Citrix offers HIPAA-compliant configurations for certain products and services and Business Associate Agreements for those customers who need to store or process protected health information in the cloud. Our products and services help protect your data with strong security controls. Citrix undergoes an annual independent assessment evaluating our services and controls under the HIPAA Security, Privacy, and Breach Notification rules.
Citrix helps support the customer’s HIPAA compliance, but using Citrix services does not achieve HIPAA compliance on its own. Customers are responsible for ensuring they have an adequate compliance program and internal processes and controls in place to achieve and maintain HIPAA compliance.
To get started, please review all the documentation below. The customer must follow the configuration instructions in Citrix’s documentation to ensure Protected Health Information (PHI) is properly secured. Citrix Cloud services are not HIPAA compliant in all configurations, and the customer is solely responsible for configuring the product and their overall environment and processes to ensure HIPAA compliance.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. law with the objective of providing privacy standards designed to protect patients’ medical records and specified health information provided to health plans, doctors, hospitals, and other healthcare providers. Businesses subject to HIPAA regulations are known as covered entities.
At a high level, HIPAA breaks into the following categories:
These categories break into the following subcategories:
Under HIPAA regulations, any organization that is hired by a covered entity to handle, use, distribute, or access PHI is considered a business associate. Covered entities must enter into a Business Associate Agreement (BAA) with each business associate to ensure PHI is protected. A BAA limits how the business associate can handle PHI, ensures the business associate will comply with the various HIPAA requirements, and sets forth breach reporting and response obligations.
When you use one of Citrix’s services to handle or store PHI, Citrix is acting as a business associate. You must accept the Citrix BAA within the service before you may use PHI with the service. See the HIPAA documentation for details on how to find and accept the BAA.