HIPAA Compliance


The SpiderOak desktop applications SpiderOak ONE and Semaphor are HIPAA-compliant as a Business Associate. As its standard offering, SpiderOak ONE provides a cloud backup and storage system that complies with both the Privacy Rule and Security Rule. Semaphor is a chat tool for real-time conversations and file-sharing that also complies with both the Privacy Rule and Security Rule.


SpiderOak supports certain customers that are subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (collectively, “HIPAA”). Under HIPAA, companies have obligations to meet certain privacy and security standards with regard to Protected Health Information (“PHI”).

In order to comply with HIPAA, Covered Entities must act in an effort to ensure that patient information is both private and secure. The HIPAA rules define Covered Entities to include: (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which Health & Human Services (“HHS”) has adopted standards. To guide organizations in fulfilling their HIPAA obligations, HHS has published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The “Privacy Rule,” or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for keeping certain health information confidential. The Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”) establish a national set of security standards for keeping certain health information secure while it is being held or transferred in electronic form.

Organizations that act in support of Covered Entities, as defined in HIPAA, are “Business Associates.” Cloud storage providers, such as SpiderOak, that support Covered Entities through the storage of PHI are Business Associates.

The latest update to HIPAA requires healthcare providers, medical institutions, and cloud storage services supporting those entities where PHI is involved, among others, to be compliant with HIPAA rules and regulations. If they are found not to be in compliance, they may have to pay fines of up to $1.5 million. In order to comply with HIPAA, cloud service providers have to enforce stringent security policies for protecting the privacy and confidentiality of user data.

With its Zero Knowledge privacy approach, the SpiderOak ONE desktop and Semaphor desktop and mobile applications encrypt the data on the user’s device before uploading the data to the cloud or syncing it across other devices. The data remains encrypted until the user requests the data, which is then delivered back to the user’s computer in its encrypted state until the user decrypts it with the password.

Because the SpiderOak ONE and Semaphor desktop applications store user data in encrypted form, they also provide the highest degree of protection against security breaches. When sensitive information is stored in plaintext form, there is always a risk of data being compromised during cyber attacks, resulting in compliance violations. Even if unauthorized personnel are able to access the server, all they can see is encrypted, unintelligible data.

You can find the SpiderOak Business Associate Agreement request form here. For any inquiries regarding PHI, HIPAA, security, or privacy, please contact compliance@spideroak.com, Attn: HIPAA Compliance.