1 min read

Is Cerner HIPAA compliant? (2025 update)

Picture of Kirsten Peremore Kirsten Peremore October 06, 2025

HIPAA compliant software
Is Cerner HIPAA compliant? (2025 update)

Cerner, now part of Oracle Health, offers a wide range of cloud and enterprise software solutions, including infrastructure, databases, and applications for managing business operations, data, and analytics. 

Is Cerner HIPAA compliant? Yes, Cerner can be HIPAA compliant when customers sign a business associate agreement BAA and configure their services accordingly.

 

Will Cerner sign a business associate agreement (BAA)?

Yes, Cerner will sign a business associate agreement.

 

What does the Cerner BAA cover?

The Cerner BAA covers the use and disclosure of protected health information (PHI) when Cerner services are used under the agreement. The terms state:

"Cerner shall not Use or Disclose PHI other than as permitted or required by the Agreement, this BAA, or as Required By Law."

Their BAA covers:

  • Protection of PHI
  • Limitations on use and disclosure of PHI
  • Safeguards to prevent unauthorized access
  • Reporting of security incidents and breaches
  • Cooperation with HHS investigations
  • Patient rights requests (access, amendment, and accounting of disclosures)
  • Return or destruction of PHI upon termination

What does the Cerner BAA exclude?

Cerner specifies limitations in its BAA. The agreement notes that Cerner will only handle PHI as necessary to perform contracted services and is not responsible for a customer’s internal misconfigurations or misuse. The BAA states:

"Cerner shall not be responsible for compliance with HIPAA or the HIPAA Rules by Customer, except as expressly provided in this BAA.

This means the customer is ultimately responsible for using Cerner services in a HIPAA-compliant manner.

 

Conclusion

Cerner signs a BAA and can therefore be HIPAA compliant. However, compliance depends on customers configuring and using Cerner services correctly, since Cerner shifts responsibility for HIPAA compliance outside its covered obligations.

Learn more: HIPAA Compliant Email: The Definitive Guide

 

FAQS

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.

 

What is HIPAA?

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

 

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
Send PHI securely—No portals required. The all-in-one email security suite for healthcare. HIPAA compliant email with Google and Microsoft.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.