IBM Cloud® compliance: HIPAA
What is HIPAA?

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established requirements for the use, disclosure and safe storage of protected health information (PHI) and was updated in 2009 via the Health Information Technology for Economic and Clinical Health (HITECH) amendment.

Covered entities that are subject to HIPAA—including doctors, hospitals, and health insurance companies—and their affiliated business associates must implement and maintain a set of technical, administrative and physical controls designed to safeguard protected health information (PHI).



IBM position

Clients can build HIPAA-ready environments and applications using IBM Cloud®.

When a client that is a covered entity chooses to manage PHI while using IBM Cloud services, IBM is the business associate of that covered entity. IBM may also be the business associate of a third-party vendor that is the business associate of the covered entity. IBM Cloud has policies and procedures to demonstrate its compliance with HIPAA obligations as a business associate, including cases where PHI is in the IBM Cloud.

IBM clients who are subject to HIPAA and who wish to use IBM Cloud products for HIPAA-regulated data must enter into a Business Associate Agreement (BAA) with IBM, which defines the responsibilities held by the covered entity, those held by IBM, and those that are shared. IBM Cloud Catalog clients can configure an IBM Cloud account to utilize HIPAA-ready services; during that process, the client must accept an IBM BAA. An IBM BAA may also be obtained by contacting an IBM Sales Representative. The IBM Cloud BAA can be found on the IBM SLA terms BAA page.

IBM Cloud also requires BAAs with its vendors who qualify as IBM business associates, requiring of them the same safeguards for HIPAA-regulated data.

Once a client configures an IBM Cloud account to utilize HIPAA-ready services, those services are identified in the IBM Cloud Catalog to help clients know whether or not they have selected a HIPAA-ready offering.

IBM Service Descriptions (SDs) indicate if a given offering maintains HIPAA-ready status.

IBM Cloud services that are HIPAA-ready are listed below.


