HITRUST

The Health Information Trust Alliance (HITRUST) Common Security Framework is a guide to regulatory compliance and risk management for the healthcare industry.

MongoDB maintains a SOC 2 + HITRUST certification report, mapping MongoDB’s SOC 2 Type II controls to the 75 required HITRUST controls for certification. MongoDB’s cloud services are not HITRUST CSF certified, but our SOC 2 + HITRUST certification report covers all applicable HITRUST CSF controls.


What is HITRUST?

The Health Information Trust Alliance (HITRUST) is a privately held company located in the United States that, in collaboration with healthcare industry representatives, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. HITRUST CSF is built on the concepts of ISO 27001, SOC 2 Type II (Confidentiality, Availability and Security Principles) and HIPAA regulations.

How does HITRUST relate to HIPAA?

HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. Complying with HIPAA is a shared responsibility between a healthcare organization and any of its suppliers connected to medical information (for example, MongoDB). There is no official certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance.

HITRUST CSF is an independent security and compliance framework that is based in part on the HIPAA regulations. HITRUST CSF is one way of assessing HIPAA compliance, but it is not the only way. HITRUST CSF certification on its own also does not guarantee HIPAA compliance; you should evaluate your controls against HIPAA requirements. Learn more about HITRUST and HIPAA.

MongoDB’s cloud products are HIPAA Ready and have been examined by an independent auditor for compliance with HIPAA regulations. Learn more about MongoDB and HIPAA.

Is MongoDB Atlas HITRUST CSF certified?

No. Instead of pursuing HITRUST CSF Certification, MongoDB has opted for a SOC 2 + HITRUST certification report for MongoDB’s cloud services, issued by an independent auditor. This report maps the controls of MongoDB’s SOC 2 Type II report to the HITRUST CSF.

Mapping requirements between SOC 2 and HITRUST is an approach recommended by both AICPA (SOC) and HITRUST. Read more.

Who conducted the SOC 2 + HITRUST evaluation of MongoDB Atlas?

Schellman & Company, LLC. Schellman is both a CPA and HITRUST CSF qualified assessor company.

What services are in scope for the SOC 2 + HITRUST certification report?

MongoDB Atlas, Atlas Data Lake, Realm, Atlas Serverless, Cloud Manager, and Charts.

Is a copy of MongoDB’s SOC 2 + HITRUST certification report available?

Yes, a copy of the report is available to organizations that have completed an NDA with MongoDB.

Existing customers can request documentation here. Prospective customers, please contact us.

This page is for informational purposes only, and MongoDB does not intend the information or recommendations presented here to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of MongoDB's services as appropriate to support its legal and compliance obligations.
