For organizations in healthcare and related fields subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), MongoDB Atlas is HIPAA-ready and enables covered entities and their business associates to use a secure cloud database environment to process, maintain, and store protected health information (PHI).
What is HIPAA?
HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. Specifically, HIPAA requires compliance with the following:
Privacy Rule: National standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
Security Rule: National standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
Breach Notification Rule: Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Who does HIPAA apply to?
HIPAA applies to organizations that are considered HIPAA-covered entities, including healthcare providers, health plans, and healthcare clearinghouses. However, most health care providers and health plans do not work in isolation and often use the services of a variety of other persons or businesses. HIPAA also requires covered entities that work with these HIPAA “business associates” to produce a contract that imposes specific safeguards on the PHI that the business associate uses or discloses.
What is a Business Associate Addendum (BAA)?
Under the HIPAA regulations, database service providers such as MongoDB are considered business associates. The Business Associate Addendum (BAA) is a MongoDB contract that is required under HIPAA regulations to ensure that MongoDB appropriately safeguards PHI. The BAA also serves to clarify and limit the permissible uses and disclosures of PHI by MongoDB.
Can my organization enter into a BAA with MongoDB?
Yes. MongoDB has a standard BAA that we present to customers for signature. Please contact us to begin the process.
Which services does a signed BAA with MongoDB cover?
The MongoDB BAA covers MongoDB Atlas.
Does having a BAA with MongoDB ensure my compliance with HIPAA?
It does not. The MongoDB BAA helps support your HIPAA compliance, but using MongoDB Atlas does not, on its own, achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and appropriate internal processes in place that align with HIPAA requirements.
Is MongoDB Atlas HIPAA certified?
It is important to note that there is no certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance and that complying with HIPAA is a shared responsibility between the customer and MongoDB. MongoDB Atlas can be used to build HIPAA compliant applications (within the scope of a BAA) but customers are ultimately responsible for evaluating their own HIPAA compliance.
This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.