Code42 and HIPAA compliance

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, yes.

Overview

Code42 for Enterprise and CrashPlan for Small Business can support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as long as you follow proper policies and procedures. This article outlines your options for using Code42 for Enterprise and CrashPlan for Small Business to support HIPAA compliance. To read about Code42 for Enterprise's multi-layered approach to securing your data, see our white papers on Code42 for Enterprise security.

Options for supporting HIPAA

You must sign a Business Associate Agreement (BAA) with Code42 before your Code42 environment can be seen as supporting HIPAA compliance. You can pursue a BAA at any time, whether you are an existing customer seeking support to meet HIPAA compliance needs or a new customer who wants to have a BAA as you begin using Code42 for Enterprise or CrashPlan for Small Business.

Your company is responsible for developing and enforcing your own policies for using Code42 for Enterprise or CrashPlan for Small Business in a HIPAA-supporting manner. There are three options to support HIPAA compliance.

Basic HIPAA compliance

Use the standard Code42 for Enterprise or CrashPlan for Small Business configuration
The only requirement to support HIPAA compliance is to have encryption enabled (enabled by default).

More stringent HIPAA compliance (Code42 for Enterprise only)

Option 1: Activate Compliance Settings in your Code42 console
- Automatically configures a number of settings at once to restrict access to backed-up files.
- Requires Code42 server version 5.4 or later.
- Not compatible with Legal Hold, File Search, or user file activity monitoring features.
Option 2: Configure your settings manually to enhance access restrictions
- Available for all Code42 server versions.
- Compatible with Legal Hold, File Search or Forensic Search, and user file activity monitoring features, depending on the settings you select in your manual configuration.
- If you choose to manually configure your Code42 environment, see Configure Code42 for use with HIPAA (Code42 server version 6.x and later) or Configure Code42 for use with HIPAA (Code42 cloud).
- Recommendations for supporting HIPAA with a manual configuration:
  - Store your encryption keys in an on-premises authority server or in an external keystore.
  - Assign user roles to prevent unauthorized restoration of data.
  - Monitor logs for changes to user roles, user creation, and user deactivation.
  - Restrict visibility of backup data to only users and administrators authorized to view ePHI.

Additional help

The following information provides additional resources to help you with HIPAA compliance.

New to Code42

If you are new to Code42, contact one of our sales teams to get started:

Existing Code42 for Enterprise customers

If you already have a Code42 for Enterprise deployment, contact sales to engage your Code42 PRO Services representative if you have questions on how to:

Obtain a BAA with Code42
Manually configure your Code42 for Enterprise deployment to support HIPAA
Audit user or file activity with the Code42 API

Existing CrashPlan for Small Business customers

If you are already a CrashPlan for Small Business customer and would like to obtain a BAA, contact our Customer Champions.

External resources

For a detailed explanation of HIPAA requirements, please reference the following resources from the U.S. Department of Health & Human Services: