Is IBM Cloud HIPAA Compliant?

IBM Cloud is a service offered by IBM that lets organizations build cloud-native apps, develop mobile and web services, host infrastructure and run other cloud-based services that share, process and analyze data. Many healthcare organizations and health plans have already used IBM Cloud to give patients easier access to their health data. However, is IBM Cloud compliant with HIPAA rules? Can healthcare organizations in the United States use it to host infrastructure, store files and develop health apps?

IBM's cloud platform is very secure. Its software and services have built-in security controls intended to keep sensitive data confidential and accessible only to authorized persons. It also comes with audit and security reports that give clients the ability to analyze and manage risks.

Aside from providing a secure cloud platform, IBM has been entering into business associate agreements since 2014 for its social, meeting, mobile and mail cloud offerings. With IBM Cloud in particular, the BAA details the responsibilities for securing the technical and physical control of the data centers, the permitted uses and disclosures of PHI, the reporting requirement when a security breach occurs and the use of subcontractors.

Before any healthcare organization uses IBM Cloud services in conjunction with PHI, it must make sure that a BAA has been signed with IBM. IBM also helps HIPAA covered entities and business associates correctly configure cloud applications and set up their privacy and security settings.

So, is IBM Cloud compliant with HIPAA rules? The answer is YES. IBM makes sure that its cloud platform specifications satisfy all the requirements of the HIPAA Security Rule. It is willing to enter into a business associate agreement with HIPAA covered entities and agree to follow the HIPAA Privacy Rule and Breach Notification Rule.

Nevertheless, covered entities also have to do their part to make sure that no HIPAA rules are violated. They need to double-check that all cloud-based infrastructure and applications are correctly configured. All stored PHI must be secured and monitored regularly as well.