HIPAA - Health Insurance Portability and Accountability Act

Summary

 

As organizations transition to the cloud, security and privacy are important considerations for customers. The healthcare industry is particularly concerned with safeguarding protected health information (“PHI”), because many healthcare organizations are regulated by the US Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA establishes the security and privacy requirements for storing, transmitting, using, and disclosing PHI. As a result, cloud providers that want to provide services to HIPAA-regulated customers must comply with various HIPAA-related obligations.

Red Hat is pleased to announce that it is prepared to act as a business associate for these specific Red Hat Online Service offerings. This enables these HIPAA-qualified services to be used by HIPAA-covered entities that are required to protect PHI, such as healthcare providers, healthcare insurance companies, and organizations associated with HIPAA-covered entities. Customers who want to build healthcare applications on the Red Hat online services that are HIPAA qualified should contact their account representative to enter into the Red Hat Business Associate Agreement (BAA).

The following Red Hat Online Services are HIPAA Qualified. 

Service | Note
Red Hat OpenShift Dedicated v. 4 | Only Customer Cloud Subscriptions*
Red Hat OpenShift Service on AWS (ROSA) v. 4 |
Red Hat OpenShift Service on AWS (ROSA) with Hosted Control Planes v. 4 |
Red Hat OpenShift Application Programming Interface (API) Manager (RHOAM) v. 1.0 | Only Customer Cloud Subscriptions*
Red Hat OpenShift Data Science (RHODS) v. 1 | Only Customer Cloud Subscriptions*

*These Red Hat HIPAA-Qualified Online Services are limited to “Customer Cloud Subscriptions” which means they are Red Hat Online Services where the customer separately purchases or procures the underlying hosting infrastructure services from a cloud provider.

Built-in compliance capabilities

Red Hat products have built-in capabilities that help you to align with the HIPAA policy. By using integrations with the system management solutions available in our portfolio, you can align the configuration of the machine with the requirements. However, the result is not full compliance: you always need to review the results and take the context of your specific deployment into account.

Red Hat Enterprise Linux

You can install the system already pre-configured to HIPAA by using RHEL image builder:

Note that this is also integrated in Red Hat Insights, linked below.

If you prefer a kickstart-based installation, the method is described in the RHEL security guide:

You can build and deploy hardened bootable images pre-configured to HIPAA for RHEL Image mode:

You can check the system configuration during runtime by using the OpenSCAP command-line tool:

Red Hat Satellite

You can plan and configure compliance policies, deploy the policies to hosts, and monitor the compliance of your hosts in Red Hat Satellite. For more information, see the product documentation:

Red Hat Insights for RHEL

You can create and manage your custom security policies entirely within the compliance service UI, as well as monitor the compliance state of your systems, remediate any discrepancies, and use the custom security policies in image builder to deploy additional systems:

Red Hat OpenShift

You can automate the inspection of numerous technical implementations and compare them against certain aspects of industry standards, benchmarks, and baselines.

Products in Scope

  • Red Hat OpenShift Dedicated
  • Red Hat OpenShift Service on AWS
  • Red Hat OpenShift API Management
  • Red Hat OpenShift Data Foundation
  • Red Hat OpenShift AI
  • Red Hat Enterprise Linux
    • 8.3
    • 8.4
    • 8.5
    • 8.6
    • 8.7
    • 8.8
    • 8.9
    • 8.10
  • Red Hat Enterprise Linux
    • 9.0
    • 9.1
    • 9.2
    • 9.3
    • 9.4
  • Red Hat Ansible Automation Platform Service on AWS

Additional Resources

For information about Microsoft Azure Red Hat OpenShift (ARO), please see the Azure compliance documentation.

Meta Data

Regions

NA

Industries

Healthcare