Overview
CrashPlan can support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as long as you follow proper policies and procedures. This article outlines your options for using CrashPlan products to support HIPAA compliance. For more information about CrashPlan's multi-layered approach to securing your data, see our Security, Privacy, and Compliance resources.
Options for supporting HIPAA
You must sign a Business Associate Agreement (BAA) with CrashPlan before your CrashPlan environment can be considered to support HIPAA compliance. You can pursue a BAA at any time, whether you are an existing customer seeking support to meet HIPAA compliance needs or a new customer who wants a BAA in place as you begin using CrashPlan's products.
Your company is responsible for developing and enforcing your own policies for using CrashPlan products in a HIPAA-supporting manner.
Obtaining a Business Associate Agreement (BAA)
There are three ways customers can sign a BAA with CrashPlan, depending on your account type and how your subscription is purchased:
- Online Purchases: If you manage your subscription directly online, please contact our technical support team to obtain a BAA.
- New Sales Customers: If you are a new customer looking to purchase through our sales team, please submit a request via our contact sales form.
- Existing Sales Customers: If you are an existing customer whose account is managed by our sales team, please reach out directly to your Account Representative to obtain a BAA.
Engaging Professional Services
For non-BAA HIPAA-related configuration or auditing tasks, our Professional Services team is available to help during or after your deployment. Please work with your Account Representative to engage them. Examples of when to engage Professional Services include needing help to:
- Manually configure your CrashPlan deployment to support HIPAA.
- Audit user or file activity with the CrashPlan API.
Basic HIPAA compliance
The only requirement to support HIPAA compliance is to have encryption enabled. All CrashPlan backups are encrypted by default, so no additional configuration is required.
More stringent HIPAA compliance
Option 1: Configure your settings manually to enhance access restrictions
- Compatible with Legal Hold features, depending on the settings you select in your manual configuration.
- Recommendations for supporting HIPAA with a manual configuration:
  - Store your encryption keys in an on-premises server or in an external keystore.
  - Assign user roles to prevent unauthorized restoration of data.
  - Monitor logs for changes to user roles, user creation, and user deactivation.
  - Restrict visibility of backup data to only users and administrators authorized to view ePHI.
Option 2: Activate Compliance Settings in your CrashPlan console
Note: Compliance Settings goes beyond what CrashPlan requires to support compliance with HIPAA.
- Automatically configures a number of settings at once to restrict access to backed-up files.
- Provides peace of mind with a permanent, irreversible configuration, ensuring your organization remains in a compliance-supporting state without the need for continuous monitoring.
- Not compatible with Legal Hold features.