HIPAA compliance features
Important
If you are an existing HIPAA customer and your account is not on the E2 version of the Databricks platform, and you need to create and verify a cluster for legacy HIPAA support, see Create and verify a cluster for legacy HIPAA support.
HIPAA compliance features require enabling the compliance security profile, which adds monitoring agents, enforces instance types that support inter-node encryption, provides a hardened compute image, and enables other features. For technical details, see Enable the compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled.
To use the compliance security profile, your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.
This feature requires your account to be on the Enterprise pricing tier.
Which compute resources get enhanced security
The compliance security profile enhancements apply to compute resources in the classic data plane, such as clusters and non-serverless SQL warehouses. This applies in all regions.
Serverless SQL warehouse support for the compliance security profile varies by region. See Serverless SQL warehouses support the compliance security profile in some regions.
HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the regulations issued under them are a set of US healthcare laws. Among other provisions, these laws establish requirements for the use, disclosure, and safeguarding of protected health information (PHI).
HIPAA applies to covered entities and business associates that create, receive, maintain, transmit, or access PHI. When a covered entity or business associate engages the services of a cloud service provider (CSP), such as Databricks, the CSP becomes a business associate under HIPAA.
HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates will protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.
Does Databricks permit the processing of PHI data on Databricks?
Databricks permits the processing of PHI data provided that a BAA has been signed with Databricks. Contact your Databricks representative for more information.
Configure your account and workspace for HIPAA on E2
If you are an existing HIPAA customer and your account is not on the E2 version of the Databricks platform:
You must contact your Databricks representative to upgrade your account to the E2 version of the platform.
Note that the E2 platform is a multi-tenant platform and your choice to deploy HIPAA on E2 will be treated as a waiver of any provision in your contract that would be in conflict with our ability to provide you HIPAA on E2.
If you are an existing HIPAA customer and your workspace is not on the E2 version of the Databricks platform, to create a cluster, see the article Create and verify a cluster for legacy HIPAA support.
When ordering, you have the option to enable HIPAA compliance features across all workspaces on an account, or only on individual workspaces.
To configure your account or workspace to support processing of data regulated by HIPAA, the workspace must have the compliance security profile enabled. One of the steps to enable it is contacting your Databricks representative. You will receive additional information and agreements to sign. Note that enabling HIPAA compliance features for an account or workspace is permanent and cannot be removed later.
After your Databricks account is enabled for HIPAA on E2, workspaces in the account have HIPAA compliance features for all E2 regions. To deploy a workspace without HIPAA compliance features, you must create a separate Databricks account.
Important
You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in Databricks online documentation does not constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.
Databricks does not support the use of preview features for the processing of PHI on the HIPAA on E2 platform, with the exception of the features listed in Preview features that are supported for processing of PHI data.