use persistent TCP connections for high-throughput scenarios.
- Implement connection pooling for multiple concurrent interfaces.
- Set appropriate TCP keepalive intervals (typically 30-60 seconds).
- Handle connection failures gracefully with exponential backoff.
Buffer Management
- Use a circular buffer for streaming message processing.
- Set maximum message size limits (typically 10MB-100MB).
- Implement timeout detection for incomplete frames.
- Validate frame delimiters before processing message content.
Error Handling
- Log raw bytes when frame validation fails.
- Implement circuit breaker patterns for repeated failures.
- Maintain a dead-letter queue for unprocessable messages.
- Alert on connection drops and reconnection events.
ACK Choreography and Reliability
Acknowledgment (ACK) messages are critical for reliable HL7 v2.x communication. They confirm receipt and communicate whether processing succeeded or failed.
ACK status codes
| Code | Meaning | Typical handling |
|---|---|---|
| AA | Application Accept | Message received, validated, and processed successfully. |
| AE | Application Error | Temporary or processing error; often retryable. |
| AR | Application Reject | Validation/business rule failure; usually non-retryable. |
Synchronous ACK Pattern
Synchronous communication where sender waits for ACK
Loading diagram...
Best for low-latency, high-reliability scenarios where ordering is critical. Typical ACK timeout is 10-30 seconds with exponential backoff retries.
Asynchronous ACK Pattern
Asynchronous sender pipeline
Loading diagram...
Best for high-throughput scenarios where senders continue producing while waiting for ACK tracking in a durable queue.
Common ACK Error Scenarios
AE - Application Error (Retryable)
Temporary receiver errors (for example database deadlock or timeout) should trigger bounded retries with exponential backoff, then escalation after max attempts.
AR - Application Reject (Non-Retryable)
Validation failures (for example missing required fields) should not be retried blindly. Route to error queues, notify source owners, and fix upstream data.
Timeout - No ACK Received
Investigate receiver availability and network connectivity first; retries can create duplicates, so idempotency checks are required.
Security and TLS Controls
Securing HL7 v2.x communications is essential for HIPAA compliance and protecting sensitive patient health information (PHI).
TLS 1.3 Requirements
TLS 1.3 baseline
| Category | Details |
|---|---|
| Mandatory cipher suites | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256 |
| Security benefits | Reduced handshake latency (1-RTT), forward secrecy by default, removal of legacy algorithms, and better downgrade resistance |
Certificate Management
Mutual TLS (mTLS)
Both client and server present certificates for authentication. This is required in high-security environments and recommended for production HL7 interfaces.
AWS HIPAA Compliance for HL7
AWS HIPAA-eligible services for healthcare workloads
AWS HIPAA Compliance- Verify certificate chain to a trusted root CA.
- Check certificate expiration dates.
- Validate subject/SAN values against expected endpoints.
- Implement certificate pinning for critical interfaces.
HIPAA Compliance Requirements
Technical Safeguards (45 CFR 164.312)
- Access control: unique user IDs, emergency access, automatic logoff.
- Audit controls: log all PHI access and modifications.
- Integrity: authenticate ePHI with checksums or signatures.
- Person or entity authentication for communicating parties.
- Transmission security with TLS 1.2+ (prefer TLS 1.3).
Audit Logging Requirements
- Message send and receive timestamps.
- Source and destination endpoints.
- Message types and control IDs.
- ACK status codes.
- Error conditions and retries.
- Retention period typically six years or more.
Encryption Standards
- In transit: TLS 1.3 (minimum TLS 1.2).
- At rest: AES-256 encryption.
- Key management: FIPS 140-2 Level 2+ HSMs.
- Key rotation at least every 90 days.
Cloud Architecture Pattern (AWS Example)
Modern HL7 v2.x implementations often use cloud infrastructure for scalability, reliability, and cost-effectiveness. This section captures architecture patterns for handling MLLP traffic at enterprise scale.
MLLP -> Kinesis -> Serverless Pattern
CHOP Reference Architecture
Real-time Analytics on Patient Bedside Medical Devices
Based on Children's Hospital of Philadelphia processing around 4000 HL7 messages per minute.
CHOP real-time HL7 ingestion architecture
Loading diagram...
