HIPAA is US legislation providing data privacy and security provisions for safeguarding electronic protected health information (ePHI). On our Custom plan, Uploadcare can be configured to support a HIPAA-compliant workflow.
Let's cover what you can manage with Uploadcare in terms of HIPAA:
- Data encryption: all data is encrypted in transit.
- Access controls: you can provide minimum necessary access by using signed URLs.
- Request monitoring and auditing: we log all network requests (POST, GET, PUT, DELETE) along with system logs.
- Backup: all customer data is backed up, and you can configure custom backup storage.
- Risk mitigation: when updating our infrastructure, we perform checks to ensure ePHI is not exposed to risk.
Please note the following:
- You must be using the Uploadcare Custom plan.
- You must execute a Business Associate Agreement to ensure the proper handling of ePHIs.
- You must authorize delivery of uploaded files with signed URLs for your HIPAA-compliant Uploadcare accounts.
- You must use two-factor authentication for anybody who has access to your Uploadcare account.
- You can't use Video Processing or Document Conversion features with a HIPAA-compliant Uploadcare project, since they are not covered by our BAA.
- You must configure a backup.
Now, let’s go on to the implementation steps.
You will need an Uploadcare account; navigate here to sign up. Use SSO or MFA when setting up your account.
To get started with Uploadcare, look through our docs.
Note that Uploadcare projects are separate environments that hold files and settings. You can configure Uploadcare to power the areas of your web app that require extra security.
Signed URLs are the go-to feature when handling ePHI.
By default, every uploaded file is available on our CDN. Signed URLs, once enabled, will require a token together with a URL to gain access to a file in your Uploadcare projects. Signatures must be generated on your backend.
Setting up signed URLs also requires a custom CNAME.
Signed uploads are optional. To completely control who can upload data to your Uploadcare projects, and when, navigate to your project settings and enable Signed uploads. Once enabled, each upload request must be signed to be accepted by our system.
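The signed-uploads flow above, as an added example that is not Uploadcare's own code: the backend issues a short-lived expiry timestamp plus an HMAC-SHA256 signature over it, and the receiving side checks both before accepting the upload. The secret key and timestamps are constructed for the demo, and the exact signature format (hex HMAC-SHA256 over the decimal expiry, keyed with the project secret) is an assumption to check against the current docs.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder; a real secret key stays on the backend only.
SECRET_KEY = "constructed-demo-secret-key-not-real"


def make_upload_signature(secret_key: str, expire: int) -> str:
    """Hex HMAC-SHA256 over the decimal expiry timestamp (assumed format)."""
    return hmac.new(secret_key.encode(), str(expire).encode(), hashlib.sha256).hexdigest()


def issue_upload_credentials(secret_key: str, ttl_seconds: int = 300,
                             now: Optional[int] = None) -> dict:
    """Backend endpoint logic: called for an authenticated user who is allowed
    to upload. A short TTL bounds how long a leaked signature stays useful."""
    now = int(time.time()) if now is None else now
    expire = now + ttl_seconds
    return {"expire": expire, "signature": make_upload_signature(secret_key, expire)}


def verify_upload_signature(secret_key: str, expire: int, signature: str,
                            now: Optional[int] = None) -> bool:
    """The check the receiving side performs: reject expired credentials first,
    then compare the HMAC in constant time to avoid timing leaks."""
    now = int(time.time()) if now is None else now
    if expire <= now:
        return False
    expected = make_upload_signature(secret_key, expire)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    creds = issue_upload_credentials(SECRET_KEY, ttl_seconds=300)
    print(creds)
    print(verify_upload_signature(SECRET_KEY, creds["expire"], creds["signature"]))
```

The client never sees the secret: it only receives `expire` and `signature` and forwards them with the upload.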
You can have all your stored files copied to a custom S3 bucket automatically. Connect the backup storage once, and the system will run backups on a regular basis.
Your HIPAA compliance will take effect only upon signing a Business Associate Agreement with Uploadcare. Contact our sales team to request one.