Ably U.S. HIPAA (Health Insurance Portability and Accountability Act) Statement

We are sometimes asked about our compliance with the U.S. HIPAA (Health Insurance Portability and Accountability Act) Security Rule to ensure appropriate protection of electronic protected health information. Following is further information on that but do contact us if you want further details or want answers to questions not covered here.


Is Ably a ‘covered entity’ which is required to comply with the HIPAA Security Rule?

No. The HIPAA Security Rule operationalizes the protections contained in the HIPAA Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

Covered entities include Health Plans, Health Care Providers and Healthcare Clearinghouses.

Ably is not a Health Plan, nor a Health Care Provider, nor a Clearinghouse as defined by U.S. Department of Health & Human Services:

“Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.  

In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. 

In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information.

Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.”


Is Ably a ‘business associate’ under the terms of the HIPAA Security Rule?

No. A business associate is “a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”

Ably could be a business associate under this definition, however, the security rule further defines business associates as “organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

Whilst Ably may be used by covered entities to transport individually identifiable health information, Ably does not inspect the data it transports. Ably never inspects payloads. We treat them as opaque. Ably is a conduit for data (a ‘dumb pipe’) like the postal service in the physical world. See more details in point 3.


Does Ably transport individually identifiable health information?

As a transport for information Ably does not know the nature of the data we are handling. It is possible for our customers, who may be covered entities under HIPAA, to transport individually identifiable health information. However, Ably cannot inspect that data so there is no access to protected health information and any such access would be incidental, if at all.

Under HIPAA there are no restrictions on the use or disclosure of de-identified health information which neither identifies nor provides a reasonable basis to identify an individual. So where Ably customers, even covered entities, are using Ably only to transport de-identified health information, then HIPAA does not apply.


What level of data encryption does Ably use?

Ably uses TLS 2048 bit encryption for all data in transit. However, customers can elect not to transmit their data over TLS. All data within the same data centre in Ably is moved around unencrypted as it cannot be intercepted, but is always encrypted when moved between data centres.

Ably also offers optional 256-bit AES symmetric encryption which makes it impossible for Ably to inspect any data payloads moving through the system at all, even if we wanted to.


Where is data going through the Ably platform stored?

Data in transit is stored ephemerally (i.e. not on disk) in all 24+ data centres in all regions, see https://support.ably.io/solution/articles/3000029525-where-are-ably-s-servers-located-around-the-world. Each region can have two or more data centres.

Messages are only persisted when history is explicitly enabled, and that data is stored in US East Virginia, Europe Ireland, and Asia Singapore.

Enterprise customers have the option to choose where the data is routed and stored geographically. Find out more about Enterprise packages.


Is Ably prepared to sign a “business associate agreement”?

Under HIPAA, any covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.

As per points 1-3 above Ably is neither a covered entity nor a business associate under the terms of the HIPAA Security Rule.

However, some Ably customers still like us to sign a business associate agreement which requires Ably to comply with specified safeguards.

In most cases, Ably is happy to do this as we have such safeguards in place as a matter of course and most business associate agreements are standard. We also recognize that an Ably customer, if a covered entity, may not contractually authorize Ably to make any use or disclosure of protected health information that would violate the Security Rule.


Ably is willing to sign BAAs for our Enterprise customers. Please contact us if you have a business associate agreement you would like us to sign and we will happily review it.