The AWS figure is deliberately simple: source system, secure network path, integration service, target workload. The CHOP diagram above is one richer realization of that same transport boundary when HL7 traffic fans into analytics and downstream processing.
- AWS Fargate hosts Apache Camel MLLP connector to receive HL7 v2.x from patient monitors.
- Amazon Kinesis Data Streams ingests raw HL7 messages for real-time processing.
- Amazon Managed Flink parses HL7 messages and extracts patient vital signs.
- Amazon Timestream stores time-series vital signs for real-time dashboards.
- Amazon Redshift supports analytics through warehousing and materialized views.
- Amazon S3 provides long-term archive via streaming delivery.
Production scale note: CHOP processes around 4000 messages per minute with HIPAA controls (TLS in transit and KMS-managed encryption at rest).
Alternative: HL7v2 -> FHIR -> Amazon HealthLake
AWS Public Sector - HL7v2 to FHIR modernization with AI/ML analysis
HL7v2 to FHIR modernization with HealthLake
Loading diagram...
- On-premises EHR sends HL7v2 ORU messages (diagnostic imaging and lab results).
- AWS Site-to-Site VPN encrypts traffic over public networks.
- Network Load Balancer distributes MLLP connections to Fargate.
- AWS Fargate with Apache Camel receives and acknowledges HL7v2 messages.
- Amazon SQS decouples ingestion from conversion for independent scaling.
- AWS Lambda converts HL7v2 ORU into FHIR bundles.
- Amazon HealthLake ingests FHIR and supports AI/ML and NLP analysis.
Key Benefits
- Transforms unstructured clinical text into searchable insights.
- Supports terminology mapping (for example ICD-10-CM and RxNorm) using Comprehend Medical.
- HIPAA-eligible and FHIR-native platform with AI/ML capabilities.
- Serverless operations reduce infrastructure management overhead.
- Supports population health analytics and clinical decision support.
Use case: organizations that want to unlock insight from unstructured clinical reports using AI/ML and need FHIR interoperability.
HAProxy Configuration for MLLP
global
maxconn 4096
log /dev/log local0
defaults
mode tcp
timeout connect 5s
timeout client 30s
timeout server 30s
frontend mllp_frontend
bind *:2575
default_backend mllp_backend
backend mllp_backend
balance roundrobin
server hl7-server-1 10.0.1.10:2575 check
server hl7-server-2 10.0.1.11:2575 check
# Health check for MLLP
option tcp-checkHAProxy provides TCP load balancing for MLLP connections, enabling high availability and horizontal scaling of HL7 interface engines.
DynamoDB State Tracking
DynamoDB can track message lifecycle state to support idempotency and exactly-once processing behavior.
DynamoDB message state model
| Field | Value |
|---|---|
| Partition Key | messageControlId (String) |
| status | RECEIVED | PROCESSING | COMPLETED | FAILED |
| receivedAt | ISO 8601 timestamp |
| ackStatus | AA | AE | AR | PENDING |
| retryCount | Number (0-5) |
| ttl | Unix timestamp for auto-expiry |
Processing Patterns: Lambda vs. Fargate vs. Flink
AWS Lambda (Event-Driven)
Best for HL7-to-FHIR conversion, message validation, and lightweight transformations. Serverless, pay-per-execution, 15-minute timeout, commonly triggered by SQS/Kinesis/EventBridge.
AWS Fargate (Container-Based)
Best for MLLP connectivity and long-running TCP workloads using existing integration engines (for example Apache Camel). Supports persistent connections and no short function timeout constraints.
Amazon Managed Flink (Stream Processing)
Best for high-volume real-time processing, stateful analytics, and complex event processing. Suitable for thousands of messages per minute with exactly-once semantics.
Architecture Selection Guide
Choose Lambda for lightweight transforms, Fargate for MLLP ingestion/connectivity, and Flink for high-volume analytics. Hybrid patterns are common: Fargate for ingestion and Lambda/Flink for processing.
HLLP Protocol Variant
Hybrid Lower Layer Protocol (HLLP) extends MLLP by adding checksum validation to the framing layer. While MLLP provides basic message boundary detection, HLLP adds integrity verification to detect corruption during transmission.
