The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established requirements for the use, disclosure and safe storage of protected health information (PHI) and was updated in 2009 via the Health Information Technology for Economic and Clinical Health (HITECH) amendment.
Covered entities that are subject to HIPAA—including doctors, hospitals, and health insurance companies—and their affiliated business associates must implement and maintain a set of technical, administrative and physical controls designed to safeguard protected health information (PHI).
Reports and other documentation
Read the IBM Cloud HIPAA guide
Clients can build HIPAA-ready environments and applications using IBM Cloud®.
When client-covered entities choose to manage PHI while using IBM Cloud services, IBM is the business associate of that covered entity. IBM may also be the business associate of a third-party vendor that is the business associate of the covered entity. IBM Cloud has policies and procedures to demonstrate its compliance with HIPAA obligations as a business associate, including cases where PHI is in the IBM Cloud.
IBM clients who are subject to HIPAA and who wish to use IBM Cloud products for HIPAA regulated data must enter into a Business Associate Agreement (BAA) with IBM, which defines responsibilities held by the covered entity, by IBM and those that are shared. IBM Cloud Catalog clients can configure an IBM Cloud account to utilize HIPAA-ready services and during that process, a client must accept an IBM BAA. IBM BAAs may also be achieved by contacting an IBM Sales Representative. The IBM Cloud BAA can be located on the IBM SLA terms BAA page.
IBM Cloud also requires BAAs with its vendors who qualify as IBM business associates, requiring of them the same safeguards for HIPAA regulated data.
Once a client configures an IBM Cloud account to utilize HIPAA-ready services, those services are identified in the IBM Cloud Catalog to help clients know whether or not they have selected a HIPAA-ready offering.
IBM Service Descriptions (SDs) indicate if a given offering maintains HIPAA-ready status.
IBM Cloud services that are HIPAA-ready are listed below.
Services
- IBM Cloud Activity Tracker (via Mezmo)
- IBM Cloud App ID
- IBM Cloud Bare Metal
- IBM Cloud Block Storage
- IBM Cloud Block Storage for VPC
- IBM Cloud Databases for Datastax
- IBM Cloud Databases for Elasticsearch
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for etcd
- IBM Cloud Databases for MongoDB Enterprise
- IBM Cloud Databases for MongoDB Standard
- IBM Cloud Databases for MySQL
- IBM Cloud Databases for PostgreSQL
- IBM Cloud Databases for Redis
- IBM Cloud Data Engine
- IBM Cloud Direct Link
- IBM Cloud File Storage
- IBM Cloud for VMware Solutions (Dedicated)
- IBM Cloud Functions
- IBM Cloud Hardware Security Module
- IBM Cloud Hyper Protect Crypto Services
- IBM Cloud Hyper Protect Virtual Servers
- IBM Cloud Hyper Protect Virtual Server for Virtual Private Cloud
- IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
- IBM Cloud LinuxONE Virtual Server for Virtual Private Cloud
- IBM Cloud Messages for RabbitMQ
- IBM Cloud Object Storage
- IBM Cloud Object Storage (IaaS)
- IBM Cloud Secrets Manager
- IBM Cloud Virtual Private Cloud
- IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
- IBM Cloud Virtual Private Cloud - VPN for VPC: Site-to-Site Gateway
- IBM Cloud Virtual Server for VPC
- IBM Cloud Virtual Server for VPC - Auto Scale for VPC
- IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
- IBM Cloud Virtual Servers
- IBM Cloud Wazi as a Service
- IBM Cloudant® Dedicated Cluster
- IBM Cloudant for IBM Cloud
- IBM Event Streams for IBM Cloud (Enterprise)
- IBM Key Protect for IBM Cloud
- IBM Log Analysis (via Mezmo)
- IBM Power Virtual Server on IBM Cloud