Cresta’s Commitment to HIPAA

Cresta furthers its commitment to security and privacy through the support for HIPAA compliance.

HIPAA and Cresta

Today, Cresta is excited to announce that it has met the requirements set forth by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a business associate. With this announcement, covered entities and business associates subject to HIPAA can use Cresta’s HIPAA-eligible products and may execute a Business Associate Agreement (BAA) with Cresta.

Our customer base at Cresta consists of Fortune 100 companies that care greatly about the security and privacy of their data. Cresta currently maintains compliance with SOC 2 Type II, ISO/IEC 27001:2013, ISO/IEC 27701:2019, and PCI-DSS SP Level 2 in an effort to reinforce our belief that the protection of customer data is of top importance. HIPAA is a natural next step for us in this journey, enabling us to serve an even wider array of clients who operate in or with the healthcare industry.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law imposed on covered entities (i.e. healthcare providers, health plans, and healthcare clearinghouses) to protect the privacy and security of protected health information (PHI) and electronic personal health information (ePHI). The scope of HIPAA was expanded in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH), which sets additional technical standards with respect to the confidentiality, integrity, and availability of PHI/ePHI.

When a covered entity wants to use a third-party vendor that processes or stores PHI/ePHI, such as Cresta, that vendor is classified as a business associate under HIPAA. Business associates are also subject to the HIPAA standard and must provide covered entities (and other business associates) with a Business Associate Agreement (BAA). This agreement outlines the business associate’s safeguards for the protection of PHI/ePHI, and clarifies the permitted and required uses and disclosures of PHI/ePHI by the business associate.

Ongoing Efforts

HIPAA compliance is not a one-and-done milestone – it’s a commitment that Cresta will continually audit and safeguard its environment to ensure the ongoing security and privacy of customer data. Cresta has over 100 employees globally and a dedicated security and compliance team that helps strengthen the security of our company and product offerings as we continue to serve our enterprise clients. To learn more about Cresta’s Security and Compliance program, please visit Cresta’s Trust page.