HLLP Frame Structure with Checksum
HLLP frame components
| Element | Hex | Purpose |
|---|---|---|
| Start Block | 0x0B | Vertical Tab, frame start (same as MLLP) |
| Payload | variable | HL7 message bytes |
| Checksum | 2 bytes | CRC-16 or XOR checksum of payload |
| End Block | 0x1C | File Separator, end prefix |
| Terminator | 0x0D | Carriage Return, frame end |
MLLP vs HLLP Trade-offs
Protocol comparison
| Aspect | MLLP | HLLP |
|---|---|---|
| Overhead | Minimal (3 bytes framing) | Slightly higher (5+ bytes with checksum) |
| Integrity Check | None (relies on TCP) | Checksum validation at framing layer |
| Adoption | Industry standard, widely supported | Limited, vendor-specific implementations |
| Use Case | General HL7 v2.x transport | High-reliability environments with corruption risks |
When to Use HLLP
HLLP is beneficial in environments with known network reliability issues, long-distance transmissions, or regulatory requirements mandating transport-layer integrity checks. For most modern networks with reliable TCP/IP, standard MLLP with TLS provides sufficient protection.
Synchronous Blocking Risks
Synchronous MLLP communication patterns introduce significant risks in high-volume healthcare environments. Understanding these failure modes is critical for designing resilient interfaces.
Cascading Failure Scenarios
When a downstream receiver becomes slow or unresponsive, synchronous senders block waiting for ACK responses. This creates a cascade effect:
- Receiver processing slows due to database lock or resource contention.
- ACK responses are delayed beyond timeout thresholds.
- Sender threads remain blocked waiting for ACKs.
- Sender thread pool becomes exhausted.
- Upstream systems cannot submit new messages.
- Message queues back up across the entire integration chain.
- Clinical workflows are disrupted (ADT updates, lab results, orders).
Real-World Impact
A major hospital network experienced a 4-hour outage when a single slow interface (radiology results) exhausted the shared thread pool, blocking critical ADT messages from reaching the billing system.
Cascading failure due to synchronous blocking
Loading diagram...
Thread Pool Exhaustion Pattern
// Synchronous sender with fixed thread pool
const THREAD_POOL_SIZE = 50;
const ACK_TIMEOUT_MS = 30000;
// Scenario: Receiver takes 45 seconds to respond
// Result: All 50 threads blocked after 50 messages
// New messages queue indefinitely until timeoutBackpressure Patterns
Implement backpressure mechanisms to prevent cascading failures:
- Asynchronous send with durable queues (SQS, Kafka, RabbitMQ).
- Circuit breaker patterns with automatic fallback modes.
- Priority queues for critical message types (ADT > ORU > ORM).
- Dynamic thread pool sizing based on ACK latency metrics.
- Bulkhead isolation between interface endpoints.
- Graceful degradation with local queue spillover.
Backpressure flow with circuit breaker
Loading diagram...
Sequence Number Handling
HL7 v2.x includes sequence number tracking in MSH-13 (Message Sequence Number) for message ordering and duplicate detection. Proper handling prevents data integrity issues in high-volume environments.
MSH-13 Field Structure
MSH-13 sequence number field
| Position | Name | Type | Usage |
|---|---|---|---|
| MSH-13 | Message Sequence Number | NM (Numeric) | Optional |
| MSH-14 | Continuation Pointer | ST (String) | Optional |
| MSH-15 | Accept Acknowledgment Type | ID (Coded) | Optional |
| MSH-16 | Application Acknowledgment Type | ID (Coded) | Optional |
Lax Sequencing Timeout Pattern
In practice, strict sequence number enforcement causes issues when messages are retried or sent out of order. The "lax sequencing" pattern allows tolerance for minor sequence gaps:
- Accept messages within a configurable sequence window (e.g., ±5 messages).
- Track last processed sequence number per sending application.
- Flag out-of-sequence messages for audit review rather than rejection.
- Implement timeout-based sequence reset (e.g., reset counter after 24 hours of inactivity).
- Use MSH-10 (Message Control ID) as primary deduplication key instead of sequence numbers.
.SEQNTFY Error Queue Pattern
Some interface engines (e.g., Rhapsody, Cloverleaf) implement a .SEQNTFY error queue for sequence violations. Messages triggering sequence anomalies are routed to this queue for manual review rather than being rejected outright. This pattern balances integrity requirements with operational flexibility.
