Code42 Support

Code42 and HIPAA compliance

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

Code42 for Enterprise can support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), provided that you use it according to proper policies and procedures. This article outlines your options for using Code42 for Enterprise to support HIPAA compliance. To read about Code42 for Enterprise's multi-layered approach to securing your data, see our white papers on Code42 for Enterprise security.

Options for supporting HIPAA

You have three options for supporting HIPAA compliance with your Code42 environment. No matter which option you choose, you must sign a Business Associate Agreement (BAA) with Code42 before your Code42 environment can be seen as supporting HIPAA compliance. Your company is responsible for developing and enforcing your own policies for using Code42 for Enterprise in a HIPAA-supporting manner. Here are the three options: 

  • Use the standard Code42 for Enterprise configuration.
  • Activate Compliance Settings in your administration console.
    • Automatically configures a number of settings at once to restrict access to backed-up files.
    • Requires Code42 server version 5.4 or later.
    • Not compatible with the Legal Hold, File Search, and Security Center web apps.
  • Configure your settings manually to enhance access restrictions.
    • Available for all Code42 server versions.
    • Compatible with the Legal Hold, File Search, and Security Center web apps, depending on the settings you select in your manual configuration.
    • If you choose to manually configure your Code42 environment, see Configure Code42 for use with HIPAA (Code42 server version 6.x) or Configure CrashPlan for use with HIPAA (Code42 server version 5.x).
    • Recommendations for supporting HIPAA with a manual configuration:
      • Store your encryption keys in an on-premises authority server or in an external keystore.
      • Assign user roles to prevent unauthorized restoration of data.
      • Monitor logs for changes to user roles, user creation, and user deactivation.
      • Restrict visibility of backup data to only users and administrators authorized to view ePHI.

Additional help

If you are new to Code42 for Enterprise, contact our sales team to get started.

If you already have a Code42 for Enterprise deployment, contact sales to engage your Code42 PRO Services representative if you have questions on how to:

External resources

For a detailed explanation of HIPAA requirements, please reference the following resources from the U.S. Department of Health & Human Services:
