Altaro VM Backup, Altaro VM Backup for MSPs and Altaro Physical Server Backup are exempt from any HIPAA BAA obligations. 

 

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, requires HIPAA-covered entitles to hold BAAs, or business associate agreements, to cover the security of their data assets. However, no BAA is required for transmission-only services for electronic protected health information (ePHI).

 

Altaro VM Backup and Altaro Physical Server Backup is a transmission-only service, as it only acts as a “conduit” to ePHI sensitive data. Any ePHI data is stored on customer-defined storage and is never stored on Altaro VM Backup.

 

If a customer opts to use Altaro Offsite Server Backup, the backup data is transmitted over a secure channel to Altaro Offsite Server Backup and ePHI data is then stored on customer-defined storage. If customers opt to hold their offsite backup copies to Azure Blob storage, Amazon S3 Bucket or Wasabi, these vendors protect the customer ePHI data. More information on these vendor’s protection can be found at the links below.

 

If Altaro VM Backup or Altaro Physical Server Backup is connected to the Altaro Cloud Management Console, no ePHI backup data is received or stored on Altaro Cloud Management Console.

 

As a result, Altaro VM Backup, Altaro VM Backup for MSPs and Altaro Physical Server Backup are exempt from any BAA obligations. Altaro strongly suggest that customers enable encryption on their backup data to protect sensitive data. More details on how encryption can be enabled can be found here for Altaro VM Backup and Altaro Physical Server Backup.

 

Additional details on HIPAA Compliance and conduit exception to transmission-only services for ePHI data can be found here.

 

Azure Blob Storage HIPAA Compliance – more details on Microsoft Azure compliance can be found here while Microsoft HIPAA BAA for Azure services can be found here.

 

Amazon S3 Bucket HIPAA Compliance – more details can be found here.

 

Wasabi Hot Cloud Storage HIPAA compliance – more details can be found here.