IBM Cloud Docs
Provisioning a HIPAA compliance instance

Provisioning a HIPAA compliance instance

Across every industry, organizations require tighter controls and visibility into where their data is stored and processed in the IBM Cloud®. To manage logs for HIPAA resources by using the IBM Log Analysis service, consider the following information:

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

HIPAA compliance is a shared responsibility. IBM only provides the security and the tools to ensure its cloud platform can be used without violating HIPAA rules. It is the responsibility of HIPAA-covered entities to ensure that cloud-based infrastructure and applications are not misconfigured, and that stored files are appropriately secured.

Step 1. Enable the HIPAA supported settings in your account

If you're the account owner, you can enable your IBM Cloud® account to be HIPAA supported. You might choose to enable the HIPAA Supported setting if you plan to include Protected Health Information (PHI) in HIPAA-enabled services.

The US Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act define standards for handling electronic healthcare transactions and information. If you or your company is a covered entity as defined by HIPAA, you must enable the HIPAA Supported setting if you run sensitive workloads that are regulated under HIPAA and the HITECH Act. Learn more about IBM Cloud compliance in Compliance on the IBM Cloud.

Enabling this setting has the following effects:

  • Enables you to filter on HIPAA Enabled services in the catalog
  • Indicates to IBM that your account stores protected health information (PHI)
  • Digitally accepts the IBM Business Associate Addendum (BAA) for covered entities

Enable this setting only if you or your company is a covered entity as defined by HIPAA. If you or your company is a business associate of a covered entity, contact IBM Cloud Sales to accept the applicable BAA. For more information about HIPAA definitions of covered entities and business associates, see the US Department of Health & Human Services website.

Accounts that enable the HIPAA Supported setting still have access to the full catalog of services.

Step 2. Provision your IBM Log Analysis instances with the HIPAA service plan

The HIPAA plan allows a maximum of 25 team members per instance. If you need to grant permissions to more than 25 users, open a support ticket.

Choose any of the following methods to provision an instance of the IBM Log Analysis service: Provisioning an instance through the Observability dashboard Provisioning an instance through the catalog Provisioning an instance through the CLI

Make sure that your naming convention for IBM Log Analysis instances does not include PII information. Choose the HIPAA service plan for your logging instances.

Step 3. Label your service (optional)

Set the tag HIPAA to the IBM Log Analysis instances that you provision in your account.

Complete the following steps:

  1. Log in to your IBM Cloud account.
  2. Click the Menu icon Menu icon > Resource List to view your list of resources.
  3. In the Services section, identify the instance that you want to tag.
  4. Click the Actions icon Actions icon. Select Add tags or Edit tags.
  5. Enter the tag HIPAA.
  6. Click Save.

Next steps

Restrict access to manage and view the data. Learn more .