September 2021
NetApp offers a number of solutions in on-premises, hybrid, and public cloud services that are capable of meeting the privacy and security requirements of HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law that established principles for safeguarding sensitive patient information against disclosure without a patient’s consent. The regulations issued under HIPAA set national standards for the use, disclosure, and protection of sensitive personal health information, which HIPAA defines as protected health information (PHI). PHI includes personally identifiable information about a patient such as health records, lab test results, and medical bills.
Two rules implement HIPAA requirements:
When a covered entity enlists the services of a cloud service provider (CSP), such as NetApp, to create, receive, maintain, or transmit PHI on its behalf, the CSP is considered to be a business associate under HIPAA. HIPAA regulations also apply to these business associates of covered entities that perform functions involving the use or disclosure of PHI.
The relationship between the CSP and the covered entity is governed by a HIPAA-compliant Business Associate Agreement (BAA), a contract that specifies each party’s responsibilities for PHI. The CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with applicable HIPAA requirements.
NetApp cloud services host and manage data on behalf of customers. Because NetApp does not restrict the type of data that our services can manage, it’s possible for a customer to use a NetApp cloud service to store or process PHI. In this context, NetApp would be characterized as a business associate. To support the HIPAA compliance of customers, NetApp would enter into a Business Associate Agreement for every NetApp service that has received Service Organization Controls (SOC) 2 Type 2 certification.
To support the compliance of NetApp services with HIPAA, NetApp relies on our SOC 2 Type 2 certifications by an independent third party. A SOC 2 report reflects a service auditor's attestation regarding a service organization’s description of its system and the suitability of the design of its controls with respect to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports offer assurance to customers that NetApp controls reasonably protect the confidentiality and privacy of user information processed by the system.
Get a complete list of NetApp in-scope services with SOC 2 Type 2 certifications.
The U.S. Department of Health and Human Services has not currently approved a certification standard to demonstrate a business associate’s compliance with HIPAA.
NetApp offers a BAA for any NetApp cloud service that has obtained a SOC 2 Type 2 certification.
No. A BAA with NetApp can help support your organization’s HIPAA compliance, but using NetApp’s services doesn’t achieve HIPAA compliance on its own. Your organization is responsible for ensuring that you have implemented an adequate compliance program and supportive internal processes, and that your specific use of NetApp services accommodates your HIPAA obligations.
We cannot use a customer's BAA. NetApp’s services are standardized for all our customers, so our operations must be consistent for everyone. The NetApp HIPAA BAA closely reflects how we operate and is consistent with industry operations for the protection of PHI in cloud services.