Citrix and HIPAA Compliance

Citrix supports your HIPAA compliance

Citrix offers HIPAA-compliant configurations for certain products and services and Business Associate Agreements for those customers who need to store or process protected health information in the cloud. Our products and services help protect your data with strong security controls. Citrix undergoes an annual independent assessment evaluating our services and controls under the HIPAA Security, Privacy, and Breach Notification rules.

Citrix helps support the customer’s HIPAA compliance, but using Citrix services does not achieve HIPAA compliance on its own. Customers are responsible for ensuring they have an adequate compliance program and internal processes and controls in place to achieve and maintain HIPAA compliance.

Citrix certifications and documentation

To get started, please review all the documentation below. The customer must follow the configuration instructions in Citrix’s documentation to ensure Protected Health Information (PHI) is properly secured. Citrix cloud services are not HIPAA compliant in all configurations, and the customer is solely responsible for configuring the product and their overall environment and processes to ensure HIPAA compliance.

  • See what services are available in HIPAA-compliant configurations.
  • See our documentation on how to configure our services for HIPAA compliance.
  • View our certifications from Avertium.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. law with the objective of providing privacy standards designed to protect patients’ medical records and specified health information provided to health plans, doctors, hospitals, and other healthcare providers. Businesses subject to HIPAA regulations are known as covered entities.

At a high level, HIPAA breaks into the following categories:

  • HIPAA Privacy Rule, which creates a minimum standard for the protection of health information and privacy rights for all in the U.S.
  • HIPAA Security Rule, which establishes physical, technical, and administrative safeguards for electronic PHI and links closely to the Privacy Rule.
  • Transaction and code sets standards, which are designed to achieve administrative simplification on a national scale.

These categories break into the following subcategories:

  • Technical safeguards, which include access control, audit controls, integrity controls, and transmission security.
  • Physical safeguards, which include facility access and control, as well as physical workstation and device security.
  • Administrative safeguards, which include security management processes, security personnel, information access management, training, and assessment.
  • Organizational policies/procedures and documentation requirements, which include covered entity responsibilities, business associate contracts, and policy/procedure and documentation requirements and updates.

Business Associate Agreements (BAAs)

Under HIPAA regulations, any organization that is hired by a covered entity to handle, use, distribute, or access PHI is considered a business associate. Covered entities must enter into a Business Associate Agreement with each business associate to ensure PHI is protected. A BAA limits how the business associate can handle PHI, ensures the business associate will comply with the various HIPAA requirements, and sets forth breach reporting and response obligations.

When you use one of Citrix’s services to handle or store PHI, Citrix is acting as a business associate. You must accept the Citrix BAA within the service before you may use PHI with the service. See the HIPAA documentation for details on how to find and accept the BAA.