
HIPAA

For organizations in healthcare and related fields subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), MongoDB Cloud is HIPAA-ready and enables covered entities and their business associates to use a secure cloud database environment to process, maintain, and store protected health information (PHI).

Existing customers can request documentation here. Prospective customers, please contact us.


What is HIPAA?

HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. Specifically, HIPAA requires compliance with the following:

  •  Privacy Rule: National standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
  •  Security Rule: National standards to protect individuals’ medical records and other personal health information. The rule applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically.
  •  Breach Notification Rule: Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Who does HIPAA apply to?

HIPAA applies to organizations that are considered HIPAA-covered entities, including healthcare providers, health plans, and healthcare clearinghouses. However, most healthcare providers and health plans do not work in isolation and often use the services of a variety of other persons or businesses. HIPAA also requires covered entities that work with these HIPAA “business associates” to produce a contract that imposes specific safeguards on the PHI that the business associate uses or discloses.

What is a Business Associate Addendum (BAA)?

Under the HIPAA regulations, database service providers such as MongoDB are considered business associates. The Business Associate Addendum (BAA) is a MongoDB contract that is required under HIPAA regulations to ensure that MongoDB appropriately safeguards PHI. The BAA also serves to clarify and limit the permissible uses and disclosures of PHI by MongoDB. Connect with our Sales team to request a BAA.

Can my organization enter into a BAA with MongoDB?

Yes. MongoDB has a standard BAA that we present to customers for signature. Please connect with our Sales team to begin the process.

Which services does a signed BAA with MongoDB cover?

The MongoDB BAA covers MongoDB Atlas, Atlas App Services, MongoDB Charts, Atlas Serverless, Cloud Manager, and MongoDB Atlas Data Lake. Any products or features that are in beta, preview, or similar are not in scope.

Does having a BAA with MongoDB ensure my compliance with HIPAA?

It does not. The MongoDB BAA helps support your HIPAA compliance, but using MongoDB Cloud does not, on its own, achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and appropriate internal processes in place that align with HIPAA requirements.

Is MongoDB Cloud HIPAA certified?

There is no certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance, and complying with HIPAA is a shared responsibility between the customer and MongoDB. MongoDB Cloud can be used to build HIPAA-compliant applications (within the scope of a BAA), but customers are ultimately responsible for evaluating their own HIPAA compliance.

Has MongoDB Cloud been examined for HIPAA compliance?

Yes. MongoDB has undertaken an Independent Practitioner's Report assessing its compliance with requirements of the Health Insurance Portability and Accountability Act ("HIPAA") Security Standards for the Protection of Electronic Protected Health Information ("HIPAA Security Rule"), and the Notification in the Case of Breach of Unsecured Protected Health Information enacted as part of the American Recovery and Reinvestment Act of 2009 ("HITECH Breach Notification Requirements").

The report finds that MongoDB's description of its information security program "fairly presents the information security program supporting MongoDB Cloud that was provided to user entities, as of September 30, 2020", and "the information security program conformed to the applicable implementation specifications within the HIPAA Security Rule and the HITECH Breach Notification Requirements, as described in Part 164 of CFR 45, as of September 30, 2020."

Who performed the examination of MongoDB Cloud?

Schellman and Company, LLC performed the examination and authored the Independent Practitioner's Report on the Information Security and Privacy Program for the MongoDB Cloud System Related to HIPAA and HITECH.

Is a copy of the Independent Practitioner's Report available?

Yes, a copy of the report is available to organizations that have completed an NDA with MongoDB. Existing customers can request documentation here. Prospective customers, please contact us.

This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.
