Code42 and HIPAA compliance

Last updated
Save as PDF

Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon

Incydr Basic, Advanced, and Gov F1

CrashPlan Cloud

CrashPlan for Small Business

Retired product plans

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, yes.

Retired product plans, yes.

CrashPlan for Small Business, yes.

Overview

Incydr, Code42 for Enterprise, and CrashPlan for Small Business can support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as long as you follow proper policies and procedures. This article outlines your options for using Code42 products to support HIPAA compliance. For more information about Code42's multi-layered approach to securing your data, visit the Compliance section of www.code42.com.

Options for supporting HIPAA

You must sign a Business Associate Agreement (BAA) with Code42 before your Code42 environment can be seen as supporting HIPAA compliance. You can pursue a BAA at any time, whether you are an existing customer seeking support to meet HIPAA compliance needs or a new customer who wants to have a BAA as you begin using Code42's products.

Your company is responsible for developing and enforcing your own policies for using Code42 products in a HIPAA-supporting manner.

Basic HIPAA compliance

Use the standard Incydr, Code42 for Enterprise, or CrashPlan for Small Business configuration
The only requirement to support HIPAA compliance is to have encryption enabled. Encryption is enabled by default for new customers.

Enabling encryption (if it was previously disabled)
Existing Code42 customers may have previously disabled encryption when that option was available in the Code42 console. If you previously disabled encryption, use the API to set encryptionEnabled to "true" to enable it for HIPAA compliance. For help, contact Code42 about engaging Code42's Professional Services team.

More stringent HIPAA compliance (Incydr and Code42 for Enterprise only)

Option 1: Activate Compliance Settings in your Code42 console (Code42 for Enterprise only)
- Automatically configures a number of settings at once to restrict access to backed-up files.
- Requires Code42 server version 5.4 or later.
- Not compatible with Incydr, Legal Hold, File Search, or user file activity monitoring features.
Compliance Settings and HIPAA
Note that Compliance Settings goes beyond what Code42 requires to support compliance with HIPAA. Use these options if your Code42 environment requires more control over backup data.

Compliance Settings are for backup-only Code42 environments
Incydr's file activity monitoring and insider risk detection capabilities are not supported if you enable Compliance Settings.
Option 2: Configure your settings manually to enhance access restrictions
- Available for all Code42 server versions.
- Compatible with Legal Hold, File Search or Forensic Search, and user file activity monitoring features, depending on the settings you select in your manual configuration.
- If you choose to manually configure your on-premises Code42 environment, see Configure on-premises Code42 environments for use with HIPAA (Code42 server version 6.x and later). For Incydr and Code42 environments in the cloud, contact sales about engaging Code42's Professional Services team for help with manual configurations to support HIPAA.
- Recommendations for supporting HIPAA with a manual configuration:
  - Store your encryption keys in an on-premises server or in an external keystore.
  - Assign user roles to prevent unauthorized restoration of data.
  - Monitor logs for changes to user roles, user creation, and user deactivation.
  - Restrict visibility of backup data to only users and administrators authorized to view ePHI.

Additional help

The following information provides additional resources to help you with HIPAA compliance.

Incydr and Code42 for Enterprise customers

Contact sales to engage Code42's Professional Services team if you have questions on how to:

Obtain a BAA with Code42
Manually configure your Incydr or Code42 for Enterprise deployment to support HIPAA
Audit user or file activity with the Code42 API

CrashPlan for Small Business customers

If you would like to obtain a BAA, contact our Customer Champions.

Interested in Code42's products?

If you are new to Code42, contact Incydr and Code42 for Enterprise sales to get started.

External resources

For a detailed explanation of HIPAA requirements, please reference the following resources from the U.S. Department of Health & Human Services: