Establish HIPAA compliant ePHI data flows
HIPAA is US legislation providing data privacy and security provisions for safeguarding electronic protected health information (ePHI). On our Custom plan, Uploadcare can be configured to support a HIPAA-compliant workflow.
Let's cover what you can manage with Uploadcare in terms of HIPAA:
- Data encryption: all data is encrypted in transit.
- Access controls: you can provide minimum necessary access by using signed URLs.
- Request monitoring and auditing: we log all network requests (POST, GET, PUT, DELETE) along with system logs.
- Backup: all customer data is backed up; you can configure custom backup storage.
- Risk mitigation: when updating our infrastructure, we perform checks to ensure ePHI is not exposed to risk.
Please note the following:
- You must be using the Uploadcare Custom plan.
- You must execute a Business Associate Agreement to ensure the proper handling of ePHI.
- You must authorize delivery of uploaded files with signed URLs for your HIPAA compliant Uploadcare accounts.
- You must use two-factor authentication for anybody who has access to your Uploadcare account.
- You can't use Video Processing or Document Conversion features with a HIPAA compliant Uploadcare project, since they are not covered by our BAA.
- You must configure a backup.
Now, let’s go on to the implementation steps.
Get an Uploadcare account
You will need an Uploadcare account; navigate here to sign up. Use SSO or MFA when setting up your account.
You can start with the free plan to explore the platform and set up your data flows without uploading ePHI. To set up secure delivery, you're required to be on one of the paid plans.
To get started with Uploadcare, look through our docs.
Note that Uploadcare projects are separate environments, each holding its own files and settings. You can dedicate a separately configured project to the areas of your web app that require extra security.
Protect ePHI from unauthorized access
Signed URLs are the go-to feature when handling ePHI.
By default, every uploaded file is available on our CDN. Once signed URLs are enabled, a valid token must accompany the URL to access any file in your Uploadcare project. Signatures must be generated on your backend.
Setting up signed URLs also requires a custom CNAME.
Control who uploads files, and when
This is optional.
To fully control who can upload data to your Uploadcare projects and when, navigate to your project settings and enable signed uploads. Once enabled, each upload request will have to be signed to be accepted by our system.
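The two preceding sections (signed URLs for delivery and signed uploads) both come down to the same backend responsibility: mint a short-lived HMAC token from a secret that never leaves your servers, and reject anything expired or tampered with. The following is an added example, not Uploadcare's own code or a copy of its documented token formats. It assumes a scheme in which the upload signature is the hex HMAC-SHA256 of the expiry timestamp under your project's secret key, and it uses a deliberately generic `?expire=...&token=...` query format for the delivery URL, because the exact token format for signed CDN URLs depends on the CDN configuration the page does not specify. `SECRET_KEY` and the file path are constructed placeholders.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed placeholder. In production, load the project secret from a
# secrets manager; it must stay on the backend, never in client-side code.
SECRET_KEY = b"replace-with-your-project-secret-key"


def _hmac_hex(key: bytes, message: str) -> str:
    """Hex HMAC-SHA256 of `message` under `key` (the only primitive used here)."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


# --- Signed uploads (assumed scheme: HMAC over the expiry timestamp) ---------

def sign_upload(key: bytes, expire: int) -> dict:
    """Fields a backend hands to a client for one upload: expiry + signature."""
    return {"expire": expire, "signature": _hmac_hex(key, str(expire))}


def issue_upload_signature(key: bytes, ttl_seconds: int = 300, now=None) -> dict:
    """Mint a signature valid for `ttl_seconds`; keep the window short."""
    now = int(time.time()) if now is None else now
    return sign_upload(key, now + ttl_seconds)


def verify_upload_signature(key: bytes, expire: int, signature: str, now=None) -> bool:
    """Server-side check: expiry first, then constant-time HMAC comparison."""
    now = int(time.time()) if now is None else now
    if expire <= now:
        return False  # expired tokens fail even when the HMAC would match
    return hmac.compare_digest(_hmac_hex(key, str(expire)), signature)


# --- Signed delivery URLs (illustrative generic format, not a CDN's own) -----

def sign_cdn_url(key: bytes, url: str, expire: int) -> str:
    """Bind the token to the file path and expiry so it cannot be reused elsewhere."""
    parts = urlparse(url)
    token = _hmac_hex(key, f"{parts.path}:{expire}")
    return urlunparse(parts._replace(query=urlencode({"expire": expire, "token": token})))


def verify_cdn_url(key: bytes, url: str, now=None) -> bool:
    """Mirror of the edge check: missing, expired, or mismatched tokens all fail closed."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        expire = int(query["expire"][0])
        token = query["token"][0]
    except (KeyError, ValueError):
        return False
    if expire <= now:
        return False
    return hmac.compare_digest(_hmac_hex(key, f"{parts.path}:{expire}"), token)


if __name__ == "__main__":
    grant = issue_upload_signature(SECRET_KEY, ttl_seconds=300)
    print("upload grant:", grant)
    # Constructed file path; a real one would be the file's UUID path on your CNAME.
    signed = sign_cdn_url(SECRET_KEY, "https://cdn.example.com/file-uuid/", int(time.time()) + 60)
    print("signed URL:", signed, "valid:", verify_cdn_url(SECRET_KEY, signed))
```

Two design points matter for ePHI: the token is bound to the path, so a URL signed for one file grants nothing for another, and both verifiers check expiry before the HMAC and compare digests in constant time, so neither a stale grant nor a timing side channel lets a request through.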
Back up your project
You can have all your stored files copied to a custom S3 bucket automatically. Connect the backup storage once, and the system will back up your files on a regular schedule.
Sign the BAA
Your HIPAA compliance will take effect only upon signing a Business Associate Agreement with Uploadcare. You can request one here.