HIPAA and the later adoption of the HITECH Act established through the Department of Health and Human Services a set of Privacy and Security Rules governing the handling of Protected Health Information (PHI). Under these rules, “Covered Entities 1” are required to meet certain security and data requirements in order to keep PHI safe. 2 Covered Entities who utilize a third-party entities (such as a Service Provider) who will “create, receive, maintain or transmit” PHI in providing a function, activity, or service on behalf of that Covered Entity are defined as a “Business Associate.” In most cases, any Business Associate must enter into a Business Associate Agreement (BAA) with the Covered Entity.
Security and privacy for our customers is one of the key tenants of our Nutanix Frame Desktop as a Service (DaaS) platform. Our security and compliance team, in coordination with Nutanix Legal, has determined the necessary deployment models, responsibilities, and actions a Covered Entity or Business Associate of Nutanix must follow in order for Nutanix to execute BAAs.
The architectural design requirements for Frame described below are required for Nutanix to enter into a BAA.
A “Covered Entity” is a “Health Care Plan, Health Care Provider, or Healthcare Clearing House”. Please note that Business Associates may also have downstream Business Associates who would need to comply with these requirements, (e.g., AWS as the platform hosting a SaaS application).
Refer to https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html for the definition of protected health information.
Covered Entities may use Frame-supported public cloud platforms or on-premises Nutanix infrastructure. Public cloud Xi Frame deployments must utilize the Bring Your Own (BYO) infrastructure capability.
Covered Entities must leverage the full Private Networking configuration option when deploying Frame. Any ingress into the Frame-managed workload VMs and egress from the workload VMs must be controlled through the customers’ security appliances.
If applicable, Xi Frame deployments may use Enterprise Profiles but may not use Basic Profiles.
Covered Entities must bring their own SAML2-based identity provider (IdP). These entities may not use my.nutanix.com or the Frame (built-in) IdP as identity providers.
User authorization to PHI must be enforced by the Covered Entity’s applications. These entities may not rely on Frame’s Role-based Access Control (RBAC) to determine which users have access to PHI.
Nutanix support access must be disabled at the customer entity level. Nutanix Support personnel will not be able to access any of the accounts, their configurations, activity logs/reports, virtualized desktops/applications, or data within the Covered Entity’s Frame-managed infrastructure.
Application icons and background images may not contain any protected health information.
Covered Entities may not use the Persistent Desktop feature or Frame Utility Servers to store PHI.
Note on ePHI Data Storage and Processing
Covered Entities may not store or process ePHI on Nutanix-owned/hosted infrastructure.
As with all cloud services, there is a shared responsibility between cloud service providers and end customers. The responsibilities of customers (Covered Entities) to support HIPAA requirements include the following:
The Customer is responsible for policy controls and HIPAA compliance of their environment and workloads.
As mentioned in the section above, customers must utilize Xi Frame’s Bring Your Own (BYO) infrastructure capabilities with either:
On-premises Nutanix AHV infrastructure or
A public IaaS provider cloud account (and enter into a Business Associate Agreement with their IaaS provider)
DaaS workloads and supporting network infrastructure must be monitored.
Customers are responsible for their own DaaS workload configuration and security.
Security and monitoring of their own IaaS provider configurations.
Customers must implement authentication and authorization prior to enabling user access to HIPAA data/PHI.
Must configure Frame workloads and supporting infrastructure to meet availability requirements.
Customers are responsible for implementing all technical and administrative controls necessary to govern access to ePHI data.
Must ensure audit logs for ePHI access are collected and retained.
Customers must restrict cloud credentials provided to Nutanix to ensure Nutanix does not have access to ePHI data.
Customers are responsible for entering into a Business Associate Agreement (BAA) with Nutanix.
Nutanix will only enter BAAs scoped to our cloud service and supporting infrastructure. The scope of these Business Associate Agreements will not include the customer DaaS workload environments. Covered Entities are responsible for independently entering into a BAA with their cloud or data center service providers that host their DaaS workloads. Please reference the links below for more information about BAAs with currently supported cloud providers: