Home cloud Compliance IBM Cloud HIPAA Compliance IBM Cloud® compliance: HIPAA
Illustration showing a person interacting with a computer interface, behind which are various documents and a miniature skyscraper
What is HIPAA?

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established requirements for the use, disclosure and safe storage of protected health information (PHI) and was updated in 2009 via the Health Information Technology for Economic and Clinical Health (HITECH) amendment.

Covered entities that are subject to HIPAA—including doctors, hospitals, and health insurance companies—and their affiliated business associates must implement and maintain a set of technical, administrative and physical controls designed to safeguard protected health information (PHI).

Reports and other documentation

Read the IBM Cloud HIPAA guide


IBM position

Clients can build HIPAA-ready environments and applications using IBM Cloud®.

When client-covered entities choose to manage PHI while using IBM Cloud services, IBM is the business associate of that covered entity. IBM may also be the business associate of a third-party vendor that is the business associate of the covered entity. IBM Cloud has policies and procedures to demonstrate its compliance with HIPAA obligations as a business associate, including cases where PHI is in the IBM Cloud.

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products for HIPAA regulated data must enter into a Business Associate Agreement (BAA) with IBM, which defines responsibilities held by the covered entity, by IBM and those that are shared. IBM Cloud Catalog clients can configure an IBM Cloud account to utilize HIPAA-ready services and during that process, a client must accept an IBM BAA. IBM BAAs may also be achieved by contacting an IBM Sales Representative. The IBM Cloud BAA can be located on the IBM SLA terms BAA page.

IBM Cloud also requires BAAs with its vendors who qualify as IBM business associates, requiring of them the same safeguards for HIPAA regulated data.

Once a client configures an IBM Cloud account to utilize HIPAA-ready services, those services are identified in the IBM Cloud Catalog to help clients know whether or not they have selected a HIPAA-ready offering.

IBM Service Descriptions (SDs) indicate if a given offering maintains HIPAA-ready status.

IBM Cloud services that are HIPAA-ready are listed below.



  1. IBM Cloud Activity Tracker (via Mezmo)
  2. IBM Cloud App ID
  3. IBM Cloud Bare Metal
  4. IBM Cloud Block Storage
  5. IBM Cloud Block Storage for VPC
  6. IBM Cloud Databases for Datastax
  7. IBM Cloud Databases for Elasticsearch
  8. IBM Cloud Databases for EnterpriseDB
  9. IBM Cloud Databases for etcd
  10. IBM Cloud Databases for MongoDB Enterprise
  11. IBM Cloud Databases for MongoDB Standard
  12. IBM Cloud Databases for MySQL
  13. IBM Cloud Databases for PostgreSQL
  14. IBM Cloud Databases for Redis
  15. IBM Cloud Data Engine
  16. IBM Cloud Direct Link
  17. IBM Cloud File Storage
  18. IBM Cloud for VMware Solutions (Dedicated)
  19. IBM Cloud Functions
  20. IBM Cloud Hardware Security Module
  21. IBM Cloud Hyper Protect Crypto Services
  22. IBM Cloud Hyper Protect Virtual Servers
  23. IBM Cloud Hyper Protect Virtual Server for Virtual Private Cloud
  24. IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
  25. IBM Cloud LinuxONE Virtual Server for Virtual Private Cloud
  26. IBM Cloud Messages for RabbitMQ
  27. IBM Cloud Object Storage
  28. IBM Cloud Object Storage (IaaS)
  29. IBM Cloud Secrets Manager
  30. IBM Cloud Virtual Private Cloud
  31. IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
  32. IBM Cloud Virtual Private Cloud - VPN for VPC: Site-to-Site Gateway
  33. IBM Cloud Virtual Server for VPC
  34. IBM Cloud Virtual Server for VPC - Auto Scale for VPC
  35. IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
  36. IBM Cloud Virtual Servers
  37. IBM Cloud Wazi as a Service
  38. IBM Cloudant® Dedicated Cluster
  39. IBM Cloudant for IBM Cloud
  40. IBM Event Streams for IBM Cloud (Enterprise)
  41. IBM Key Protect for IBM Cloud
  42. IBM Log Analysis (via Mezmo)
  43. IBM Power Virtual Server on IBM Cloud
Resources IBM Cloud HIPAA guidance

Read the guide.

Take the next step

Questions about a compliance program? Need a protected compliance report? We can help.

See more compliance programs