Compliance Overview: HIPAA, SOC 2, and FedRAMP
Who this is for:
Architecture / Concept Overview
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
    classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    Compliance[Compliance Framework] --> HIPAA[HIPAA]
    Compliance --> SOC2[SOC 2 Type II]
    Compliance --> FedRAMP[FedRAMP Moderate]
    HIPAA --> PHI[PHI Protection Controls]
    SOC2 --> TSC[Trust Service Criteria]
    FedRAMP --> NIST[NIST 800-53 Controls]
    PHI --> Platform[Platform Controls]
    TSC --> Platform
    NIST --> Platform
    Compliance:::governance
    HIPAA:::processing
    SOC2:::processing
    FedRAMP:::processing
    PHI:::storage
    TSC:::storage
    NIST:::storage
    Platform:::serving
```
*Compliance framework hierarchy: multiple standards map to a common set of platform controls implemented in Databricks.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
    classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    CSP[Compliance Security Profile] --> Encryption[Enhanced Encryption]
    CSP --> Monitoring[Enhanced Monitoring]
    CSP --> Network[Network Hardening]
    CSP --> Compute[Compute Restrictions]
    Compute --> CIS[CIS Benchmark Compliance]
    Monitoring --> AuditLogs[Immutable Audit Logs]
    AuditLogs --> Evidence[Audit Evidence Package]
    CSP:::governance
    Encryption:::processing
    Monitoring:::ingestion
    Network:::storage
    Compute:::serving
    CIS:::source
    AuditLogs:::ingestion
    Evidence:::source
```
*Compliance Security Profile: enables enhanced controls across encryption, monitoring, network, and compute to satisfy regulatory requirements.*
Key Terms
Prerequisites and Setup
- Databricks Enterprise tier (required for HIPAA and FedRAMP)
- Signed BAA with Databricks (required for HIPAA workloads)
- Compliance Security Profile enabled at account level
- Customer-managed keys configured for data encryption
- Private connectivity (Private Link) for network isolation
- Audit logging configured for compliance evidence collection
Step-by-Step Implementation
Configuration Reference
| Control | HIPAA | SOC 2 | FedRAMP | Implementation |
|---|---|---|---|---|
| Encryption at Rest | Required | Required | Required | CMK + platform encryption |
| Encryption in Transit | Required | Required | Required | TLS 1.2+ (always on) |
| Access Controls | Required | Required | Required | Unity Catalog + ACLs |
| Audit Logging | Required | Required | Required | System tables + log delivery |
| Network Isolation | Required | Recommended | Required | Private Link + VPC |
| MFA | Required | Required | Required | IdP-enforced |
| Data Retention | 6 years | Per policy | Per agency | Customer-managed storage |
| Incident Response | Required | Required | Required | Shared responsibility |
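As an added example (not part of the original page or Databricks' own documentation), the following Databricks SQL query pulls privileged-action evidence from the `system.access.audit` system table that the Configuration Reference maps to the Audit Logging control, covering the Access Controls, Compliance Security Profile and MFA rows of the matrix. It assumes the system schema is enabled and the caller can read `system.access.audit`; the `service_name` and `action_name` values in the filter are assumed to match the Databricks audit log event names and are illustrative rather than exhaustive.

```sql
-- Audit evidence query over the Databricks system table system.access.audit.
-- Returns, per day and actor, the count of privileged actions and whether
-- they succeeded, for the last 30 days. Added example; the action names
-- below are assumed to match the audit log schema and can be extended.
SELECT
  date_trunc('DAY', event_time)                                     AS event_day,
  user_identity.email                                               AS actor,
  service_name,
  action_name,
  CASE WHEN response.status_code = 200 THEN 'success' ELSE 'failure' END AS outcome,
  COUNT(*)                                                          AS events
FROM system.access.audit
WHERE event_time >= current_timestamp() - INTERVAL 30 DAYS
  AND (
        -- Unity Catalog privilege grants and revokes (Access Controls row)
        (service_name = 'unityCatalog' AND action_name = 'updatePermissions')
        -- Workspace setting changes, e.g. logging or security profile options
     OR (service_name = 'workspace'    AND action_name = 'workspaceConfEdit')
        -- Failed authentication attempts (MFA row); a non-200 status is a failure
     OR (service_name = 'accounts'     AND action_name IN ('login', 'tokenLogin')
         AND response.status_code <> 200)
      )
GROUP BY 1, 2, 3, 4, 5
ORDER BY event_day DESC, events DESC;
```

Scheduling this as a Databricks SQL query on a daily cadence and exporting the result set gives a repeatable artifact for the Audit Evidence Package shown in the second diagram.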