HIPAA at DO

Learn how we protect health information and support your organization's privacy goals.

Overview

The United States' Health Insurance Portability and Accountability Act (“HIPAA”) is a federal law that established national standards to protect a patient's protected health information (“PHI”) or electronic protected health information (“ePHI”) from being disclosed without the patient's consent or knowledge. HIPAA applies both to “Covered Entities” (e.g., healthcare providers, health plans, and healthcare clearinghouses) and to “Business Associates,” who perform activities at a Covered Entity's request that involve the use or disclosure of PHI and/or ePHI. For a cloud service provider, the applicable requirements are those of the HIPAA Security Rule, which aims to ensure the confidentiality, integrity, and availability of ePHI while allowing Covered Entities and Business Associates to adopt new technologies that improve the quality and efficiency of patient care.

DigitalOcean's Support of HIPAA and Healthcare Privacy

The Company provides security, privacy, and risk management features intended to support customers with their internal HIPAA adherence and assessment efforts. The information in this section describes certain capabilities, tools, and transparency resources available through the Company's services and is provided for informational purposes only. These features do not constitute a representation or guarantee of HIPAA adherence.

Privacy Management

  • The Company undergoes an annual risk assessment, performed by our external auditors, to attest to our adherence to HIPAA, the HIPAA Security Rule, and the HITECH Breach Notification Requirements. A copy of this assessment can be found within our Trust Center.
  • We hold a Global PRP certification to evidence the strength of the technical safeguards we have in place to maintain our HIPAA posture.
  • We offer a Business Associate Agreement (“BAA”), which outlines both DigitalOcean's and DigitalOcean's customers' obligations. Please contact your DigitalOcean sales representative to execute a BAA.

Security Controls

  • We require employees and contractors who may interact with ePHI to complete HIPAA-specific training to familiarize themselves with acceptable use protocols associated with ePHI.
  • We maintain logical access policies and procedures, utilizing mechanisms such as multi-factor authentication (MFA), single sign-on (SSO), and secure shell protocol (SSH).
  • We configure logging and monitoring systems to collect data from production hosts, analyze potential security vulnerabilities, and alert the security team when predefined thresholds are met.
  • We maintain incident response policies, procedures, and playbooks to help contain, mitigate, and eradicate threats during a security incident.
  • We perform vulnerability scans and annual third-party penetration tests to identify and remediate potential threats.
  • We deploy various encryption methodologies across our systems.

Operational Resilience

  • We provide real-time updates to our service infrastructure on the DigitalOcean Status Page.
  • We provide Service-Level Agreements for applicable services.
  • We maintain logging and monitoring systems to analyze resource utilization and performance, ensuring our teams are alerted to any issues requiring attention.
  • We have dedicated resources for managing platform availability and resiliency incidents. These resources review incident trends, conduct post-incident reviews, and manage post-incident mitigation activities.
  • We review business continuity and disaster recovery plans on an annual basis.

Third-Party Risk Management

  • We perform due diligence and security reviews on vendors that store or access customer data as a component of the onboarding process.
  • We require business associates and subcontractors to enter into written agreements for the protection and safety of ePHI they may process for the Service.

DigitalOcean Service Customer Controls and HIPAA Compliance Considerations

Customers are responsible for evaluating whether the services they deploy are configured, monitored, and governed in a manner appropriate for their compliance obligations. Customers may access additional information and supporting documentation to assist in their further evaluation of the following areas:

Business Associate Agreements

DigitalOcean's Product Scope

Customers are responsible for uploading ePHI exclusively to DigitalOcean's HIPAA Eligible products.

Data Encryption

While DigitalOcean provides TLS for web communications and full disk encryption for workstations, customers are responsible for ensuring that ePHI is appropriately encrypted at rest and in transit within their specific applications.

Backup and Recovery

DigitalOcean provides infrastructure in multiple regions; however, customers are responsible for implementing their own backup strategies to ensure the availability of copies of ePHI as the customer may require.

Access Management

Customers are responsible for managing their own user accounts, permissions, and authentication settings for the applications they build on DigitalOcean.

Compliance Reports

DigitalOcean's independent HIPAA attestation report, which evaluates our information security program against HIPAA Security Rule and HITECH Breach Notification criteria, is available on our Security Reports & Certifications Center.
