Is Oracle Health (Cerner) HIPAA compliant?
Yes. Oracle Health (formerly Cerner) signs a HIPAA BAA covering PHI handled through its EHR and hosted/managed services; Oracle also publishes a standard Business Associate Agreement.
Key facts
- BAA available: Yes — with a signed BAA
- What it takes: Enterprise services agreement
- Official source: Oracle Health Business Associate Agreement (PDF) — https://www.oracle.com/a/ocom/docs/business-associate-agreement.pdf (verified 2026-06)
How to use Oracle Health (Cerner) in a HIPAA-compliant way
- Request the current BAA addendum from your Oracle Health account manager as part of the services agreement.
- Verify the BAA scope covers the specific Oracle Health/Cerner Millennium products and hosted services you use.
- Have legal and your privacy officer review and execute the agreement before production PHI use.
- Treat any third-party app built on Cerner FHIR/HL7 interfaces as a separate business associate needing its own BAA.
- Store the executed BAA and reassess on renewal or scope changes.
Important caveats
- Oracle's published BAA PDF is a general/supplier-facing template; confirm your specific EHR BAA terms with your account team.
- Integrations and downstream subcontractors require independent BAA assessment.
- The BAA alone does not confer compliance—configuration and the practice's safeguards remain the customer's responsibility.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Oracle Health (Cerner) correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Oracle Health (Cerner).
Frequently asked questions
Does Oracle Health (Cerner) sign a BAA?
Yes. The BAA is executed as part of an enterprise services agreement, and a signed BAA is required before any PHI is involved.
Is Oracle Health (Cerner) HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Oracle Health (Cerner) offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Oracle Health (Cerner) with PHI?
Oracle's published BAA PDF is a general/supplier-facing template; confirm your specific EHR BAA terms with your account team.