Lax sequencing processing logic
Loading diagram...
Sequence Number Best Practices
- Increment sequence numbers per unique MSH-5/MSH-3 (sending application/facility) pair.
- Reset sequence counters daily or per batch cycle.
- Log sequence gaps greater than threshold for investigation.
- Do not reject messages solely based on sequence number anomalies.
- Use MSH-10 (unique control ID) for idempotency and deduplication.
Dual Acknowledgment Deep-Dive
Enhanced acknowledgment patterns provide additional reliability guarantees for critical healthcare transactions. Dual acknowledgment separates transport-level receipt from application-level processing confirmation.
Commit ACK + Application ACK Pattern
Two-phase acknowledgment ensures messages are both received and processed:
- Commit ACK (Transport Layer): Immediate acknowledgment confirming message receipt and syntactic validation.
- Application ACK (Business Layer): Deferred acknowledgment confirming successful business processing (e.g., database commit, downstream notification).
Dual acknowledgment flow
Loading diagram...
MSH-15/MSH-16 Acknowledgment Configuration
Acknowledgment type codes
| Code | Meaning | Behavior |
|---|---|---|
| AL | Always | Send ACK for every message (recommended) |
| NE | Never | No ACK sent (fire-and-forget) |
| ER | Error | Send ACK only on error conditions |
| SU | Success | Send ACK only on successful processing |
Async ACK Routing
For deferred application acknowledgments, implement an async callback mechanism (webhook, message queue, or separate HL7 ORU response) to notify the sender of final processing status. This pattern is common in lab result interfaces where processing may take minutes to hours.
SIEM Integration and Anomaly Detection
Security Information and Event Management (SIEM) integration provides real-time monitoring and threat detection for HL7 v2.x interfaces. Healthcare systems are high-value targets requiring proactive security monitoring.
Anomaly Detection Patterns
- Unusual message volume spikes (potential DDoS or data exfiltration).
- Unexpected message types from known interfaces (e.g., ORM from ADT-only source).
- After-hours transmission patterns deviating from baseline.
- Repeated authentication failures or mTLS handshake errors.
- Messages with suspicious patient demographics (synthetic data testing in production).
- Geographic anomalies (connections from unexpected IP ranges).
Traffic Spike Monitoring
Implement threshold-based alerting for message volume anomalies:
SIEM alert thresholds
| Metric | Warning Threshold | Critical Threshold | Response |
|---|---|---|---|
| Messages/minute per interface | >200% of baseline | >500% of baseline | Investigate source, consider rate limiting |
| ACK timeout rate | >5% of messages | >20% of messages | Check receiver health, enable circuit breaker |
| Failed mTLS handshakes | >10/hour | >50/hour | Investigate potential reconnaissance attack |
| AR (reject) rate | >10% of messages | >30% of messages | Notify sending system, check for data quality issues |
Failed mTLS Handshake Alerts
Mutual TLS handshake failures indicate potential security threats:
- Expired or revoked client certificates.
- Certificate chain validation failures.
- Hostname/SAN mismatch attacks.
- Protocol downgrade attempts (TLS 1.3 to TLS 1.0).
- Cipher suite negotiation failures (weak cipher attempts).
SIEM Log Format
Standardize HL7 interface logs in CEF (Common Event Format) or LEEF (Log Event Extended Format) for SIEM ingestion. Include message control ID, sending/receiving applications, ACK status, and processing latency in every log entry.
Splunk Query Examples
# High ACK timeout rate
index=hl7 ack_status=timeout
| timechart span=5m count
| where count > threshold
# Failed mTLS by source IP
index=hl7 tls_handshake=failed
| stats count by src_ip, cert_subject
| sort -count
# Unusual message types
index=hl7
| stats count by message_type, sending_app
| where message_type NOT IN ("ADT", "ORM", "ORU")Jurisdictional Security Standards
Healthcare data security requirements vary by jurisdiction. Understanding regional compliance frameworks is essential for multi-national HL7 implementations.
