< Compliance
CenturyLink IaaS meets HIPAA compliance requirements


Leverage CenturyLink's extensive experience with secure HIPAA-compliant hosting to meet the most demanding business requirements.

U.S. Health Insurance Portability and Accountability Act (HIPAA) is a US regulation dealing with the protection of individually identifiable health information better known as PHI (Protected Health Information). It applies to any document or record, both paper and electronic, which can identify protected health information of an individual. One of the main goals is to prevent harm to an individual as a result of any medical or mental health condition.

There is no official federal certification required to prove an organization is HIPAA compliant. Covered Entities and Business Associates can self-certify their compliance, which means certifying they comply with HIPAA regulations. CenturyLink has gone one step further and used an external auditor to perform a Type 1 (point in time) evaluation of our HIPAA compliance. The assessment was performed against the HIPAA Security Rules and Breach Notification requirements using the Attestation Engagement rules AT-101.

The report covers CenturyLink process and services used to support our customer environments, but does not look at specific customer environments. The customer still retains full responsibility for meeting their requirements under HIPAA. Administrative (risk management, security policies, training, Business Associates, etc.), Physical (data centers security, media handling, etc.), Technical (access administration) and Breach Notification Controls (security incident management) were reviewed by our auditors.

The report provides an assessment of processes and services and how they meet those HIPAA Security Rules and Breach Notification requirements. If those services are purchased by a customer, this report can help in their own self-certification. The report does not specifically assess specific products (cloud, specific applications, etc.)


HIPAA mandates data center providers storing electronic Protected Health Information (ePHI) sign a Business Associate Agreement (BAA). These agreements allow anyone with ePHI to use CenturyLink capabilities to meet their ePHI storage requirements.

CenturyLink has 56 data centers across the US offering HIPAA-enabled colocation and managed services to all healthcare and healthcare-related organizations. CenturyLink’s data centers meet multiple security standards (ISO 27001, PCI, SOC) in addition to HIPAA, ensuring maximum focus on securing customer ePHI.

The CenturyLink's portfolio of services offers customers the flexibility to incorporate technologies that meet different business needs. The needs of one customer can be as varied as colocation for hosting servers and applications in HIPAA-enabled data centers, managed services to offload day-to-day operations to a market-leading partner and an award-winning enterprise cloud for efficiency and cost savings. Customers can link between these three services to ensure their overall operation runs in a compliant, stress-free, secure IT environment.

Organizations who are required to comply with the HIPAA can leverage CenturyLink to process, maintain and store individually-identifiable health information or PHI. With the required controls in place in the customer environment (data encryption, access restrictions, etc.), CenturyLink will sign a Business Associate Agreement (BAA) that can be leveraged as part of the customer’s overall compliance program.

Benefits to signing a BAA:

  1. Assures the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity.
  2. Mandates that the satisfactory assurances are in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Understanding Health Information Privacy

CenturyLink has extensive experience with HIPAA compliance, and we're happy to help you navigate the waters to deliver a solution that meets your specific business objectives.

The HIPAA Privacy Rule provides federal protections for individually-identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule does permit the disclosure of health information needed for patient care and other important purposes.

The HIPAA Security Rule specifies a series of administrative, physical and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity and availability of electronic protected health information (ePHI).

The HIPAA Rules apply to covered entities and business associates. Individuals, organizations and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information, and must also provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written BAA or other arrangement with the business associate. The arrangement or agreement establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of PHI. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See the complete definitions of “business associate” and “covered entity” at 45 CFR 160.103.

Frequently Asked Questions

What is a Covered Entity?

Healthcare Provider

This includes the following if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
Healthcare Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
Healthcare Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

What is a Business Associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.  

Which CenturyLink Data Center locations offer HIPAA Compliance?

View the data center locations with HIPAA compliance.

  • Albuquerque, NM (AB3)
  • Atlanta, GA (AT1)
  • Bangalore, India (BLR2)
  • Boston, MA (B01, B02, B03)
  • Burbank, CA (BR1)
  • Chicago, IL (CH2, CH3, CH4)
  • Columbus, OH (CL1)
  • Dallas, TX (DL 1, DL2)
  • Denver, CO (DN1, DN2, DN3)
  • Frankfurt, Germany (FR6)
  • Hong Kong (HK2)
  • Jersey City, NJ (NJ1)
  • London, United Kingdom (L01, L03, L04, L05, L06)
  • Los Angeles, CA (LA1)
  • Minneapolis, MN (MP1, MP2)
  • Montreal, Canada (MR1)
  • Newark, NJ (NJ5)
  • Orange County, CA (OC2)
  • Piscataway, NJ (NJ3, NJ4)
  • Santa Clara, CA (SC4, SC5, SC8, SC9)
  • Seattle, WA (SE2, SE3, SE4)
  • Singapore (SG2, SG8)
  • St. Louis, MO (SL1)
  • Sterling, VA (DC2, DC3, DC4, DC5, DC6, DC7)
  • Sunnyvale, CA (SN 1, SN2)
  • Tampa, FL (TP1)
  • Tokyo, Japan (TY6)
  • Toronto, Canada (TR1)
  • Vancouver, Canada (VC1)
  • Weehauken, NJ (NJ2)
In Scope Colocation Data Centers

These colocation data centers are certified for HITRUST compliance:

United States

  • Albuquerque (ABQ1)
  • Atlanta (ATL1)
  • Boston (BOS1, BO2, BO3)
  • Chicago (ORD1, ORD2)
  • Columbus (CMH1)
  • Dallas (DFW1, DL1, DL2)
  • Denver (DEN1, DEN2)
  • Los Angeles (LAX1, LAX2, LAx3)
  • Minneapolis (MSP1)
  • Moses Lake (MSP1)
  • New York/New Jersey (EWR1, EWR2, EWR3, EWR4)
  • Saint Louis (STL1)
  • San Francisco (SFO1, SFO2, SFO3)
  • Seattle (SEA1, SEA2)
  • Tampa (TPA1)

View a map of HIPAA compliant data center locations.

View a Dedicated Cloud Compute architecture for HIPAA compliance.

Related Products

Cloud Servers

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.