NetApp offers a number of solutions in on-premises, hybrid, and public cloud services that are capable of meeting the privacy and security requirements of HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law that established principles for safeguarding sensitive patient information against disclosure without a patient’s consent. The regulations issued under HIPAA set national standards for the use, disclosure, and protection of sensitive personal health information, which HIPAA defines as protected health information (PHI). PHI includes personally identifiable information about a patient such as health records, lab test results, and medical bills.
Two rules implement HIPAA requirements:
When a covered entity enlists the services of a cloud service provider (CSP), such as NetApp, to create, receive, maintain, or transmit PHI on its behalf, the CSP is considered to be a business associate under HIPAA. HIPAA regulations also apply to these business associates of covered entities that perform functions involving the use or disclosure of PHI.
The relationship between the CSP and the covered entity is governed by a HIPAA-compliant Business Associate Agreement (BAA), a contract that specifies each party’s responsibilities for PHI. The CSP is both contractually liable for meeting the terms of the BAA and directly liable for protecting compliance with applicable HIPAA requirements.
NetApp cloud services host and manage data on behalf of customers. Because NetApp does not restrict the type of data that our services can manage, it’s possible for a customer to use a NetApp cloud service to store or process PHI. In this context, NetApp would be characterized as a business associate. To support the HIPAA compliance of customers, NetApp would enter into a Business Associate Agreement for every NetApp service that has received Service Organization Controls (SOC) 2 Type 2 certification.
To support the compliance of NetApp services with HIPAA, Net App relies on our SOC 2 Type 2 certifications by an independent third party. A SOC 2 report reflects a service auditor's attestation regarding a service organization’s description of its system and the suitability of the design of its controls with respect to Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports offer assurance to customers that NetApp controls reasonably protect the confidentiality and privacy of user information processed by the system.
Get a complete list of NetApp in-scope services with SOC 2 Type 2 certifications.
The U.S. Department of Health and Human Services has not currently approved a certification standard to demonstrate a business associate’s compliance with HIPAA.
NetApp offers a BAA for any NetApp cloud service that has obtained a SOC 2 Type 2 certification.
No. A BAA with NetApp can help support your organization’s HIPAA compliance, but using NetApp’s services doesn’t achieve HIPAA compliance on its own. Your organization is responsible to make sure that you have implemented an adequate compliance program and supportive internal processes, and that your specific use of NetApp services accommodates your HIPAA obligations.
We cannot use a customer's BAA. NetApp’s services are standardized for all our customers, so our operations must be consistent for everyone. The NetApp HIPAA BAA closely reflects how we operate and is consistent with industry operations for the protection of PHI in cloud services.
An independent third-party auditor has affirmed that NetApp in-scope cloud and managed services have achieved SOC 2 Type 1 and Type 2 reports based on applicable Trust Services criteria.