From time to time, customers and prospects ask us whether Heroku can be used in a HIPAA compliant manner. We know the healthcare sector covered by HIPAA is vast, so we understand just how many people need to use cloud-based services in it.
In previous posts, we’ve covered the following cloud providers and their capabilities for HIPAA compliance:
The purpose of this post is to determine if Heroku offers HIPAA compliance or not.
Heroku is a cloud Platform as a Service (PaaS). It supports several programming languages including Java, Node.js, Scala, Clojure, Python, PHP, and Ruby. Known as one of the first cloud platforms, Heroku launched in 2007. In 2010, it was bought by Salesforce for $212 million.
Heroku and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked Heroku's site and found a page called Heroku Security, Privacy, and Compliance. In it, Heroku states: "Customers who want to build healthcare applications on Heroku that complies with US HIPAA can contact firstname.lastname@example.org regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance."
Heroku Shield for HIPAA Compliance
We also found a blog post from 6 June 2017 called "Introducing Heroku Shield: Continuous Delivery for High Compliance Apps." The post specifically mentions Heroku's new support for HIPAA compliance: "Heroku Shield introduces new capabilities to Dynos, Postgres databases and Private Spaces that make Heroku suitable for high compliance environments such as healthcare apps regulated by the Health Insurance Portability and Accountability Act (HIPAA)." We can infer that some, but not all, of Heroku can be configured for HIPAA compliant service.
Does Heroku Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate. Since Heroku offers a BAA that is added to its Master Subscription Agreement, we conclude that Heroku can be configured to be a HIPAA compliant service.
Conclusion: Heroku can be configured to be HIPAA Compliant. Make sure you sign a BAA with Heroku first.