

HIPAA

This page describes HIPAA compliance controls in Azure Databricks.

HIPAA overview

HIPAA is a US healthcare law that establishes national standards for protecting the privacy and security of protected health information (PHI).

Key points:

  • Applies to healthcare providers, insurers, and vendors that handle PHI.
  • Includes rules for privacy, security, and breach notification.
  • Requires administrative, technical, and physical safeguards for PHI.
  • Applies to cloud service providers that store or process PHI.

Enable HIPAA compliance controls

Databricks strongly recommends that customers who want to use HIPAA compliance controls enable the compliance security profile, which adds monitoring agents, a hardened compute image, and other features. Only specific preview features are supported for processing regulated data. For details on the compliance security profile and the supported preview features, see Compliance security profile.

To enable HIPAA compliance controls, see Configure enhanced security and compliance settings.

Shared responsibility of HIPAA compliance

Complying with HIPAA involves three parties with different responsibilities. While each party has numerous responsibilities, the lists below enumerate the key responsibilities of Microsoft and Azure Databricks, along with your own.

This section uses the terms control plane and compute plane, which are the two main parts of the Azure Databricks architecture:

  • The Azure Databricks control plane includes the backend services that Azure Databricks manages in its own Azure account.
  • The compute plane is where your data lake is processed. The classic compute plane includes a VNet in your Azure account, and clusters of compute resources to process your notebooks, jobs, and pro or classic SQL warehouses.

For more information, see Azure Databricks architecture overview.

Ensure that sensitive information is never entered in customer-defined input fields, such as workspace names, cluster names, tags, and job names.

Important

  • You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in Azure Databricks online documentation does not constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.
  • Azure Databricks does not support the use of preview features for the processing of PHI on the HIPAA on Azure platform, with the exception of the features listed in Supported preview features.

Key responsibilities of Microsoft include:

  • Perform its obligations as a business associate under your BAA with Microsoft.

  • Provide you with VMs, under your contract with Microsoft, that support HIPAA compliance.

  • Delete encryption keys and data when Azure Databricks releases the VM instances.

Key responsibilities of Azure Databricks include:

  • Encrypt in-transit PHI data sent to or from the control plane.
  • Encrypt PHI data at rest in the control plane.
  • Use only instance types that are supported with the compliance security profile. Azure Databricks enforces this in both the workspace UI and the API.
  • Deprovision VM instances when you indicate in Azure Databricks (for example, through auto-termination or manual termination) so Azure can wipe them.

Your key responsibilities include:

  • Configure your workspace to use either customer-managed keys for managed services or the Store interactive notebook results in customer account feature.
  • Do not use preview features in Azure Databricks to process PHI, except those listed in Supported preview features.
  • Follow security best practices, such as disabling unnecessary egress from the compute plane and using Azure Databricks secrets to store access keys for PHI.
  • Enter into a business associate agreement with Microsoft to cover all data processed within the VNet where VM instances are deployed.
  • Do not perform actions within a virtual machine that would violate HIPAA. For example, do not direct Azure Databricks to send unencrypted PHI to an endpoint.
  • Ensure all data that may contain PHI is encrypted at rest in any storage location the Azure Databricks platform interacts with. This includes setting encryption on workspace storage accounts during workspace creation. You are responsible for encryption and backups of this storage and all other data sources.
  • Ensure all data that may contain PHI is encrypted in transit between Azure Databricks and any connected data storage or external systems. For example, APIs used in notebooks must use encryption for all outbound connections.
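Several of the responsibilities above (no PHI in customer-defined fields such as cluster names and tags, access keys held in secrets rather than literals, and TLS on every outbound connection that may carry PHI) can be checked mechanically before a cluster or job spec is submitted. The linter below is an added example written for this page, not Databricks tooling; the field names cluster_name, custom_tags, spark_conf and spark_env_vars follow the Databricks clusters API, while outbound_endpoints is an assumed field holding the endpoints a notebook will call, and the PHI patterns are deliberately narrow heuristics.

```python
import re
from urllib.parse import urlparse

# Constructed heuristics for values that obviously look like PHI.
# They catch accidental leaks into names and tags, not every case.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-_ ]?\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:= ]*\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
}
# Databricks secret reference syntax usable in Spark conf and env vars.
SECRET_REF = re.compile(r"^\{\{secrets/[^/]+/[^}]+\}\}$")
# Config keys whose value is expected to be a credential.
CREDENTIAL_KEY = re.compile(r"(key|token|secret|password)", re.IGNORECASE)


def find_phi(text):
    """Return the names of PHI patterns that match the given text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def lint_cluster_config(cfg):
    """Return a list of findings for one cluster spec (dict); empty means clean."""
    findings = []
    # 1. Customer-defined input fields must never carry PHI.
    for hit in find_phi(cfg.get("cluster_name", "")):
        findings.append(f"cluster_name: looks like PHI ({hit})")
    for tag, value in cfg.get("custom_tags", {}).items():
        for hit in find_phi(f"{tag}={value}"):
            findings.append(f"custom_tags.{tag}: looks like PHI ({hit})")
    # 2. Access keys must be secret references, not literal values.
    for section in ("spark_conf", "spark_env_vars"):
        for key, value in cfg.get(section, {}).items():
            if CREDENTIAL_KEY.search(key) and not SECRET_REF.match(str(value)):
                findings.append(
                    f"{section}.{key}: literal credential; use {{{{secrets/<scope>/<key>}}}}"
                )
    # 3. Endpoints that may receive PHI must be encrypted in transit (assumed field).
    for url in cfg.get("outbound_endpoints", []):
        if urlparse(url).scheme != "https":
            findings.append(f"outbound endpoint {url}: not https")
    return findings
```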