CrashPlan for Enterprise and CrashPlan for Small Business can support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), provided that you follow the policies and procedures HIPAA requires. This article outlines your options for using CrashPlan products to support HIPAA compliance. For more information about CrashPlan's multi-layered approach to securing your data, see the Compliance section of www.crashplan.com.
Options for supporting HIPAA
You must sign a Business Associate Agreement (BAA) with CrashPlan before your CrashPlan environment can be considered to support HIPAA compliance. You can request a BAA at any time, whether you are an existing customer who needs to meet HIPAA compliance requirements or a new customer who wants a BAA in place before you begin using CrashPlan's products.
Your company is responsible for developing and enforcing your own policies for using CrashPlan products in a HIPAA-supporting manner.
Basic HIPAA compliance
Use the standard CrashPlan configuration
The only CrashPlan-side requirement for supporting HIPAA compliance is that encryption of backup data is enabled. Encryption is enabled by default for new customers.
Enabling encryption (if it was previously disabled)
Existing CrashPlan customers may have disabled encryption in the past, when the CrashPlan console still offered that option. If you previously disabled encryption, use the CrashPlan API to set encryptionEnabled to "true"; encryption must be enabled to support HIPAA compliance. For help, contact CrashPlan about engaging CrashPlan's Professional Services team.
More stringent HIPAA compliance (CrashPlan for Enterprise only)
- Option 1: Activate Compliance Settings in your CrashPlan console (CrashPlan for Enterprise only)
- Automatically configures a number of settings at once to restrict access to backed-up files.
- Not compatible with Legal Hold features.
Compliance Settings and HIPAA
Note that Compliance Settings goes beyond what CrashPlan requires to support compliance with HIPAA. Use these options if your CrashPlan environment requires more control over backup data.
- Option 2: Configure your settings manually to enhance access restrictions
- Compatible with Legal Hold features, depending on the settings you select in your manual configuration.
- Contact sales about engaging CrashPlan's Professional Services team for help with manual configurations to support HIPAA.
- Recommendations for supporting HIPAA with a manual configuration:
- Store your encryption keys in an on-premises server or in an external keystore.
- Assign user roles so that only authorized users can restore backed-up data.
- Monitor logs for changes to user roles, user creation, and user deactivation.
- Restrict visibility of backup data to only users and administrators authorized to view ePHI.
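The recommendation to monitor logs for role changes, user creation, and user deactivation can be turned into a simple automated check. The following is an added example, not CrashPlan's own code, and the audit events it reads are constructed for illustration in a hypothetical JSON-lines format; the field names (timestamp, actor, action, target, details), the action names, and the privileged role names are assumptions, so map them to the real fields of whatever audit source you export (for example, via the CrashPlan API) before using this in practice.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit events in a hypothetical JSON-lines format.
# Field names, action names, and role names are assumptions for this
# example and are NOT CrashPlan's actual audit log schema.
SAMPLE_AUDIT_LOG = """
{"timestamp": "2024-03-01T09:12:03Z", "actor": "admin@example.com", "action": "user.create", "target": "jdoe@example.com", "details": {}}
{"timestamp": "2024-03-01T09:15:44Z", "actor": "admin@example.com", "action": "user.role.add", "target": "jdoe@example.com", "details": {"role": "Desktop User"}}
{"timestamp": "2024-03-01T11:02:10Z", "actor": "jdoe@example.com", "action": "login", "target": "jdoe@example.com", "details": {}}
{"timestamp": "2024-03-02T17:48:31Z", "actor": "helpdesk@example.com", "action": "user.role.add", "target": "jdoe@example.com", "details": {"role": "SYSADMIN"}}
{"timestamp": "2024-03-02T17:50:02Z", "actor": "helpdesk@example.com", "action": "user.deactivate", "target": "old.account@example.com", "details": {}}
{"timestamp": "2024-03-02T17:51:00Z", "actor": "helpdesk@example.com", "action": "restore", "target": "ceo@example.com", "details": {"files": 12}}
"""

# Actions that change who exists and what they may do (assumed names).
WATCHED_ACTIONS = {"user.create", "user.role.add", "user.role.remove", "user.deactivate"}
# Roles whose assignment should always be reviewed (assumed names).
PRIVILEGED_ROLES = {"SYSADMIN", "Org Admin"}


def parse_audit_log(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["timestamp"] = datetime.strptime(
            event["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["timestamp"])


def find_user_admin_changes(events):
    """Return the user-lifecycle and role-change events, each tagged with a severity.

    Severity rules (a starting point, not a standard):
      high   - a privileged role was granted, or an actor changed their own roles
      medium - an account was deactivated (can hide a compromise or break retention)
      info   - any other watched change, kept so reviewers see the full picture
    """
    findings = []
    for event in events:
        action = event["action"]
        if action not in WATCHED_ACTIONS:
            continue
        role = event.get("details", {}).get("role")
        severity = "info"
        if action in ("user.role.add", "user.role.remove") and event["actor"] == event["target"]:
            severity = "high"  # self-service role changes are never expected
        elif action == "user.role.add" and role in PRIVILEGED_ROLES:
            severity = "high"
        elif action == "user.deactivate":
            severity = "medium"
        findings.append({
            "timestamp": event["timestamp"].isoformat(),
            "actor": event["actor"],
            "action": action,
            "target": event["target"],
            "role": role,
            "severity": severity,
        })
    return findings


def changes_by_actor(findings):
    """Count watched changes per actor; a sudden spike from one account is worth a look."""
    counts = {}
    for finding in findings:
        counts[finding["actor"]] = counts.get(finding["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_user_admin_changes(parse_audit_log(SAMPLE_AUDIT_LOG))
    for finding in results:
        print(f"[{finding['severity']:6}] {finding['timestamp']} {finding['actor']} "
              f"{finding['action']} -> {finding['target']} {finding['role'] or ''}")
    print(changes_by_actor(results))
```

Run this on a periodic export of your audit events and route anything tagged high to a human reviewer; the point of the check is that role grants and deactivations are rare, deliberate events, so every one of them should be attributable to a ticket or a named administrator.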
The following resources can help you with HIPAA compliance.
CrashPlan for Enterprise customers
Contact sales to engage CrashPlan's Professional Services team if you have questions on how to:
- Obtain a BAA with CrashPlan
- Manually configure your CrashPlan for Enterprise deployment to support HIPAA
- Audit user or file activity with the CrashPlan API
CrashPlan for Small Business customers
If you would like to obtain a BAA, contact our technical support team.
Interested in CrashPlan's products?
If you are new to CrashPlan, contact sales to get started.