发表新帖
发表新帖

Heroku HIPAA Compliance

后端 未结
关注
4 1417
时光取名叫无心
时光取名叫无心 2021-02-19 15:26

Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health info

相关标签:
4条回答
  • 青春惊慌失措
    2021-02-19 15:52

    Heroku has announced their Shield accounts that will provide HIPAA compliance.

    From the link

     The Shield Private Dyno includes an encrypted ephemeral file system
 and restricts SSL termination from using TLS 1.0 which is considered 
 vulnerable. Shield Private Postgres further guarantees that data is 
 always encrypted in transit and at rest. Heroku also captures a high 
 volume of security monitoring events for Shield dynos and databases 
 which helps meet regulatory requirements without imposing any extra 
 burden on developers.

    That may or may not obviate the need for BAA's, MOU's, etc.

    0 讨论(0)
  • 天命终不由人
    2021-02-19 15:53

    HIPAA compliance involves a number of different areas, including more than just technology. Specifically regarding the technology requirements within HIPAA, there are a bunch of requirements, but the one that you most obviously can't meet with Heroku is this one:

    164.314 Organizational requirements. (B) (B) In accordance with 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section;

    You need a BAA from Heroku. HIPAA doesn't distinguish between encrypted and unencrypted data when it defines subcontractors and business associates. For a good sense of all that is required of HIPAA, here's a comprehensive list - https://catalyze.io/hipaa/. Hope that helps.

    0 讨论(0)
  • 长发绾君心
    2021-02-19 16:05

    Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS Hipaa compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.

    To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.

    0 讨论(0)
  • 小蘑菇
    2021-02-19 16:10

    Heroku has told me they will not sign Business Associate Agreements at the moment, so if you store any PHI on the server it is not possible to be HIPAA compliant.

    0 讨论(0)
 看不清?
提交回复
热议问题