Learn how to enable HIPAA support for your account to protect health data.
As the volume of personal information in the cloud, including Protected Health Information (PHI), rapidly expands, it is critical to describe how the cloud is secured through core services such as authentication, authorization, auditing, and end-client access.
The US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define standards for handling electronic healthcare transactions and information. If you or your company is a covered entity as defined by HIPAA and you run sensitive workloads that are regulated under HIPAA and the HITECH Act, you must enable the HIPAA Supported setting. Learn more about IBM Cloud compliance at Compliance on the IBM Cloud.
A quick intro to IBM Cloud
IBM’s public cloud is a suite of cloud computing services that offers an extensive array of IaaS and PaaS capabilities to help enhance the security, accessibility and usability of clients’ business-critical needs. IBM Cloud leverages strategic services from third-party IBM Business Partners.
With IBM Cloud Infrastructure as a Service (IaaS), organizations can deploy and access virtualized IT resources — such as compute, storage and networking resources — remotely using the internet. For compute, organizations can choose bare metal or virtual server instances.
With IBM Cloud Platform as a Service (PaaS), developers can use IBM services to create, deploy, run and manage various types of applications, including those used for HIPAA-compliant workloads. Developers can leverage various programming languages supported by IBM Cloud, including Java, Node.js, PHP, Go and Python.
HIPAA-ready vs HIPAA-neutral services
HIPAA-ready, as used in this post, simply means the offering is ready to accept HIPAA data. HIPAA compliance, as distinguished from HIPAA-ready, involves actually meeting the HIPAA requirements on an ongoing basis. The client is responsible for its own compliance to the extent it has control over elements of compliance, and it is the client’s responsibility to understand, assess and comply with its applicable requirements.
A list of HIPAA-ready IBM Cloud services can be found at the IBM Cloud Compliance site. Other IBM Cloud services not listed may also be HIPAA-ready, have readiness in progress or have been deemed HIPAA-neutral. HIPAA-neutral describes a capability that operates without implicating HIPAA. For instance, IBM Cloud has several PaaS services that are HIPAA-ready or may be HIPAA-neutral based on the inherent nature of the service.
Some of the HIPAA-ready announcements:
- IBM Cloud VPC Available for HIPAA-Ready Workloads
- IBM Cloud Hyper Protect Services are now HIPAA ready
Enable HIPAA support for your account
Accounts that enable the HIPAA Supported setting still have access to the full catalog of services. IBM Cloud services typically offer multiple plans. The HIPAA Enabled label on a service can apply to all available plans or be limited to specific plans or configurations. You, as the client, are solely responsible for limiting PHI to HIPAA Enabled product plans and architecting in accordance with HIPAA and HITECH.
- Navigate to https://cloud.ibm.com and log in to your account.
- Go to Manage > Account, and select Account settings in the console.
- For the HIPAA Supported option, click On.
- Read the information about enabling this setting.
- Select Accept, and click Submit. Remember, you can't disable the setting after you enable it.
Enabling this setting has the following effects:
- Enables you to filter on HIPAA Enabled services in the catalog.
- Indicates to IBM that your account stores protected health information (PHI).
- Digitally accepts the IBM Business Associate Addendum (BAA) for covered entities.
After you enable the HIPAA Supported setting, you can use the HIPAA Enabled filter to find products that are HIPAA enabled. In the IBM Cloud catalog, expand the Compliance section and select HIPAA Enabled.
Governing resource configuration for platform services
If you are a security or compliance focal point, you can use the IBM Cloud Security and Compliance Center to define configuration rules for the platform services that you're working with in IBM Cloud. With IBM Cloud Security and Compliance Center, you can embed security checks into your everyday workflows to help monitor for security and compliance.
Config rules are used to enforce the configuration standards that you want to implement across your accounts. A configuration rule is a JSON document that defines the configuration of resources. With the IBM Cloud Security and Compliance Center, you can create rules for specific IBM Cloud resource types to govern the way that resources in your account can be provisioned or configured. Refer to the security and compliance config rule documentation to understand what makes up a rule, the services to which a rule can be applied, and answers to other questions.
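The following is an added example, not IBM's code or part of the original post: a minimal Python evaluator showing how a JSON config rule can be checked against a proposed resource configuration. The rule layout, field names, operators and sample values are assumptions constructed for illustration; consult the Security and Compliance Center documentation for the actual rule format.

```python
import json

# Constructed rule. The layout (target / required_config / and / or /
# property / operator / value) is an assumed, simplified schema for
# illustration, not a copy of the Security and Compliance Center format.
RULE_JSON = """
{
  "name": "restricted-buckets",
  "target": {"service_name": "cloud-object-storage", "resource_kind": "bucket"},
  "required_config": {
    "and": [
      {"property": "public_access_enabled", "operator": "is_false"},
      {"or": [
        {"property": "location", "operator": "string_equals", "value": "us-south"},
        {"property": "location", "operator": "string_equals", "value": "us-east"}
      ]}
    ]
  }
}
"""

# Unknown operators raise KeyError so a typo in a rule is never silently passed.
OPERATORS = {
    "is_true": lambda actual, _: actual is True,
    "is_false": lambda actual, _: actual is False,
    "string_equals": lambda actual, expected: actual == expected,
}

def condition_holds(cond, config):
    """Evaluate one condition node, recursing through and/or groups."""
    if "and" in cond:
        return all(condition_holds(c, config) for c in cond["and"])
    if "or" in cond:
        return any(condition_holds(c, config) for c in cond["or"])
    if cond["property"] not in config:
        return False  # fail closed: a missing property is not compliance
    return OPERATORS[cond["operator"]](config[cond["property"]], cond.get("value"))

def evaluate(rule, resource):
    """Return 'not_applicable', 'compliant' or 'non_compliant' for a resource."""
    if any(resource[k] != rule["target"][k] for k in ("service_name", "resource_kind")):
        return "not_applicable"
    ok = condition_holds(rule["required_config"], resource["config"])
    return "compliant" if ok else "non_compliant"

RULE = json.loads(RULE_JSON)
```

A property that is absent from the resource configuration is treated as non-compliant, so an incomplete provisioning request cannot pass the rule by omission.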
- Read the IBM Cloud HIPAA guide
- Latest HIPAA news and standard information
- Learn more about IBM Cloud compliance offerings by visiting the IBM Cloud compliance page