Australian SMD/NASH PKI Case Study
Australia's Secure Messaging Domain (SMD) and National Authentication Service for Health (NASH) PKI infrastructure provides a model for nationwide healthcare security:
- NASH certificates provide mutual authentication for all healthcare communications.
- Healthcare Provider Identifiers (HPI-I, HPI-O, HPI-D) embedded in certificates.
- Mandatory for all My Health Record system communications.
- Certificate hierarchy: NASH CA → Organization CA → Individual certificates.
- HL7 v2.x messages must be transported over TLS with NASH certificate validation.
- Message-level digital signatures for audit non-repudiation.
Implementation Impact
Australian HL7 interfaces require NASH PKI integration for any My Health Record connectivity. Interface engines must validate NASH certificates and include HPI identifiers in MSH-4 (Sending Facility) and MSH-6 (Receiving Facility) fields.
Other Regional Equivalents
Regional healthcare security frameworks
| Region | Framework | HL7 Impact |
|---|---|---|
| United States | HIPAA + HITECH | TLS 1.2+ required, audit logging, BA agreements for vendors |
| European Union | GDPR + eIDAS | Patient consent tracking, data residency requirements, qualified certificates |
| United Kingdom | NHS DSP Toolkit + PDN | N3/HSCN network requirements, IG Toolkit compliance, Caldicott Guardian oversight |
| Canada | PIPEDA + Provincial Laws | PHIPA (Ontario), HIA (Alberta) - varying provincial requirements |
| Singapore | PDPA + MOH Guidelines | NEHR integration, IM8 healthcare IT standards |
Compliance Checklist
- Identify all jurisdictions where patient data originates or is processed.
- Map data flow to determine applicable regulatory frameworks.
- Implement jurisdiction-specific security controls (encryption, access, audit).
- Document compliance evidence for audits (policies, procedures, logs).
- Review and update annually or when regulations change.
- Engage legal/compliance teams for cross-border data transfers.
Additional Transport Methods
Alternative HL7 transport options
| Method | Typical use | Notes |
|---|---|---|
| File-based transport | Batch processing through drop folders | Common in legacy mainframes; naming and polling intervals affect latency. |
| HTTP/HTTPS POST | Web-based transport | Firewall-friendly and standard infrastructure; often uses content-type application/hl7-v2. |
| SOAP web services | Contract-driven enterprise integration | Supports WS-Security but has higher protocol overhead than MLLP. |
| SFTP file transfer | Secure batch interchange | Encrypted in transit; commonly used for lab result batch exchange. |
MLLP Deep Dive - Advanced Implementation Patterns
Production MLLP implementations require careful attention to connection lifecycle, buffer management, timeout handling, and failure recovery. This section covers advanced patterns for building resilient MLLP interfaces.
Connection Lifecycle Management
MLLP connection state transitions
| State | Transition Trigger | Action |
|---|---|---|
| IDLE | Message queued for send | Initiate TCP connection (SYN) |
| CONNECTING | TCP SYN-ACK received | Complete handshake, transition to CONNECTED |
| CONNECTED | Frame sent, ACK received | Keep connection open for next message (pooling) |
| CONNECTED | Timeout or error | Close connection, transition to IDLE or ERROR |
| ERROR | Circuit breaker open | Stop sending, alert operations, escalate |
Buffer Management Strategies
- Use circular buffers for streaming byte processing to avoid memory allocation overhead.
- Set maximum message size limits (typically 10MB) to prevent memory exhaustion attacks.
- Implement partial frame detection: if start block (0x0B) received but no end block (0x1C0D) within timeout, flag as incomplete.
- Pre-allocate buffer pools for high-throughput scenarios to reduce GC pressure.
Timeout and Keepalive Configuration
Recommended timeout values
| Timeout Type | Recommended Value | Purpose |
|---|---|---|
| Connection timeout | 5-10 seconds | Initial TCP handshake completion |
| ACK wait timeout | 10-30 seconds | Maximum wait for application ACK after send |
| TCP keepalive interval | 30-60 seconds | Detect dead connections without application traffic |
| Idle connection timeout | 5-15 minutes | Close unused pooled connections to free resources |
| Frame read timeout | 2-5 minutes | Maximum time to receive complete MLLP frame |
Half-Open Connection Risk
A half-open connection occurs when one endpoint closes (e.g., network failure, crash) but the other side remains unaware. Without TCP keepalive or application-level heartbeats, the sender may write to a closed socket, losing messages. Always configure keepalive and implement timeout detection.
