HIPAA at DO

Enabling healthcare innovation on the most approachable and simple cloud platform

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that mandated the creation of national standards to protect sensitive Protected Health Information (PHI) and electronic Protected Health Information (ePHI). In response, the U.S. Department of Health and Human Services (HHS) issued four implementing regulations to operationalize the requirements of HIPAA: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Collectively, these regulations outline the standards Covered Entities and Business Associates subject to HIPAA must adhere to.

What you need to know about hosting ePHI HIPAA workloads on DigitalOcean Covered Products?

Understanding how important it is to our customers to be able to host HIPAA workloads on select DigitalOcean services, DigitalOcean conducted a rigorous review of our systems and services in accordance with the requirements of HIPAA to allow customers to host electronic Protected Health Information (ePHI) on select DigitalOcean Covered Products.

Customers who wish to process HIPAA workloads on DigitalOcean Covered Products must also execute DigitalOcean’s Business Associate Agreement (BAA) and sign up for either Standard or Premium Support. Existing customers can request a BAA through their Customer Success representative while new customers can request a BAA by contacting Sales.

Frequently Asked Questions

What is a Business Associate Agreement (BAA)?

Under the HIPAA regulations, cloud service providers (CSPs) such as DigitalOcean are considered business associates. The Business Associate Agreement (BAA) is a contract that is required under HIPAA that outlines the obligations the Business Associate and Covered Entity assume to safeguard protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by DigitalOcean, based on the relationship between DigitalOcean and our customers, and the activities or services being performed by DigitalOcean.

Will DigitalOcean sign a BAA as described in the HIPAA rules and regulations?

Yes. DigitalOcean has a standard Business Associate Agreement (BAA) we present to customers. The document takes into account DigitalOcean’s covered services and is in alignment with DigitalOcean’s Shared Responsibility Model.

Can my organization request to modify the BAA?

The Business Associate Agreement is generally non-negotiable.

Is DigitalOcean HIPAA certified?

There is no such thing as a HIPAA certification for CSPs like DigitalOcean. Select DigitalOcean Covered Products have been built with HIPAA in mind.

What services can I use for HIPAA workloads if I have a BAA with DO?

You should only process, store, and transmit ePHI on the DigitalOcean Covered Products. For the latest list of Covered Products, please visit our HIPAA Information Site.

Does processing HIPAA workloads on select DigitalOcean Covered Products change my relationship with DigitalOcean relative to the Shared Responsibility Model?

Under the Shared Responsibility Model, DigitalOcean remains responsible for the Security OF the Cloud. Our customers, including those processing HIPAA workloads on DigitalOcean Covered Products, remain responsible for the privacy and security of their workloads and data IN their Cloud instance.

Why do I need to purchase Standard or Premium Support?

DigitalOcean remains committed to providing the fast response times to all customers, particularly those running the most sensitive workloads. With Standard or Premium Support, technical staff with the appropriate experience are able to provide quick, consistent troubleshooting assistance to customers hosting HIPAA workloads on Covered Products.

Is a BAA required if I am an international customer and am processing ePHI?

Customers are encouraged to consult with legal counsel to determine if a BAA is appropriate for their individual circumstances and processing needs.