IBM Cloud® compliance: HIPAA

Clients can build HIPAA-ready environments and applications using IBM Cloud®.

When client-covered entities choose to manage PHI while using IBM Cloud services, IBM is the business associate of that covered entity. IBM may also be the business associate of a third-party vendor that is the business associate of the covered entity. IBM Cloud has policies and procedures to demonstrate its compliance with HIPAA obligations as a business associate, including cases where PHI is in the IBM Cloud.

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products for HIPAA regulated data must enter into a Business Associate Agreement (BAA) with IBM, which defines responsibilities held by the covered entity, by IBM and those that are shared. IBM Cloud Catalog clients can configure an IBM Cloud account to utilize HIPAA-ready services and during that process, a client must accept an IBM BAA. IBM BAAs may also be achieved by contacting an IBM Sales Representative. The IBM Cloud BAA can be located on the IBM SLA terms BAA page.

IBM Cloud also requires BAAs with its vendors who qualify as IBM business associates, requiring of them the same safeguards for HIPAA regulated data.

Once a client configures an IBM Cloud account to utilize HIPAA-ready services, those services are identified in the IBM Cloud Catalog to help clients know whether or not they have selected a HIPAA-ready offering.

IBM Service Descriptions (SDs) indicate if a given offering maintains HIPAA-ready status.

IBM Cloud services that are HIPAA-ready are listed below.