Is Databricks HIPAA Compliant? Yes—with a BAA and Proper Configuration

Kevin Henry

HIPAA

March 16, 2026

6 minutes read

HIPAA Compliance Overview

HIPAA governs how protected health information (PHI) is created, received, used, and maintained. It does not “certify” products; instead, it requires covered entities and business associates to implement administrative, physical, and technical safeguards appropriate to their risk.

Databricks can support HIPAA-regulated workloads when you execute a Business Associate Agreement (BAA) and configure your environment to enforce required controls. Compliance is a shared responsibility: Databricks secures the platform, while you configure and operate it in a way that protects PHI.

The practical takeaway: with a signed BAA and the right guardrails—especially the compliance security profile, encryption in transit and at rest, network isolation, access governance, and monitoring—you can use Databricks for PHI responsibly.

Databricks' HIPAA Compliance Features

Databricks includes platform capabilities that help you meet HIPAA’s technical safeguard expectations while you manage risk and operational processes.

  • Encryption in transit and encryption at rest: Data paths use TLS for transport, and persistent and ephemeral storage are encrypted. You can strengthen control by enabling customer-managed keys.
  • Customer-managed keys (CMK): Use your cloud KMS to manage keys for storage and platform-managed metadata so you can rotate, revoke, and audit key usage.
  • Network isolation: Deploy workspaces without public exposure, restrict egress, and use private connectivity to the control plane and data services. IP access lists further reduce attack surface.
  • Access governance: Enforce least privilege with role-based access, service principals for automation, short-lived tokens, and policy-driven compute configurations.
  • Audit logging: Stream detailed administrative and data access events to your cloud storage for monitoring, investigations, and compliance evidence.
  • Secrets management: Store credentials in secret scopes and reference them at run time to prevent PHI or passwords from landing in notebooks or logs.
  • Compute isolation controls: Apply cluster policies to standardize instance types, ephemeral storage, library sources, and outbound connectivity.

Compliance Security Profile Details

The compliance security profile is a hardened workspace posture designed for regulated workloads. When enabled, it applies opinionated guardrails and safer defaults so PHI stays protected even as teams collaborate at scale.

  • Secure-by-default settings: Strong encryption defaults, tighter token lifetimes, and safer logging behaviors reduce the chance of accidental PHI exposure.
  • Restricted features and APIs: High-risk capabilities are limited or disabled to prevent data exfiltration and misuse of credentials.
  • Stronger logging and redaction: Sensitive values are redacted in logs, and additional events are captured to improve traceability.
  • Policy enforcement for compute: Cluster policies can require approved images, restrict libraries and init scripts, and standardize node settings.
  • Network hardening expectations: Workspaces are designed to pair with private networking patterns, minimizing public ingress and uncontrolled egress.

These guardrails do not replace your obligations; they reduce configuration error and help you demonstrate that controls operate consistently over time.

Customer Responsibilities for HIPAA

Your organization remains responsible for how PHI is ingested, transformed, accessed, and retained. Focus on these essentials:

  • Contracts first: Execute a BAA with Databricks and your cloud provider before loading PHI.
  • Scoped environments: Use dedicated HIPAA workspaces, enable the compliance security profile, and segment networks to isolate PHI.
  • Key management: Turn on encryption at rest with customer-managed keys and document key rotation, access, and revocation procedures.
  • Identity and access: Integrate SSO, require MFA at your IdP, apply least-privilege roles, and use service principals for automation.
  • Network controls: Eliminate public access, use private endpoints, restrict outbound egress, and enforce IP access lists.
  • Data lifecycle: Classify data, minimize PHI, de-identify where possible, define retention, and control exports to prevent PHI leaving secure boundaries.
  • Monitoring and response: Centralize audit logs, alert on anomalous activity, test incident response, and maintain evidence.
  • Operational discipline: Keep PHI out of notebooks and logs, gate third-party integrations, and review preview features for eligibility before use.
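The audit-logging feature above and the "Monitoring and response" item ("centralize audit logs, alert on anomalous activity") describe what the logs are for but not what a first triage pass looks like. The following is an added example, not code from the article or from Databricks: it reads newline-delimited JSON events in the top-level field layout of Databricks' documented audit log schema (`serviceName`, `actionName`, `userIdentity.email`, `sourceIPAddress`, `requestParams`, `response.statusCode`) and applies three rules that matter for a PHI workspace: repeated failed logins from one address, a secret read by a human identity rather than an automation service principal, and any workspace configuration edit (for instance the IP access list being switched off). The sample records, the service/action names used in the rules, the `AUTOMATION_PRINCIPALS` allowlist and the threshold are assumptions constructed for the example; check them against your own exported logs before relying on them.

```python
import json
from collections import Counter

# Assumed allowlist for this example: only automation service principals
# should resolve credentials at run time, so a secret read by anyone else
# is worth a look.
AUTOMATION_PRINCIPALS = {"svc-etl@example.org"}
FAILED_LOGIN_THRESHOLD = 3


def _event(svc, action, email, ip, status=200, **params):
    """Build one constructed audit record in the documented field layout."""
    return {"timestamp": 1710000000000, "workspaceId": "1111111111111111",
            "sourceIPAddress": ip, "userIdentity": {"email": email},
            "serviceName": svc, "actionName": action,
            "requestParams": params, "response": {"statusCode": status}}


# Constructed sample log (not real data): three failed console logins and
# one success from an analyst, a secret read by the ETL service principal,
# the same secret read by the analyst, an admin turning IP access lists off,
# and an ordinary job run.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("accounts", "login", "analyst@example.org", "203.0.113.10", 401),
    _event("accounts", "login", "analyst@example.org", "203.0.113.10", 401),
    _event("accounts", "login", "analyst@example.org", "203.0.113.10", 401),
    _event("accounts", "login", "analyst@example.org", "203.0.113.10", 200),
    _event("secrets", "getSecret", "svc-etl@example.org", "10.0.1.5",
           scope="phi-etl", key="warehouse-password"),
    _event("secrets", "getSecret", "analyst@example.org", "203.0.113.10",
           scope="phi-etl", key="warehouse-password"),
    _event("workspace", "workspaceConfEdit", "admin@example.org", "203.0.113.20",
           workspaceConfKeys="enableIpAccessLists", workspaceConfValues="false"),
    _event("jobs", "runNow", "svc-etl@example.org", "10.0.1.5", job_id="42"),
])


def parse_audit_log(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Apply three detection rules and return a list of finding dicts."""
    findings = []
    failed_logins = Counter()
    for ev in events:
        svc, action = ev.get("serviceName"), ev.get("actionName")
        status = ev.get("response", {}).get("statusCode")
        who = ev.get("userIdentity", {}).get("email", "<unknown>")
        params = ev.get("requestParams", {})

        # Rule 1: count failed console logins per source address; the
        # threshold check happens after the loop so bursts are reported once.
        if svc == "accounts" and action == "login" and status != 200:
            failed_logins[ev.get("sourceIPAddress", "<unknown>")] += 1

        # Rule 2: a human identity (not an automation principal) read a secret.
        if (svc == "secrets" and action == "getSecret" and status == 200
                and who not in AUTOMATION_PRINCIPALS):
            findings.append({"rule": "human_secret_read", "severity": "high",
                             "subject": who,
                             "detail": f"{params.get('scope')}/{params.get('key')}"})

        # Rule 3: every workspace configuration edit is reviewed, because
        # that is where guardrails such as IP access lists get switched off.
        if svc == "workspace" and action == "workspaceConfEdit":
            findings.append({"rule": "workspace_conf_change", "severity": "high",
                             "subject": who,
                             "detail": f"{params.get('workspaceConfKeys')}="
                                       f"{params.get('workspaceConfValues')}"})

    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "failed_login_burst", "severity": "medium",
                             "subject": ip, "detail": f"{n} failed logins"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{f['severity']}] {f['rule']}: {f['subject']} ({f['detail']})")
```

Run against the constructed sample, the script reports three findings: the analyst's secret read, the `enableIpAccessLists=false` configuration edit, and the three failed logins from 203.0.113.10; the service principal's secret read and the job run are left alone. In practice the same rules run over the audit log stream you deliver to cloud storage, and each finding should carry the `timestamp`, `workspaceId` and `requestId` of the originating event so it can serve as compliance evidence later.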

Databricks' Security Obligations

Databricks operates and secures the service platform, implements robust software and infrastructure controls, and provides commitments under the BAA. In practice, this includes:

  • Platform and infrastructure security: Hardened control plane operations, vulnerability management, and timely patching.
  • Encryption services: Built-in encryption in transit and at rest, with options to integrate your customer-managed keys.
  • Reliability and resilience: Backups and recovery procedures that protect availability and integrity of platform-managed data.
  • Logging and transparency: Comprehensive administrative and security event logging to support your monitoring and audits.
  • Contractual commitments: Security safeguards, breach notification processes, and flow-down obligations to subprocessors under the BAA.

Business Associate Agreement Requirements

A Business Associate Agreement (BAA) with Databricks is required before processing PHI on the platform. The BAA defines permitted uses and disclosures, required safeguards, breach notification timelines, and subcontractor obligations.

  • Execute the BAA with Databricks and ensure you also have a BAA (or equivalent) with your cloud provider.
  • Map your PHI data flows, designate HIPAA workspaces, and document which teams and integrations may access PHI.
  • Enable the compliance security profile, configure customer-managed keys, and turn on audit logging as part of your go-live checklist.
  • Set procedures for minimum necessary access, data subject requests, retention and destruction, and incident response.

Supported Preview Features and Regional Support

Preview features may be limited or ineligible for HIPAA workloads. Under the compliance security profile, certain previews can be disabled until they become generally available and explicitly supported for PHI. Validate feature eligibility before enabling any preview in HIPAA workspaces.

Regional support depends on your cloud provider. Deploy workspaces in HIPAA-eligible regions, avoid cross-region data movement that violates data residency requirements, and ensure private connectivity is available in the chosen region.

On AWS, consider AWS Nitro instance types for enhanced hardware isolation and memory protection. Pair that with encryption in transit and at rest—ideally with customer-managed keys—to align with a defense-in-depth approach for PHI.

Bottom line: Databricks can support HIPAA when you combine a signed BAA with the compliance security profile, strong encryption, private networking, tight access governance, and continuous monitoring.

FAQs

What is required to make Databricks HIPAA compliant?

Sign a Business Associate Agreement (BAA), enable the compliance security profile on dedicated HIPAA workspaces, enforce encryption in transit and encryption at rest with customer-managed keys, restrict networks to private connectivity, centralize audit logs, and operate with least-privilege access and strong monitoring. Validate features you enable—especially previews—and keep PHI out of logs and exports.

How does the compliance security profile enhance security?

It applies guardrails and safer defaults for regulated data: tighter authentication and token settings, stronger logging with redaction, restricted high-risk features and APIs, and policy enforcement for compute and networking. These controls reduce configuration errors and help you demonstrate consistent security for PHI.

What responsibilities do customers have under HIPAA on Databricks?

You must govern how PHI is collected, stored, accessed, shared, and retained. That includes contracts (BAAs), data classification and minimization, identity and access controls, customer-managed keys, private networking, monitoring and incident response, change control, and vendor risk management for any integrations touching PHI.

Does Databricks provide a BAA for HIPAA compliance?

Yes. Databricks offers a Business Associate Agreement to eligible customers. You also need a BAA (or equivalent) with your cloud provider. Remember, a BAA enables HIPAA use but does not by itself ensure compliance—you must configure and operate your environment according to HIPAA’s safeguards.
