The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that sets national standards for protecting the privacy and security of protected health information (PHI). It includes rules that govern how Covered Entities and their Business Associates use, disclose, protect, and provide access to PHI across electronic, paper, and oral formats.
Under HIPAA:
MongoDB is a Business Associate, meaning an entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity.
MongoDB's customers are usually Covered Entities, such as healthcare providers, health plans, or healthcare clearinghouses, that create, receive, maintain, or transmit PHI, but MongoDB's customers can also be Business Associates.
Protected Health Information (PHI) is any individually identifiable health information held by a Covered Entity or Business Associate, including, for example, names, addresses, Social Security numbers, medical records, test results, and insurance information.
HIPAA establishes the following core rules for compliance:
Privacy Rule: governs how protected health information (PHI) can be used and disclosed, and gives individuals rights over their health information
Security Rule: governs how Covered Entities and their Business Associates must protect individuals' electronic protected health information (ePHI)
Breach Notification Rule: governs how Covered Entities and their Business Associates provide notification following a breach of unsecured PHI
We understand that HIPAA compliance is a shared responsibility between MongoDB, you, and your end customers. The following sections describe how MongoDB Atlas features can support your compliance with these core HIPAA rules.
Important
To learn more about MongoDB's privacy and data protection program, including information on our Data Processing Agreement, see:
MongoDB has completed an independent assessment of its HIPAA Security Rule compliance. To obtain a copy of the independent practitioner's report:
Existing customers can request a copy through the Customer Trust Portal
Prospective customers can request access by contacting the MongoDB Sales team
Connect with our Sales team to request a Business Associate Agreement (BAA). To learn more, see the HIPAA and Atlas For Government page in the MongoDB Trust Center.
Privacy Rule
MongoDB Atlas provides features that support compliance for the Privacy Rule:
Individual Right of Access and Record Rectification
The Privacy Rule gives individuals rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections where appropriate.
The following MongoDB Atlas features support compliance in this area:
The Atlas UI and MongoDB Drivers allow authorized users to securely connect to your MongoDB Atlas deployment and view, create, update, or delete documents containing an individual's PHI in accordance with your policies.
Atlas's robust query capabilities enable authorized users to locate and retrieve an individual's PHI using rich filters and aggregation capabilities.
Data Retention and Secure Disposal
The Privacy Rule sets standards for how Covered Entities should protect PHI throughout its lifecycle, including when PHI is no longer needed and must be securely disposed of.
The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
Guidance for Atlas Backups: Create backups of your data for recovery purposes during its retention period, enable compliance policies to prevent backups from being modified or deleted, and securely delete backups when they are no longer needed.
Guidance for Atlas Data Encryption: Use encryption features to protect PHI at rest, in transit, and in use throughout its lifecycle, including when it is being deleted.
Minimum Necessary Standard (Data Minimization)
The Privacy Rule's minimum necessary standard is the principle that Covered Entities must take reasonable steps to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.
The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
Guidance for Atlas Auditing and Logging: Monitor, record, and review database events such as user authentication attempts and permission adjustments that impact access to PHI.
Guidance for Atlas Data Encryption: Apply encryption-in-use techniques such as Client-Side Field Level Encryption (CSFLE) and Queryable Encryption to limit exposure of sensitive PHI to only the application components and users that are authorized to see it.
Security Rule
MongoDB Atlas provides features that support compliance for the Security Rule:
Encryption and Transmission Security
The Security Rule sets standards for how Covered Entities must ensure the confidentiality, integrity, and availability of ePHI, including by implementing technical security measures guarding against unauthorized access to ePHI that is being transmitted over an electronic network.
The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
Guidance for Atlas Data Encryption: Ensure data encryption in transit (TLS), at rest (AES-256, BYOK, CMK, KMS, or TDE), and in use (CSFLE with randomized encryption, or Queryable Encryption).
Guidance for Atlas Network Security: Safeguard network access to Atlas clusters and protect ePHI during transmission with encryption in transit, IP access lists, firewall configurations, private endpoints, and network isolation.
Access Control
The Security Rule requires that only authorized personnel have access to ePHI.
The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
Guidance for Atlas Authentication: Implement access control and user authentication to protect ePHI through secure identity management, including support for Federated Authentication with IdPs, AWS IAM role authentication, multi-factor authentication (MFA), and more.
Guidance for Atlas Authorization: Implement workforce security, information access management, and assigned security responsibility to ensure that only authorized personnel can access ePHI based on their specific job functions and responsibilities.
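Role-based access in MongoDB is expressed as privilege documents that pair a resource (database and collection) with a list of actions, and roles can inherit other roles. The following added example, which is not MongoDB's or Atlas's own code, evaluates whether a role grants a given action on a given collection using the `privileges`/`resource`/`actions` shape that MongoDB's `createRole` command accepts; the role names, the `clinic` database and its collections are assumptions made up for illustration. It lets a reviewer confirm that each job function reaches only the ePHI it needs before the role is created in Atlas.

```python
"""Check what a MongoDB role can do, using createRole-style privilege documents.

Added example, not MongoDB's own code. Role names, the `clinic` database
and the collections below are assumptions for illustration.
"""

# Constructed least-privilege roles. In a MongoDB resource document,
# `collection: ""` means every collection in the named database.
ROLES = {
    "frontDesk": {
        "privileges": [
            {"resource": {"db": "clinic", "collection": "appointments"},
             "actions": ["find", "insert", "update"]},
        ],
        "roles": [],
    },
    "clinician": {
        "privileges": [
            {"resource": {"db": "clinic", "collection": "patients"},
             "actions": ["find", "update"]},
        ],
        # Inherits the front-desk privileges on appointments.
        "roles": [{"role": "frontDesk", "db": "clinic"}],
    },
    "auditor": {
        "privileges": [
            {"resource": {"db": "clinic", "collection": ""}, "actions": ["find"]},
        ],
        "roles": [],
    },
}


def resource_matches(resource, db, coll):
    """Apply MongoDB resource-document semantics to a db.coll target."""
    if resource.get("cluster"):
        return False  # cluster-scoped privileges do not cover collection actions
    r_db, r_coll = resource.get("db", ""), resource.get("collection", "")
    db_ok = r_db == "" or r_db == db
    coll_ok = r_coll == "" or r_coll == coll
    return db_ok and coll_ok


def effective_privileges(role_name, roles=ROLES, seen=None):
    """Collect a role's own privileges plus those of roles it inherits.

    Simplification: roles are looked up by name only, ignoring the `db` of
    the inherited-role reference. `seen` guards against inheritance cycles.
    """
    seen = set() if seen is None else seen
    if role_name in seen or role_name not in roles:
        return []
    seen.add(role_name)
    role = roles[role_name]
    privs = list(role["privileges"])
    for inherited in role["roles"]:
        privs.extend(effective_privileges(inherited["role"], roles, seen))
    return privs


def is_allowed(role_name, db, coll, action, roles=ROLES):
    """True if any effective privilege grants `action` on db.coll."""
    return any(
        action in p["actions"] and resource_matches(p["resource"], db, coll)
        for p in effective_privileges(role_name, roles)
    )


def least_privilege_report(role_name, action, targets, roles=ROLES):
    """List the targets on which a role may perform `action`, for review."""
    return [f"{db}.{coll}" for db, coll in targets
            if is_allowed(role_name, db, coll, action, roles)]


if __name__ == "__main__":
    targets = [("clinic", "patients"), ("clinic", "appointments")]
    for name in ROLES:
        print(name, "can find:", least_privilege_report(name, "find", targets))
        print(name, "can remove:", least_privilege_report(name, "remove", targets))
```

Running the report for each role against the collections that hold PHI, and for destructive actions such as `remove`, is a quick way to catch a role that grants more than its job function requires; the same privilege documents can then be submitted unchanged to `createRole`.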
Breach Notification Rule
MongoDB Atlas provides features that support compliance for the Breach Notification Rule:
Auditing and Information System Activity Review
The Breach Notification Rule asks Covered Entities and Business Associates to implement mechanisms that record and examine activity in information systems containing or using ePHI.
The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
Guidance for Atlas Auditing and Logging: Monitor, record, and review database events such as user authentication attempts and permission adjustments.
Guidance for Atlas Monitoring and Alerts: Track cluster health, performance, and operational metrics, and configure alerts that can surface anomalous activity relevant to ePHI.
You can also use Atlas Stream Processing to build custom data processing pipelines on top of real-time data streams, including Kafka topics, Kinesis, and Atlas Change Streams. Change Streams are a native MongoDB feature that exposes an ordered stream of change events (insert, update, delete, and so on) from your MongoDB collections, databases, or clusters. You can integrate Atlas Stream Processing with third-party monitoring and logging tools to create a comprehensive view of system activity for your applications that process ePHI.
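The following added example, which is not MongoDB's or Atlas's own code, shows the kind of activity-review logic a consumer of a change stream would apply before forwarding events to a monitoring or logging tool. The event documents are constructed by hand in the shape a change stream delivers (`operationType`, `ns`, `documentKey`, `fullDocument`, `updateDescription`); the `clinic` database, the `patients` collection and the list of PHI field names are assumptions for illustration. Each event becomes an audit record that names which PHI fields were touched without copying their values, and a batch with many deletes against a PHI collection is flagged for review.

```python
"""Turn MongoDB change events into audit records and flag bulk deletes.

Added example, not MongoDB's own code. Events below are constructed in the
change-event shape; database, collection and PHI field names are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

# Assumption: fields in the `patients` collection that hold PHI.
PHI_FIELDS = {"name", "ssn", "address", "diagnosis", "insurance"}

# Constructed sample events. A real consumer would read them from
# collection.watch(full_document="updateLookup") with pymongo.
SAMPLE_EVENTS = [
    {"operationType": "insert", "ns": {"db": "clinic", "coll": "patients"},
     "documentKey": {"_id": 101},
     "fullDocument": {"_id": 101, "name": "A. Example", "ssn": "000-00-0000"}},
    {"operationType": "update", "ns": {"db": "clinic", "coll": "patients"},
     "documentKey": {"_id": 101},
     "updateDescription": {"updatedFields": {"diagnosis": "J06.9"},
                           "removedFields": []}},
    {"operationType": "update", "ns": {"db": "clinic", "coll": "appointments"},
     "documentKey": {"_id": 7},
     "updateDescription": {"updatedFields": {"time": "09:00"},
                           "removedFields": []}},
] + [
    # Ten deletes in one batch against the PHI collection.
    {"operationType": "delete", "ns": {"db": "clinic", "coll": "patients"},
     "documentKey": {"_id": i}} for i in range(200, 210)
]


def phi_fields_touched(event):
    """Return the PHI field names an event creates, changes or removes."""
    op = event["operationType"]
    if op == "insert":
        return set(event.get("fullDocument", {})) & PHI_FIELDS
    if op == "update":
        desc = event.get("updateDescription", {})
        touched = set(desc.get("updatedFields", {})) | set(desc.get("removedFields", []))
        return touched & PHI_FIELDS
    return set()


def to_audit_record(event):
    """Build an audit record that names PHI fields but never copies their values."""
    ns = event["ns"]
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "op": event["operationType"],
        "namespace": f"{ns['db']}.{ns['coll']}",
        "doc_id": str(event["documentKey"]["_id"]),
        "phi_fields": sorted(phi_fields_touched(event)),
    }


def find_bulk_deletes(events, threshold=5):
    """Return namespaces whose delete count in this batch reaches the threshold."""
    counts = Counter(f"{e['ns']['db']}.{e['ns']['coll']}"
                     for e in events if e["operationType"] == "delete")
    return {ns: n for ns, n in counts.items() if n >= threshold}


def audit_batch(events, threshold=5):
    """Produce (audit records, bulk-delete alerts) for a batch of events."""
    return [to_audit_record(e) for e in events], find_bulk_deletes(events, threshold)


if __name__ == "__main__":
    records, alerts = audit_batch(SAMPLE_EVENTS)
    for record in records:
        print(record)
    print("bulk delete alerts:", alerts)
```

Keeping field values out of the audit record matters because the log destination is usually a third-party tool that is not itself covered by the same controls as the cluster; recording only the field names, operation and document id gives reviewers what they need to spot unexpected access to PHI without creating a second copy of it.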
Breach Notification and Incident Response
The Breach Notification Rule sets standards for how Covered Entities and Business Associates should provide notification following a breach of unsecured PHI.
Third-party integrations with SIEM and alerting tools such as PagerDuty, Microsoft Teams, and Prometheus support alert routing, on-call notification, and coordinated incident response workflows.
Contingency Planning: High Availability and Disaster Recovery
MongoDB Atlas provides features that support contingency planning to ensure the availability and recoverability of ePHI in the event of an emergency or other event that damages systems containing ePHI.
The following MongoDB Atlas Architecture Center articles describe Atlas features that support compliance in this area:
Guidance for Atlas High Availability: Create cluster configurations that meet your availability needs and expedite recovery from disasters through automated failover and data replication.
Guidance for Atlas Backups: Create and manage backups of your Atlas clusters to meet your RPO and RTO goals.
Guidance for Atlas Disaster Recovery: Create a disaster recovery plan with steps to take if you experience an outage, accidental deletion of production data, and more.