Under the HIPAA regulations, cloud service providers (CSPs) such as DigitalOcean are considered business associates. The Business Associate Agreement (BAA) is a contract that is required under HIPAA that outlines the obligations the Business Associate and Covered Entity assume to safeguard protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by DigitalOcean, based on the relationship between DigitalOcean and our customers, and the activities or services being performed by DigitalOcean.

Yes. DigitalOcean has a standard Business Associate Agreement (BAA) we present to customers. The document takes into account DigitalOcean’s covered services and is in alignment with DigitalOcean’s Shared Responsibility Model.

The Business Associate Agreement is generally non-negotiable.

There is no such thing as a HIPAA certification for CSPs like DigitalOcean. Select DigitalOcean Covered Products have been built with HIPAA in mind.

You should only process, store, and transmit ePHI on the DigitalOcean Covered Products. For the latest list of Covered Products, please visit our HIPAA Information Site.

Under the Shared Responsibility Model, DigitalOcean remains responsible for the Security OF the Cloud. Our customers, including those processing HIPAA workloads on DigitalOcean Covered Products, remain responsible for the privacy and security of their workloads and data IN their Cloud instance.

DigitalOcean remains committed to providing the fast response times to all customers, particularly those running the most sensitive workloads. With Standard or Premium Support, technical staff with the appropriate experience are able to provide quick, consistent troubleshooting assistance to customers hosting HIPAA workloads on Covered Products.

Customers are encouraged to consult with legal counsel to determine if a BAA is appropriate for their individual circumstances and processing needs.