HIPAA compliance features
Preview
The ability for admins to add Enhanced Security and Compliance features is a feature in Public Preview. The compliance security profile and support for compliance standards are generally available (GA).
HIPAA compliance features require enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and other features. For technical details, see Compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled.
To use the compliance security profile, your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.
Important
If you add HIPAA when enabling the compliance security profile, it is your responsibility to have a Business Associate Agreement (BAA) with Databricks before you process PHI data.
This feature requires your workspace to be on the Enterprise pricing tier.
Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, and job names.
Which compute resources get enhanced security
The compliance security profile enhancements for HIPAA apply to compute resources in the classic compute plane and the serverless compute plane in all regions. See Compliance security profile compliance standards with serverless compute availability. For more information on the classic and serverless compute planes, see Databricks architecture overview.
HIPAA overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the regulations issued under HIPAA are a set of US healthcare laws. Among other provisions, these laws establish requirements for the use, disclosure, and safeguarding of protected health information (PHI).
HIPAA applies to covered entities and business associates that create, receive, maintain, transmit, or access PHI. When a covered entity or business associate engages the services of a cloud service provider (CSP), such as Databricks, the CSP becomes a business associate under HIPAA.
HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates will protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.
Does Databricks permit the processing of PHI data on Databricks?
Yes, if you enable the compliance security profile and add the HIPAA compliance standard as part of the compliance security profile configuration. Contact your Databricks account team for more information. It is your responsibility to have a BAA with Databricks before you process PHI data.
Enable HIPAA on a workspace
To configure your workspace to support processing of data regulated by the HIPAA compliance standard, the workspace must have the compliance security profile enabled. You can enable it and add the HIPAA compliance standard across all workspaces or only on some workspaces.
To enable the compliance security profile and add the HIPAA compliance standard for an existing workspace, see Enable enhanced security and compliance features on an existing workspace.
To set an account-level setting to enable the compliance security profile and HIPAA for new workspaces, see Set account-level defaults for all new workspaces.
Important
Adding a compliance standard on a workspace is permanent.
If you add HIPAA when enabling the compliance security profile, it is your responsibility to have a BAA with Databricks before you process PHI data.
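Because the page makes it the admin's responsibility to confirm that every workspace that will hold PHI has the compliance security profile enabled with the HIPAA standard added, an added audit helper follows. It is example code written for this page, not Databricks' own tooling. It works offline over already-fetched per-workspace settings payloads; the field names is_enabled and compliance_standards, and the overall payload shape, are assumed from the public workspace settings for the compliance security profile rather than taken from this page, and the workspace names and values are constructed sample data.

```python
# Added example (not Databricks code): audit which workspaces are cleared
# for PHI, i.e. have the compliance security profile enabled AND the HIPAA
# compliance standard added. Runs offline on pre-fetched settings payloads.

# Constructed sample payloads, one per workspace. The nested key names are
# an assumption about the settings API response shape, not from the page.
SAMPLE_SETTINGS = {
    "ws-clinical-prod": {
        "compliance_security_profile_workspace": {
            "is_enabled": True,
            "compliance_standards": ["HIPAA"],
        }
    },
    "ws-payments": {
        "compliance_security_profile_workspace": {
            "is_enabled": True,
            "compliance_standards": ["PCI_DSS"],  # profile on, wrong standard
        }
    },
    "ws-sandbox": {
        "compliance_security_profile_workspace": {
            "is_enabled": False,
            "compliance_standards": [],
        }
    },
    "ws-legacy": {},  # no profile block at all: must be treated as disabled
}


def evaluate_workspace(setting, required_standard="HIPAA"):
    """Return (ok, reasons) for one workspace's settings payload.

    A workspace is cleared only when the profile is enabled and the
    required standard is present. Missing or malformed blocks are treated
    as "not enabled" so a partial API response never reads as compliant.
    """
    profile = setting.get("compliance_security_profile_workspace") or {}
    reasons = []
    if profile.get("is_enabled") is not True:
        reasons.append("compliance security profile is not enabled")
    standards = profile.get("compliance_standards") or []
    if required_standard not in standards:
        reasons.append(f"{required_standard} compliance standard is not added")
    return (not reasons, reasons)


def audit(settings_by_workspace, required_standard="HIPAA"):
    """Return {workspace: [reasons]} for every workspace NOT cleared for PHI."""
    findings = {}
    for name, setting in settings_by_workspace.items():
        ok, reasons = evaluate_workspace(setting, required_standard)
        if not ok:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    findings = audit(SAMPLE_SETTINGS)
    for name in sorted(SAMPLE_SETTINGS):
        if name in findings:
            print(f"{name}: NOT cleared for PHI - " + "; ".join(findings[name]))
        else:
            print(f"{name}: cleared for PHI")
```

The check deliberately fails closed: a workspace whose settings payload is missing or lacks the profile block is reported as not cleared, which matches the page's point that adding the standard is an explicit, per-workspace (or account-default) action rather than something to assume.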
Important
You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in Databricks online documentation does not constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.
Databricks does not support the use of preview features for the processing of PHI under the HIPAA compliance standard on Databricks on AWS, with the exception of the features listed in Preview features that are supported for processing of PHI data.
Preview features that are supported for processing of PHI data
The following preview features are supported for processing of PHI:
Workspace-level SCIM provisioning
Workspace-level SCIM provisioning is legacy. Databricks recommends using account-level SCIM provisioning, which is generally available.
Delta Live Tables Hive metastore to Unity Catalog clone API
Credential passthrough
Credential passthrough is deprecated starting with Databricks Runtime 15.0 and will be removed in future Databricks Runtime versions. Databricks recommends that you upgrade to Unity Catalog. Unity Catalog simplifies security and governance of your data by providing a central place to administer and audit data access across multiple workspaces in your account. See What is Unity Catalog?.