VM Backup, VM Backup for MSPs and Physical Server Backup are exempt from any HIPAA BAA obligations. 

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, requires HIPAA-covered entitles to hold BAAs, or business associate agreements, to cover the security of their data assets. However, no BAA is required for transmission-only services for electronic protected health information (ePHI).

VM Backup and Physical Server Backup is a transmission-only service, as it only acts as a “conduit” to ePHI sensitive data. Any ePHI data is stored on customer-defined storage and is never stored on VM Backup.

If a customer opts to use Offsite Backup Server, the backup data is transmitted over a secure channel to Offsite Backup Server and ePHI data is then stored on customer-defined storage. If customers opt to hold their offsite backup copies to Azure Blob storage, Amazon S3 Bucket or Wasabi, these vendors protect the customer ePHI data. More information on these vendor’s protection can be found at the links below.

If VM Backup or Physical Server Backup is connected to the Cloud Management Console, no ePHI backup data is received or stored on Cloud Management Console.

As a result, VM Backup, VM Backup for MSPs and Physical Server Backup are exempt from any BAA obligations. It is strongly suggested that customers enable encryption on their backup data to protect sensitive data. More details on how encryption can be enabled can be found here for VM Backup and Physical Server Backup.

Additional details on HIPAA Compliance and conduit exception to transmission-only services for ePHI data can be found here.

Azure Blob Storage HIPAA Compliance – more details on Microsoft Azure compliance can be found here while Microsoft HIPAA BAA for Azure services can be found here.

Amazon S3 Bucket HIPAA Compliance – more details can be found here.

Wasabi Hot Cloud Storage HIPAA compliance – more details can be found here.