The Health Information Trust Alliance (HITRUST) Common Security Framework is a guide to regulatory compliance and risk management for the healthcare industry.
MongoDB maintains a SOC 2 + HITRUST certification report, mapping MongoDB’s SOC 2 Type II controls to the 75 required HITRUST controls for certification. MongoDB’s cloud services are not HITRUST CSF certified, but our SOC 2 + HITRUST certification report covers all applicable HITRUST CSF controls.
HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. Complying with HIPAA is a shared responsibility between a healthcare organization and any of its suppliers connected to medical information (for example, MongoDB). There is no official certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance.
HITRUST CSF is an independent security and compliance framework that is based in part on the HIPAA regulations. HITRUST CSF is one way of assessing HIPAA compliance, but it is not the only way. HITRUST CSF certification on its own also does not guarantee HIPAA compliance; you should evaluate your controls against HIPAA requirements. Learn more about HITRUST and HIPAA.
MongoDB’s cloud products are HIPAA Ready and have been examined by an independent auditor for compliance with HIPAA regulations. Learn more about MongoDB and HIPAA.
No. Instead of pursuing HITRUST CSF Certification, MongoDB has opted for a SOC 2 + HITRUST certification report for MongoDB’s cloud services, issued by an independent auditor. This report maps the controls of MongoDB’s SOC 2 Type II report to the HITRUST CSF.
Mapping requirements between SOC 2 and HITRUST is an approach recommended by both AICPA (SOC) and HITRUST. Read more.
Yes, a copy of the report is available to organizations that have completed an NDA with MongoDB.
Existing customers can request documentation here. Prospective customers, please contact us.
This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.
Launch a new app or migrate to MongoDB Atlas with zero downtime