IBM Cloud is a cloud computing platform that provides a wide range of services, including infrastructure, platform, and software solutions, to businesses and organizations of all sizes.
Is IBM Cloud HIPAA compliant?
Yes, based on our research, IBM Cloud can be HIPAA compliant.
Will IBM Cloud sign a business associate agreement (BAA)?
Yes, IBM Cloud will sign a BAA. IBM Cloud's Compliance Guide explicitly states its willingness to sign a BAA with healthcare entities. Specifically, IBM Cloud mentions: "IBM Cloud has policies and procedures to help IBM comply with its HIPAA obligations as a business associate, including cases where IBM stores and transmits PHI. IBM's responsibility to the covered entity client is specified in the applicable Business Associate Agreement (BAA)."
What does the IBM Cloud BAA cover?
The IBM Cloud BAA covers:
- Protection of PHI
- Security incident notifications
- Access requests from Health and Human Services (HHS)
- Individual right of access requests
- Return of PHI upon contract termination
- Auditing and reporting
What does the IBM Cloud BAA exclude?
IBM Cloud’s BAA focuses on secure cloud services and does not cover direct patient care or other services beyond cloud infrastructure and data management. The BAA may not cover using non-healthcare-specific applications within IBM Cloud services.
Conclusion
IBM Cloud is HIPAA compliant, as it signs a BAA and offers HIPAA-ready services designed to handle PHI securely.
FAQs
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI). HIPAA is designed to ensure that healthcare providers and insurers can securely exchange electronic health information.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities, which are entities that perform certain functions or activities on behalf of the covered entity.