Health Insurance Portability and Accountability Act (HIPAA)

The Security and Data Breach Notification Rules adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect the confidentiality and integrity of protected health information (PHI) when held by healthcare providers, insurers, and healthcare clearinghouses (covered entities), as well as companies that provide services to covered entities, known as business associates.

While F5 does not store or process health-related data on behalf of our customers, it is possible that some data we hold could constitute PHI, such as the association between a user with a particular IP address and an F5 customer that is a covered entity. To ensure compliance, we implement security controls that exceed those required by the Security Rule (and our compliance has been assessed by external auditors in our SOC 2 Type 2 Report), we have designated our Chief Information Security Officer as the HIPAA Security Official, and we have executed business associate agreements (BAAs) with our vendors who may hold this data. We also have a standard BAA for contracting with customers that is available upon request.

Applicable Products: F5 Distributed Cloud, Bot Defense, and Silverline

FAQ

F5 is fully committed to complying with the HIPAA standards in the U.S., including the Security Rule, the Privacy Rule, and the Breach Notification Rule. F5’s global privacy strategy and privacy-by-design approach ensures that F5 and its services prioritize the protection of personal data, including Protected Health Information (“PHI”), and uphold the highest standards of data privacy.


Can customers subject to HIPAA (the U.S. Health Insurance Portability & Accountability Act) use F5 services?

Yes. HIPAA-regulated customers can enter into F5’s HIPAA business associate agreement (BAA), which covers all F5 services. F5 implements security safeguards that exceed those required by the HIPAA Security Rule and our compliance has been assessed by external auditors in our SOC 2 Type 2 Report. Refer to https://www.f5.com/company/policies/privacy-notice for more details.