HIPAA compliance features

Important

If you are an existing HIPAA customer and your account is not on the E2 version of the Databricks platform, and you need to create and verify a cluster for legacy HIPAA support, see Create and verify a cluster for legacy HIPAA support.

HIPAA compliance features require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and adds other controls. For technical details, see Enable the compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled.

To use the compliance security profile, your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.

This feature requires your account to be on the Enterprise tier.

The data plane enhancements that are discussed in this document apply only to the Classic data plane in your AWS account. The additional security controls and monitoring do not apply to Serverless Compute, which runs compute resources in the shared Serverless data plane in the Databricks account. For example, these new controls apply to pro and classic SQL warehouses, but do not apply to serverless SQL warehouses.

HIPAA Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the regulations issued under HIPAA are a set of US healthcare laws. Among other provisions, these laws establish requirements for the use, disclosure, and safeguarding of protected health information (PHI).

HIPAA applies to covered entities and business associates that create, receive, maintain, transmit, or access PHI. When a covered entity or business associate engages the services of a cloud service provider (CSP), such as Databricks, the CSP becomes a business associate under HIPAA.

HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates will protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.

Does Databricks permit the processing of PHI data on Databricks?

Databricks permits the processing of PHI data under the condition of a signed agreement. Contact your Databricks representative for more information.

Configure your account and workspace for HIPAA on E2

If you are an existing HIPAA customer and your account is not on the E2 version of the Databricks platform:

  • You must contact your Databricks representative to upgrade your account to the E2 version of the platform.

  • Note that the E2 platform is a multi-tenant platform and your choice to deploy HIPAA on E2 will be treated as a waiver of any provision in your contract that would be in conflict with our ability to provide you HIPAA on E2.

When ordering, you have the option to enable HIPAA compliance features across all workspaces on an account, or only on individual workspaces.

To configure your account or workspace to support processing of data regulated by the HIPAA standard, the workspace must have the compliance security profile enabled. One of the steps to enable it is contacting your Databricks representative. You will receive additional information and agreements to sign. Note that enabling HIPAA compliance features for an account is permanent and cannot be removed later.

After your Databricks account is enabled for HIPAA on E2, workspaces in the account have HIPAA compliance features for all E2 regions. To deploy a workspace without HIPAA compliance features, you must create a separate Databricks account.

Important

  • You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in Databricks online documentation does not constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.

  • Databricks does not support the use of preview features for the processing of PHI on the HIPAA on E2 platform, with the exception of the features listed in Preview features that are supported for processing of PHI data.

Shared responsibility of HIPAA compliance

Complying with HIPAA involves three parties, each with different responsibilities. While each party has numerous responsibilities, the lists below enumerate the key responsibilities of AWS and Databricks, along with your own.

This article uses the Databricks terms control plane and data plane, which are the two main parts of how Databricks works:

  • The Databricks control plane includes the backend services that Databricks manages in its own AWS account.

  • The data plane is where your data lake is processed. The Classic data plane includes an AWS VPC in your AWS account, and clusters of compute resources to process your notebooks, jobs, and pro or classic SQL warehouses.

    Important

    For workspaces with HIPAA compliance features enabled, data plane refers to the Classic data plane in your own AWS account. As of this release, Serverless compute features are disabled on a workspace with HIPAA compliance features enabled.

Key responsibilities of AWS include:

  • Perform its obligations as a business associate under your BAA with AWS.

  • Provide you the EC2 machines under your contract with AWS that support HIPAA compliance.

  • Provide hardware-accelerated encryption at rest and in-transit encryption within the AWS Nitro Instances that is adequate under HIPAA.

  • Delete encryption keys and data when Databricks releases the EC2 instances.

Key responsibilities of Databricks include:

  • Encrypt in-transit PHI data that is transmitted to or from the control plane.

  • Encrypt PHI data at rest in the control plane.

  • Limit the set of instance types to the AWS Nitro instance types that enforce in-transit encryption and encryption at rest. For the list of supported instance types, see AWS Nitro System and HIPAA compliance features. Databricks limits the instance types both in the account console and through the API.

  • Deprovision EC2 instances when you indicate in Databricks that they are to be deprovisioned, for example through auto-termination or manual termination, so that AWS can wipe them.

Your key responsibilities include:

  • Configure your workspace to use either customer-managed keys for managed services or the Store interactive notebook results in customer account feature.

  • Do not use preview features within Databricks to process PHI. However, it is supported to use the preview features listed in Preview features that are supported for processing of PHI data.

  • Follow security best practices, such as disabling unnecessary egress from the data plane and using the Databricks secrets feature (or other similar functionality) to store access keys that provide access to PHI.

  • Enter into a business associate agreement with AWS to cover all data processed within the VPC where the EC2 instances are deployed.

  • Do not do anything within a virtual machine that would violate HIPAA, for example directing Databricks to send unencrypted PHI to an endpoint.

  • Ensure that all data that may contain PHI is encrypted at rest when you store it in locations that the Databricks platform may interact with. This includes setting the encryption settings on each workspace’s root S3 bucket that you create as part of workspace creation. You are responsible for ensuring the encryption (as well as performing backups) for your root S3 bucket and all other data sources.

  • Ensure that all data that may contain PHI is encrypted in transit between Databricks and any of your data storage locations or external locations you access from a data plane machine. For example, any APIs that you use in a notebook that might connect to an external data source must use appropriate encryption on any outgoing connections.
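As an added example that is not part of the Databricks documentation, the following Python audits a workspace root S3 bucket against the two encryption responsibilities above: a default encryption-at-rest rule, and a bucket policy that refuses plaintext (non-TLS) access and unencrypted uploads. The inputs are constructed to mirror the response shapes of boto3's `get_bucket_encryption` and `get_bucket_policy` so the check runs offline; the bucket name, KMS key ARN and policy statements are placeholders, and connecting the checks to a live account through boto3 is left to the reader.

```python
"""Audit an S3 bucket's encryption posture: default SSE plus a policy that
denies plaintext transport and unencrypted PutObject requests."""
import json

# Constructed sample in the shape of s3.get_bucket_encryption(Bucket=...).
# The key ARN is a placeholder, not a real key.
SAMPLE_ENCRYPTION_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}

# Constructed sample of the "Policy" string from s3.get_bucket_policy(Bucket=...).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Refuse every request that is not sent over TLS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-root-bucket", "arn:aws:s3:::example-root-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Refuse uploads that do not ask for SSE-KMS.
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-root-bucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
})

# Constructed weak counterpart: no default encryption and an empty policy.
# (A live boto3 call raises ServerSideEncryptionConfigurationNotFoundError /
# NoSuchBucketPolicy instead; treat those errors as the same findings.)
WEAK_ENCRYPTION_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": []}}
WEAK_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_default_encryption(config: dict) -> list:
    """Findings for a get_bucket_encryption response; an empty list means OK."""
    findings = []
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule: objects uploaded without SSE headers are stored in plaintext"]
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ACCEPTED_SSE:
            findings.append(f"unrecognised default SSE algorithm {algo!r}")
    return findings


def check_bucket_policy(policy_json: str) -> list:
    """Findings for a bucket policy document; an empty list means OK."""
    denies_plaintext_transport = False
    denies_unencrypted_put = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        covers_all = "s3:*" in actions or "*" in actions
        # Lower-case condition keys: IAM treats them case-insensitively.
        cond = {op: {k.lower(): v for k, v in block.items()}
                for op, block in stmt.get("Condition", {}).items()}
        tls = cond.get("Bool", {}).get("aws:securetransport")
        if covers_all and str(tls).lower() == "false":
            denies_plaintext_transport = True
        sse_missing = cond.get("Null", {}).get("s3:x-amz-server-side-encryption")
        sse_wrong = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if (covers_all or "s3:putobject" in actions) and (
                str(sse_missing).lower() == "true" or sse_wrong is not None):
            denies_unencrypted_put = True
    findings = []
    if not denies_plaintext_transport:
        findings.append("no Deny for aws:SecureTransport=false: plaintext HTTP access is allowed")
    if not denies_unencrypted_put:
        findings.append("no Deny for PutObject requests that omit server-side encryption")
    return findings


def audit_bucket(encryption_config: dict, policy_json: str) -> list:
    """Combine both checks; an empty list means the bucket passes."""
    return check_default_encryption(encryption_config) + check_bucket_policy(policy_json)


if __name__ == "__main__":
    for name, cfg, pol in (("hardened", SAMPLE_ENCRYPTION_CONFIG, SAMPLE_BUCKET_POLICY),
                           ("weak", WEAK_ENCRYPTION_CONFIG, WEAK_BUCKET_POLICY)):
        findings = audit_bucket(cfg, pol)
        print(f"{name}: {'OK' if not findings else findings}")
```

The policy check is deliberately conservative: it only credits a Deny statement whose action scope actually covers the request it is meant to block, so a `DenyInsecureTransport` statement scoped to `s3:GetObject` alone would still be reported as a gap. Default encryption handles objects written without SSE headers; the policy statements handle clients that explicitly request no encryption or connect without TLS, which is why both are checked.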

Note the following about customer-managed keys: