Establish HIPAA compliant ePHI data flows

HIPAA is US legislation providing data privacy and security provisions for safeguarding electronic protected health information (ePHI). On our Custom plan, Uploadcare can be configured to support a HIPAA-compliant workflow.

Let's cover what you can manage with Uploadcare in terms of HIPAA:

  • Data encryption: all data is encrypted in transit.
  • Access controls: you can provide minimum necessary access by using signed URLs.
  • Request monitoring and auditing: we log all network requests (POST, GET, PUT, DELETE) along with system logs.
  • Backup: all customer data is backed up; you can configure custom backup storage.
  • Risk mitigation: when updating our infrastructure, we perform checks to assure ePHIs are not exposed to risks.

Please note the following:

Now, let’s go on to the implementation steps.

Get an Uploadcare account

You will need an Uploadcare account; navigate here to sign up. Use SSO or MFA authentication when setting up your account.

You can start with the free plan to explore the platform and set up your data flows without uploading ePHIs. To set up secure delivery, you're required to be on one of the paid plans.

To get started with Uploadcare, look through our docs.

Note: Uploadcare projects are separate environments that hold files and settings. You can configure Uploadcare to power the areas of your web app that require extra security.

Protect ePHI from unauthorized access

Signed URLs are the go-to feature when handling ePHI.

By default, every uploaded file is available on our CDN. Once signed URLs are enabled, accessing a file in your Uploadcare project requires a token together with the URL. Signatures must be generated on your backend.

Setting up signed URLs also requires a custom CNAME.

Control who uploads files and when

This is optional.

To fully control who can upload data to your Uploadcare projects and when, navigate to your [project settings][projects-settings-security] and enable Signed uploads. Once enabled, each upload request must be signed to be accepted by our system.

Back up your project

You can have all your stored files copied automatically to a custom S3 bucket. Connect the backup storage once, and the system will perform backups on a regular basis.

Sign the BAA

Your HIPAA compliance will take effect only upon signing a Business Associate Agreement with Uploadcare. Contact our sales team to request one.