August 13, 2021 By Vidyasagar Machupalli 3 min read

Learn how to enable HIPAA support for your account to protect health data.

With the rapidly expanding volume of personal information in the cloud, including Protected Health Information (PHI), it is critical to describe how the cloud is secured through key services such as authentication, authorization, auditing, and end-client access.


The US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define standards for handling electronic healthcare transactions and information. If you or your company is a covered entity as defined by HIPAA, you must enable the HIPAA Supported setting if you run sensitive workloads that are regulated under HIPAA and the HITECH Act. Learn more about IBM Cloud compliance at Compliance on the IBM Cloud.

A quick intro to IBM Cloud 

IBM’s public cloud is a suite of cloud computing services that offers an extensive array of IaaS and PaaS capabilities to help enhance the security, accessibility and usability of clients’ business-critical needs. IBM Cloud leverages strategic services from third-party IBM Business Partners.

With IBM Cloud Infrastructure as a Service (IaaS), organizations can deploy and access virtualized IT resources — such as compute, storage and networking resources — remotely using the internet. For compute, organizations can choose bare metal or virtual server instances. 

With IBM Cloud Platform as a Service (PaaS), developers can use IBM services to create, deploy, run and manage various types of applications, including those used for HIPAA-compliant workloads. Developers can leverage various programming languages supported by IBM Cloud, including Java, Node.js, PHP, Go and Python.

HIPAA-ready vs HIPAA-neutral services 

HIPAA-ready, as used in this post, simply means the offering is ready to accept HIPAA data. HIPAA compliance, as distinguished from HIPAA-ready, involves actually meeting the HIPAA requirements on an ongoing basis. The client is responsible for its own compliance to the extent it has control over elements of compliance, and it is the client’s responsibility to understand, assess and comply with its applicable requirements.

A list of HIPAA-ready IBM Cloud services can be found at the IBM Cloud Compliance site. Other IBM Cloud services not listed may also be HIPAA-ready, have readiness in progress or have been deemed HIPAA-neutral. HIPAA-neutral means a capability that operates without implicating HIPAA. For instance, IBM Cloud has several PaaS services that are HIPAA-ready or may be HIPAA-neutral based on the inherent nature of the service.

Some of the HIPAA-ready announcements:

Enable HIPAA support for your account

Accounts that enable the HIPAA Supported setting still have access to the full catalog of services. IBM Cloud services typically offer multiple plans. The HIPAA Enabled label on a service can apply to all available plans or be limited to specific plans or configurations. You, as the client, are solely responsible for limiting PHI to HIPAA Enabled product plans and architecting in accordance with HIPAA and HITECH.

  1. Navigate to and log into your account.
  2. Go to Manage > Account, and select Account settings in the console.
  3. For the HIPAA Supported option, click On.
  4. Read the information about enabling this setting.
  5. Select Accept, and click Submit. Remember, you can’t disable the setting after you enable it.

Enabling this setting has the following effects:

  • Enables you to filter on HIPAA Enabled services in the catalog.
  • Indicates to IBM that your account stores protected health information (PHI).
  • Digitally accepts the IBM Business Associate Addendum (BAA) for covered entities.

After you enable the HIPAA Supported setting, you can use the HIPAA Enabled filter to find products that are HIPAA enabled. In the IBM Cloud catalog, expand the Compliance section and select HIPAA Enabled.

Governing resource configuration for platform services

If you are a security or compliance focal, you can use the IBM Security and Compliance Center to define configuration rules for the platform services that you’re working with in IBM Cloud. With IBM Cloud Security and Compliance Center, you can embed security checks into your everyday workflows to help monitor for security and compliance.

Config rules are used to enforce the configuration standards that you want to implement across your accounts. A configuration rule is a JSON document that defines the configuration of resources. With the IBM Cloud Security and Compliance Center, you can create rules for specific IBM Cloud resource types to govern the way that resources in your account can be provisioned or configured. Refer to security and compliance config rule to understand what makes up a rule, the services to which the rule can be applied, and answers to other questions.

What’s next?

If you have any queries, feel free to reach out to me on Twitter or on LinkedIn.
