Martin Lemay

Martin Lemay, Chief Security Officer at Devolutions, plays a key leadership role in driving strong cyber security fundamentals and features across all of our products. Outside work you can catch him trying new restaurants or watching an episode of Walking Dead.

Devolutions’ Statement Regarding PHI and HIPAA

Personal health information (PHI) is data in any form that identifies an individual and that relates to their health, health care, and health history. Globally, the governance of PHI is mandated by different pieces of legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This is a U.S. federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Security Rule protects information covered by the law.

Devolutions does not store, process, or transmit Personal Health Information (PHI) in any manner whatsoever. However, our products and services may be used to access environments that do contain such information. We recognize that this is a potential concern for some customers. To address this, we conducted a thorough review and assessment of our core products and services against the HIPAA Security Rule requirements. Below are the results of this assessment:

An independent validation determined that the features of Devolutions Server, Remote Desktop Manager and Devolutions Password Hub are consistent with the Administrative, Physical and Technical requirements of HIPAA’s Security Rule. The solutions are comprehensive and configurable, allowing Covered Entities to adapt their compliance strategy to their operations without compromising security or functionality. Security controls provided by the solutions are consistent with industry standards, as defined by the National Institute of Standards and Technology (NIST SP 800-53r5).

We also take this opportunity to note that Devolutions Server, Remote Desktop Manager, and Password Hub can help organizations protect PHI by leveraging centrally managed access controls, audit and accountability features, and strong authentication mechanisms. Credentials and communications are protected using strong and industry-proven cryptographic protocols and algorithms (please see our publicly available Encryption document for more details on cryptography). Combined with other controls, such as those covered by our SOC2 Type-II report for Devolutions Password Hub, organizations can rest assured that access to HIPAA-regulated environments will greatly benefit from our solutions.

For more information on our products’ HIPAA reports or if you have any questions, please contact our team by sending an email to
