HIPAA Compliance and Synology C2

Learn how Synology C2's secure infrastructure and privacy-focused design help clients comply with HIPAA regulations.

A shared responsibility

The Synology C2 platform is designed to ensure maximum security, confidentiality, and integrity for clients’ data, including protected health information in electronic form (ePHI). Healthcare operators can easily integrate C2’s data protection and auditing features into their HIPAA compliance strategy.

Security and privacy: Platform-wide and service-specific tools and settings to restrict ePHI access to authorized personnel.

Integrity and availability: Secure infrastructure design to minimize data loss and corruption risks and boost service availability.
Preventing unauthorized access

Synology C2 can be configured as a no-view service without read access, eliminating the risk of uploaded patient data leaking into the wrong hands. Each service in the Synology C2 ecosystem has one or more data protection mechanisms in place, such as end-to-end encryption, client-side encryption, or a combination of measures. To learn more about how C2 services ensure complete ownership and control of ePHI, refer to the dedicated white paper for each service.
Regulating and auditing access

Thoughtfully designed features enable close control over who has access to health data, both within the organization and while interacting with external parties.

Secure platform access: Access to all C2 services requires a valid Synology Account, which can be configured for maximum security with multi-factor authentication (MFA). Detailed login records simplify investigation when abnormal account activities occur.

Granular sharing settings: Limiting the circulation of ePHI helps reduce risks to data privacy. C2 offers tools such as password protection and expiration dates for share links, and C2 Transfer, designed for file transfers, requires user verification through one-time passwords.

Audit logging and reports: Detailed logs empower admins to investigate user actions including accessing, transferring, or downloading patient data. Reports generated on demand or sent periodically by email facilitate monitoring and evaluation.
Dependable infrastructure you can trust

All C2 data is stored in certified colocation data centers where single points of failure are eliminated through redundant, highly available infrastructure.

Physical safety: ISO 27001 and SOC 2 Type II certifications guarantee strict compliance with security procedures and physical safety measures, as well as monitoring of site access by staff.

Redundancy safeguards: Erasure coding technology helps maximize data redundancy while enabling detection and repair of corrupted data, isolating data from the threat of hardware failure.

Data ownership: With data centers located in Europe and the US, Synology C2 allows clients to comply with local regulations, such as US and EU data residency requirements.

Learn more about security and privacy at Synology

Data durability blog post: Take a deep dive into the topic of data durability, with a technical overview and real-world examples from our infrastructure.

Privacy Statement: See how we handle and process users’ personal information, including what data we collect and how long we retain it.

Synology C2 Terms of Service: Read the terms and conditions that govern use of the Synology C2 platform and individual C2 services.

Data security white papers: Learn in detail how Synology C2 solutions keep data safe from unauthorized access, ensuring total control over ePHI and other sensitive data. White papers are available for C2 Storage, C2 Identity, C2 Password, C2 Transfer, and C2 Backup.

Frequently Asked Questions

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was introduced by the US Congress in 1996 to set regulatory standards for the lawful use and disclosure of electronic protected health information (ePHI). Under HIPAA regulations, healthcare providers and businesses are expected to meet a set of requirements aimed at ensuring the privacy and security of any ePHI that is created, managed, received, or transmitted.

What are the HIPAA rules?

HIPAA legislation consists of five rules.
Each rule lays out different requirements for HIPAA compliance:

1. Privacy Rule: How, when, and under what circumstances ePHI can be used and disclosed

2. Security Rule: Technical, physical, and administrative standards to safeguard the integrity of ePHI

3. Omnibus Rule: Integration of HITECH’s provisions into HIPAA to strengthen protection of ePHI

4. Breach Notification Rule: Terms and conditions for the notification of data breaches involving ePHI to interested parties and the public

5. Enforcement Rule: Investigation and penalties applied following a data breach involving ePHI

Over the years, the requirements have been integrated and expanded in response to technological advancements in healthcare and other industries.

What is a no-view service?

The term “no-view service” describes the situation in which the Cloud Service Provider (CSP) maintains encrypted ePHI on behalf of a Covered Entity or Business Associate without having access to the decryption key.

What is erasure coding?

Similar to RAID, erasure coding stripes data into a large number of pieces, introducing a redundancy of at least three pieces (meaning that up to three servers can fail without affecting data availability). However, with erasure coding, users need not wait for recovery, which is instant. Erasure coding also helps with detecting and repairing corrupted data.

What third-party compliance requirements does Synology C2 meet?

Synology C2's Europe (Frankfurt am Main) and APAC (Taipei) colocation data center facilities are certified up to the ISO 27001 standard, one of the strictest available security frameworks for information technology. Synology C2's US colocation data center facilities have achieved comprehensive SOC 2 Type II certification, confirming there are strict procedures in place to keep user data secure. Synology handles payment details in compliance with PCI DSS by processing and storing billing information with a PCI Level 1 Service Provider.

Does Synology C2 offer Business Associate Agreements (BAA)?

Yes. BAAs are currently available for C2 Object Storage, C2 Storage, C2 Backup, C2 Transfer, and C2 Password. Requests can be filed here. A representative will contact you to confirm the details and supply a digital copy of the agreement for you to sign.

Notes: The US Department of Health and Human Services (HHS) does not officially issue or recognize any form of HIPAA compliance certification.