Enabling healthcare innovation on the most approachable and simple cloud platform
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that mandated the creation of national standards to protect sensitive Protected Health Information (PHI) and electronic Protected Health Information (ePHI). In response, the U.S. Department of Health and Human Services (HHS) issued four implementing regulations to operationalize the requirements of HIPAA: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Collectively, these regulations outline the standards Covered Entities and Business Associates subject to HIPAA must adhere to.
Because many of our customers need to host HIPAA workloads on DigitalOcean, DigitalOcean conducted a rigorous review of our systems and services against the requirements of HIPAA so that customers can host electronic Protected Health Information (ePHI) on select DigitalOcean Covered Products.
Customers who wish to process HIPAA workloads on DigitalOcean Covered Products must also execute DigitalOcean’s Business Associate Agreement (BAA) and sign up for either Standard or Premium Support. Existing customers can request a BAA through their Customer Success representative while new customers can request a BAA by contacting Sales.
Under the HIPAA regulations, cloud service providers (CSPs) such as DigitalOcean are considered Business Associates when they store, process, or transmit ePHI on behalf of a Covered Entity. The Business Associate Agreement (BAA) is a contract required under HIPAA that outlines the obligations the Business Associate and the Covered Entity each assume to safeguard protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by DigitalOcean, based on the relationship between DigitalOcean and our customers and on the activities or services DigitalOcean performs.
Yes. DigitalOcean has a standard Business Associate Agreement (BAA) we present to customers. The document takes into account DigitalOcean’s covered services and is in alignment with [DigitalOcean’s Shared Responsibility Model](https://www.digitalocean.com/security/shared-responsibility-model).
The Business Associate Agreement is generally non-negotiable.
There is no such thing as a HIPAA certification for CSPs like DigitalOcean; HHS does not certify or endorse any vendor's compliance. Select DigitalOcean Covered Products have been built with HIPAA in mind.
You should only process, store, and transmit ePHI on the DigitalOcean Covered Products. For the latest list of Covered Products, please visit our [HIPAA Information Site](https://www.digitalocean.com/trust/hipaa-at-do).
Under the [Shared Responsibility Model](https://www.digitalocean.com/security/shared-responsibility-model), DigitalOcean remains responsible for the security OF the Cloud. Our customers, including those processing HIPAA workloads on DigitalOcean Covered Products, remain responsible for the privacy and security of their workloads and data IN their Cloud instances, including access control, encryption of ePHI at rest and in transit, logging, and the configuration of the services they use.
DigitalOcean remains committed to providing fast response times to all customers, particularly those running the most sensitive workloads. With Standard or Premium Support, technical staff with the appropriate experience are able to provide quick, consistent troubleshooting assistance to customers hosting HIPAA workloads on Covered Products.
Customers are encouraged to consult with legal counsel to determine if a BAA is appropriate for their individual circumstances and processing needs.