Enterprises must continue to improve their security posture to meet strict compliance requirements and protect their businesses. Oracle Cloud Infrastructure is continuing to invest in services that help our customers more easily meet their security and compliance needs.
We recently announced ISO/IEC 27001:2013 certification, Service Organization Controls (SOC) 1 Type 2, SOC 2 Type 2 and SOC 3 attestations and Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance covering Oracle Cloud Infrastructure services.
Now we are pleased to announce that for the period of November 1, 2017 through March 31, 2018, Oracle has received an attestation performed in accordance with American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 18, AT-C sections 105 and 205, covering controls aligned with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Breach Notification Rule, and the applicable parts of the Privacy Rule.
The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI). The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (for example, health plans, health care clearinghouses, and certain health care providers); however, parts may be applicable to business associates.
Oracle Cloud Infrastructure is categorized as a “no-view cloud service provider” and can support customers who are in scope for HIPAA by entering into a Business Associate Agreement (BAA). The BAA is required for identifying and establishing the respective responsibilities of Oracle Cloud Infrastructure and the customer for appropriately safeguarding PHI in accordance with HIPAA and any amending legislation.
Performed by Ernst & Young LLP, our HIPAA attestation provides reasonable assurance that Oracle Cloud Infrastructure has designed and implemented administrative, physical, and technical safeguards relevant to the HIPAA Security Rule, Breach Notification Rule, and the applicable parts of the Privacy Rule.
Oracle Cloud Infrastructure services covered in our HIPAA attestation include Compute, Networking, Load Balancing, Block Volume, Object Storage, Archive Storage, File Storage, Data Transfer, Database, Exadata, FastConnect, and Governance.
The development, deployment, configuration, and management of underlying services, infrastructure, and systems are the responsibility of Oracle Cloud Infrastructure. Customers are responsible for maintaining and managing their HIPAA compliance with respect to applications and workloads that they use on Oracle Cloud Infrastructure. For details about Oracle Cloud Infrastructure security capabilities, see the Oracle Cloud Infrastructure Security white paper and other security and compliance resources.