Is Cerner HIPAA compliant? (2025 update)

Based on our research, Cerner, now part of Oracle Health, is HIPAA compliant because it meets the requirements set by the U.S. Department of Health and Human Services (HHS) to safeguard protected health information (PHI), provided that customers sign a business associate agreement (BAA) and configure the services correctly.

What is Cerner?

Cerner, now part of Oracle Health, offers a wide range of healthcare technology solutions, including electronic health records (EHRs), data and analytics platforms, and cloud infrastructure. Cerner provides hospitals, clinics, and health systems with tools to manage patient care, operations, and business processes. Cerner can be HIPAA compliant when used under a signed BAA and configured in alignment with HIPAA standards.

Will Cerner sign a business associate agreement (BAA)?

Yes, Cerner will sign a business associate agreement. 

What does the Cerner BAA cover?

The Cerner BAA covers the use and disclosure of protected health information (PHI) when Cerner services are used under the agreement. The terms state:

“Cerner shall not Use or Disclose PHI other than as permitted or required by the Agreement, this BAA, or as Required By Law.”

Their BAA covers:

• Protection of PHI
• Limitations on use and disclosure of PHI
• Safeguards to prevent unauthorized access
• Reporting of security incidents and breaches
• Cooperation with HHS investigations
• Patient rights requests (access, amendment, and accounting of disclosures)
• Return or destruction of PHI upon termination

However, the BAA also makes clear that:

“Cerner shall not be responsible for compliance with HIPAA or the HIPAA Rules by Customer, except as expressly provided in this BAA.”

This means customers are ultimately responsible for configuring and using Cerner services in a HIPAA-compliant manner.

Is Cerner HIPAA compliant?

Cerner signs a BAA and can therefore be HIPAA compliant. However, compliance depends on how customers configure and use Cerner services, since Cerner shifts responsibility for HIPAA compliance outside its expressly covered obligations.

The HIPAA compliant solution: Paubox

Paubox has developed a HIPAA compliant email and texting solution that makes it easier for providers to connect with their patients. It eliminates the need for third-party apps or logins, allowing patients to receive secure, encrypted texts and emails directly on their phones.

Learn more: HIPAA Compliant Email: The Definitive Guide

FAQS

What is HIPAA?

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

What is a business associate agreement?

A BAA is a legally binding contract establishing a relationship between a covered entity under HIPAA and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.