HIPAA
The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established requirements for the use, disclosure and safe storage of protected health information (PHI) and was updated in 2009 via the Health Information Technology for Economic and Clinical Health (HITECH) amendment.
Covered entities that are subject to HIPAA (including doctors, hospitals, and health insurance companies) and their affiliated business associates must implement and maintain a set of technical, administrative and physical controls designed to safeguard PHI.
Reports and other documentation
Read the IBM Cloud HIPAA guide
Clients can build HIPAA-ready environments and applications using IBM Cloud®.
When clients that are covered entities choose to manage PHI while using IBM Cloud services, IBM is the business associate of that covered entity. IBM may also be the business associate of a third-party vendor that is the business associate of the covered entity. IBM Cloud has policies and procedures to demonstrate its compliance with HIPAA obligations as a business associate, including cases where PHI is in the IBM Cloud.
IBM clients who are subject to HIPAA and who wish to use IBM Cloud products for HIPAA-regulated data must enter into a Business Associate Agreement (BAA) with IBM, which defines the responsibilities held by the covered entity, those held by IBM, and those that are shared. IBM Cloud Catalog clients can configure an IBM Cloud account to utilize HIPAA-ready services, and during that process a client must accept an IBM BAA. An IBM BAA may also be obtained by contacting an IBM Sales Representative. The IBM Cloud BAA is available on the IBM SLA terms BAA page.
IBM Cloud also requires BAAs with its vendors who qualify as IBM business associates, requiring of them the same safeguards for HIPAA-regulated data.
Once a client configures an IBM Cloud account to utilize HIPAA-ready services, those services are identified in the IBM Cloud Catalog to help clients know whether or not they have selected a HIPAA-ready offering.
IBM Service Descriptions (SDs) indicate if a given offering maintains HIPAA-ready status.
IBM Cloud services that are HIPAA-ready are listed below.
IBM Cloud Activity Tracker (via Mezmo)
IBM Cloud Activity Tracker Event Routing
IBM Cloud App ID
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for VPC
IBM Cloud Databases for Datastax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Enterprise
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for MySQL
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud for VMware Solutions (Dedicated)
IBM Cloud Hardware Security Module
IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect Virtual Servers
IBM Cloud Hyper Protect Virtual Server for Virtual Private Cloud
IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
IBM Cloud Logs
IBM Cloud LinuxONE Virtual Server for Virtual Private Cloud
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Secrets Manager
IBM Cloud Platform - Core Services: IBM Cloud Logs Routing
IBM Cloud Platform - Core Services: IBM Cloud Metrics Routing
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
IBM Cloud Virtual Private Cloud - VPN for VPC: Site-to-Site Gateway
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Server for VPC - Auto Scale for VPC
IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
IBM Cloud Virtual Servers
IBM Cloudant® Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud (Enterprise)
IBM Key Protect for IBM Cloud
IBM Log Analysis (via Mezmo)
IBM Power Virtual Server on IBM Cloud
IBM Wazi as a Service