HIPAA is a 1996 U.S. law that required the codification and enactment of federal-level privacy rules and regulations concerning consumers' personal health information (PHI). Pursuant to HIPAA’s mandate, the U.S. Department of Health and Human Services (HHS) created national standards for safeguarding PHI in 2002, and these took effect in 2003.
Compliance with these standards must be achieved not only by “covered entities” like physicians, hospitals, private health insurance companies, and health care clearinghouses, but also by vendors—including software providers, cloud service providers, cloud platforms, document storage companies, etc.—which provide support to covered entities and health plans, and whose services involve the use or disclosure of PHI.
HHS does not mandate, endorse, or recognize HIPAA accreditations—or certify any products or services as “HIPAA compliant.” But entities subject to HIPAA rules can harness the power of CARTO via customer-managed deployments on Google Cloud Platform, AWS, or Azure, which each support HIPAA compliance within the scope of a Business Associate Agreement (BAA).
The Federal Risk and Authorization Management Program (“FedRAMP”) furnishes the U.S. federal government with a risk-based, standardized approach to security assessments, allowing U.S. government entities to adopt and use those cloud services which meet the requirements of its common security framework.
While CARTO itself is not FedRAMP-authorized, the three major cloud platforms—AWS, Azure, and GCP—on which the CARTO Platform can be deployed have each achieved FedRAMP authorization, allowing our customers to purchase subscriptions to SaaS or customer-managed deployments on Google Cloud Platform, or customer-managed deployment options on AWS or Azure.
CARTO’s SaaS offering is deployed on a GCP cloud region which has received both FedRAMP “High” provisional authority to operate (P-ATO), as well as “Moderate” (P-ATO).