HIPAA-Compliant Git Hosting: 2026 Requirements Checklist
2026-05-25
The 2026 HHS cybersecurity rule (final)
Effective January 2026, the HHS Office for Civil Rights requires a Git host that acts as a HIPAA business associate to satisfy:
- Written BAA: signed before any PHI reaches the platform
- Encryption at rest and in transit: AES-256 at rest and TLS 1.3 in transit, both mandatory
- Audit logs retained 6 years: every entry must record who accessed which repository, and when
- Quarterly access reviews: backed by SCIM/SSO integration, so the review is run against the identity provider's user list rather than host-local accounts
- US-only data residency: with cryptographic attestation of where the data is stored
- Incident response SLA: notification of a security incident within 72 hours
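The audit-log and access-review items are the two a reviewer can test against data rather than paperwork. The script below is an added example, not code from any host named on this page: it runs a quarterly access review over an audit-log export and a SCIM user list, both constructed inline for the demonstration. The record layout (JSON Lines with `ts`, `actor`, `action`, `repo`) is an assumption; map it onto the field names your host's export actually uses.

```python
"""Quarterly access review over a Git-host audit-log export.

Added example for this checklist, not code from any host named on the page.
The record layout (JSON Lines with "ts", "actor", "action", "repo") is an
assumption for illustration; adapt it to the fields your host exports.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample export: one JSON object per line, UTC timestamps.
# The last line is deliberately missing "ts" and "repo".
SAMPLE_EXPORT = """\
{"ts": "2026-04-02T14:03:11Z", "actor": "alice", "action": "git.clone", "repo": "health/claims-api"}
{"ts": "2026-04-09T09:12:44Z", "actor": "bob", "action": "git.push", "repo": "health/claims-api"}
{"ts": "2026-01-15T08:00:00Z", "actor": "carol", "action": "git.clone", "repo": "health/billing"}
{"ts": "2026-05-01T16:30:02Z", "actor": "svc-deploy", "action": "git.fetch", "repo": "health/billing"}
{"ts": "2026-05-20T11:45:09Z", "actor": "alice", "action": "repo.access", "repo": "health/billing"}
{"actor": "mallory", "action": "git.clone"}
"""

# Constructed directory snapshot as the SCIM/SSO provider would report it.
# "svc-deploy" is deliberately absent: an account the IdP does not manage.
SCIM_USERS = frozenset({"alice", "bob", "carol", "dave"})

RETENTION = timedelta(days=6 * 365)   # the six-year window the checklist names
REQUIRED = ("ts", "actor", "repo")    # when, who, which repository


@dataclass
class ReviewReport:
    period_start: datetime
    period_end: datetime
    access: dict[str, set[str]] = field(default_factory=dict)  # actor -> repos touched
    orphaned_actors: set[str] = field(default_factory=set)     # active, but unknown to the IdP
    dormant_users: set[str] = field(default_factory=set)       # in the IdP, no activity this quarter
    malformed: int = 0                                          # records missing who/which/when


def _parse_ts(value: str) -> datetime:
    # fromisoformat on Python < 3.11 rejects a trailing "Z"; normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text: str) -> tuple[list[dict], int]:
    """Parse JSON Lines. Records lacking who/which/when are counted, not guessed at."""
    good, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if any(k not in rec for k in REQUIRED):
            bad += 1
            continue
        rec["ts"] = _parse_ts(rec["ts"])
        good.append(rec)
    return good, bad


def quarter_bounds(year: int, quarter: int) -> tuple[datetime, datetime]:
    """Half-open [start, end) bounds of a calendar quarter in UTC."""
    start = datetime(year, 3 * (quarter - 1) + 1, 1, tzinfo=timezone.utc)
    end = datetime(year + (quarter == 4), 3 * (quarter % 4) + 1, 1, tzinfo=timezone.utc)
    return start, end


def access_review(export: str, idp_users: frozenset, year: int, quarter: int) -> ReviewReport:
    """Who touched which repo this quarter, who did so without an IdP identity,
    and which IdP users never showed up (candidates for deprovisioning)."""
    records, malformed = parse_export(export)
    start, end = quarter_bounds(year, quarter)
    report = ReviewReport(start, end, malformed=malformed)
    for rec in records:
        if not (start <= rec["ts"] < end):
            continue
        report.access.setdefault(rec["actor"], set()).add(rec["repo"])
        if rec["actor"] not in idp_users:
            report.orphaned_actors.add(rec["actor"])
    report.dormant_users = set(idp_users) - set(report.access)
    return report


def covers_retention(export: str, as_of: str) -> bool:
    """True if the export reaches back the full retention window as of the given
    ISO timestamp. False means either the tenancy is younger than six years or
    the host purges earlier; the review should record which it is."""
    records, _ = parse_export(export)
    if not records:
        return False
    oldest = min(r["ts"] for r in records)
    return _parse_ts(as_of) - oldest >= RETENTION


if __name__ == "__main__":
    rpt = access_review(SAMPLE_EXPORT, SCIM_USERS, 2026, 2)
    for actor, repos in sorted(rpt.access.items()):
        print(f"{actor:12} {', '.join(sorted(repos))}")
    print("orphaned (not in IdP):", sorted(rpt.orphaned_actors))
    print("dormant (no access this quarter):", sorted(rpt.dormant_users))
    print("malformed records:", rpt.malformed)
    print("export spans 6 years:", covers_retention(SAMPLE_EXPORT, "2026-05-25T00:00:00Z"))
```

Two findings in the sample are the ones a reviewer should act on: `svc-deploy` has repository activity but no SCIM identity, which is exactly the account an IdP-driven deprovisioning would never catch, and the malformed record shows why the "who, which repo, when" requirement has to be checked per entry rather than assumed from the export's existence.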
Which hosts qualify in 2026
| Host | BAA | US-only | SCIM | Audit retention | Price (per user, per month) |
|---|---|---|---|---|---|
| GitHub Enterprise Cloud | yes | yes ($) | yes | 6yr | $21/user |
| GitLab Ultimate SaaS | yes | yes | yes | 6yr | $99/user |
| Bitbucket Premium | no BAA | no | yes | 1yr | $6/user |
| EmpireGit Enterprise | yes | yes | yes | 6yr | $99/user |

($): available at extra cost.
Bitbucket is out: no BAA, no US-only residency, and only one year of audit retention. The choice is between GitHub Enterprise Cloud ($21), GitLab Ultimate ($99) and EmpireGit Enterprise ($99).
EmpireGit Enterprise includes a BAA, US data residency in the us-east-1 AWS region (eu-central-1, the Frankfurt region, is also offered, but it is not a US region and does not satisfy a US-only requirement), SCIM via Okta, Azure AD (now Microsoft Entra ID) and Google Workspace, and 6-year audit log retention by default.