Rewind’s HIPAA configuration guide
This guide provides information on how to use Rewind in a HIPAA-compliant manner. It is designed for Rewind customers who have a Business Associate Agreement (BAA) in place or who intend to enter into a BAA with us.
We provide self-controlled configurations to help support your HIPAA compliance efforts. However, it’s your responsibility to ensure that you use Rewind products in a HIPAA-compliant manner. Rewind does not monitor or analyze our customers’ data backups, so it’s essential to implement the necessary procedures to ensure all cloud service integrations backed up by Rewind maintain end-to-end compliance.
Additionally, any cloud service integrations backed up with Rewind must also be operated in a HIPAA-compliant manner. This includes ensuring that you have a signed BAA in place with all relevant integration providers.
Rewind offers HIPAA compliance for the following cloud service integrations:
- Backups for Confluence
- Backups for Jira
- Backups for Jira Service Desk
- Backups for Azure DevOps
- Backups for Okta
- Backups for Entra ID
These are referred to in Rewind’s Business Associate Agreement as “HIPAA Eligible Services”.
Configure your Rewind account
Using Rewind in a HIPAA-compliant manner requires implementing the integration-specific requirements for fields that can’t contain PHI. Please see the integration-specific guidance below and ensure you don’t enter PHI in the indicated fields.
- Enter into a Business Associate Agreement with Rewind.
- Ensure that you don’t enter PHI into any fields indicated below.
- Never include PHI in messages to Rewind’s support team.
WHEN CONTACTING REWIND FOR SUPPORT OR ASSISTANCE DO NOT INCLUDE PHI (OR OTHER SENSITIVE INFORMATION) IN EMAILS, CORRESPONDENCE OR SERVICE TICKETS.
Microsoft Azure DevOps
- Configure Azure DevOps in accordance with Microsoft’s HIPAA compliance requirements. These can be found in the Microsoft Compliance Portal.
- Ensure that no PHI is contained in the following fields:
| Item type | Field |
| --- | --- |
| Organization | Account name |
| Project | Project name |
| File or folder within repository | File names or folder names |
Atlassian Confluence
- Configure Confluence according to Atlassian’s HIPAA compliance requirements, which can be found in the Atlassian Support Portal.
- Ensure that you have no PHI in the following fields:
| Item type | Field |
| --- | --- |
| Attachments | Title |
Atlassian Jira and Jira Service Desk
- Configure Jira and Jira Service Desk according to Atlassian’s HIPAA compliance requirements, which can be found in the Atlassian Support Portal.
- Ensure that you have no PHI contained in the following fields:
| Item type | Field |
| --- | --- |
| Issue attachments | Name |
Okta
- Review Okta requirements for HIPAA compliance, which can be found in the Okta Security Trust Centre.
Entra ID
- Configure Entra ID according to Microsoft’s HIPAA compliance requirements, which can be found in the Microsoft Compliance Portal.
Disclaimer:
Due to changes in law, regulation, or Rewind products or services, we may update or revise this guide from time to time. You may subscribe to notifications through Rewind’s Security Portal.
This document contains Rewind’s requirements for product configurations to ensure the protection of customers’ PHI within the Rewind products mentioned above. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Rewind customer should:
- Seek its own legal counsel with regard to HIPAA compliance obligations applicable to its specific situation.
- Make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes don’t conflict with or undermine the security of the configurations outlined in this document.
- PRIOR TO INITIATING ANY BACKUP OF DATA THAT INCLUDES PHI (INCLUDING PRIOR TO ANY TRIAL OF REWIND PRODUCTS), CUSTOMER MUST CONTACT REWIND’S SALES TEAM TO FACILITATE SIGNING A BAA.