Circuit Breaker Pattern
Circuit breakers prevent cascading failures by stopping sends to unhealthy receivers:
- CLOSED state: Normal operation, messages flow through.
- OPEN state: After N consecutive failures, stop sending immediately and route to DLQ.
- HALF-OPEN state: After recovery timeout, send one probe message. If successful, close circuit; if failed, reopen.
- Track failure rate over sliding window (e.g., 50% failures in last 10 messages triggers open).
AWS Whitepaper: MLLP Best Practices
AWS architectural guidance for MLLP implementations
AWS Healthcare InteroperabilityAWS Transfer Family for HL7 File-Based Transport
AWS Transfer Family provides fully managed SFTP, FTPS, and FTP servers for secure file-based HL7 batch transfers. This service is ideal for scenarios requiring batch processing, such as daily lab result summaries, billing transactions, or legacy system integrations.
Use Cases for File-Based HL7 Transport
When to use file-based vs. real-time MLLP
| Scenario | Recommended Transport | Rationale |
|---|---|---|
| Real-time ADT notifications | MLLP over TCP | Low latency required for patient workflow updates |
| Daily lab result batches | SFTP (Transfer Family) | High volume, latency-tolerant, easier audit trail |
| Legacy mainframe integration | SFTP/FTPS | Mainframes often support file drop patterns natively |
| Cross-organization data exchange | SFTP with PGP encryption | Firewall-friendly, supports large files, compliance-friendly |
AWS Transfer Family Architecture
HL7 file batch processing with AWS Transfer Family
Loading diagram...
- External partner uploads HL7 batch file (e.g., daily_results.hl7) via SFTP to AWS Transfer Family.
- Transfer Family automatically stores file in Amazon S3 bucket with server-side encryption (AES-256).
- S3 event notification triggers AWS Lambda function to process the batch file.
- Lambda parses HL7 messages, validates structure, and pushes individual messages to SQS for reliable processing.
- Downstream consumers process messages from SQS, transform to FHIR if needed, and route to destination systems.
- CloudTrail logs all SFTP operations for audit and compliance (HIPAA, SOC 2).
Security and Compliance Features
Transfer Family security controls
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for SFTP/FTPS connections |
| Encryption at rest | S3 SSE-S3, SSE-KMS, or SSE-C encryption |
| Authentication | IAM users, AWS Directory Service (AD), or custom Lambda identity provider |
| Access control | S3 bucket policies, IAM policies, Transfer Family access policies |
| Audit logging | AWS CloudTrail logs all SFTP commands (login, upload, download, delete) |
| Network isolation | VPC endpoints, security groups, AWS PrivateLink |
HIPAA Eligibility
AWS Transfer Family is HIPAA-eligible. When configured with encryption, access controls, and CloudTrail logging, it meets HIPAA Security Rule requirements for transmission security and audit controls. Ensure a Business Associate Agreement (BAA) is in place with AWS.
PGP Encryption for HL7 Batches
For additional security, HL7 batch files can be PGP-encrypted before SFTP upload:
- Sender encrypts HL7 batch file with recipient public PGP key.
- Encrypted file (.pgp) uploaded via SFTP to Transfer Family.
- AWS Lambda uses AWS Secrets Manager-stored private key to decrypt.
- Decrypted HL7 messages processed normally.
- Original encrypted file archived or deleted per retention policy.
AWS Transfer Family Documentation
Official AWS documentation for Transfer Family service
AWS Transfer Family DocsAWS Healthcare Interoperability Solutions
AWS whitepaper on building HL7 v2 messaging solutions
AWS HL7 v2 WhitepaperFurther Reading
HL7 MLLP Transport Specification
Official HL7 specification for MLLP transport protocol
HL7 MLLP Specification (PDF)Modernize Legacy HL7 Data with Amazon HealthLake
Specific AWS architecture guidance for moving legacy HL7 data into modern cloud-native healthcare platforms.
Read modernization guideKnowledge Check
Test your understanding with this quiz. You need to answer all questions correctly to mark this section as complete.