Can I use Heroku and be HIPAA Compliant?

by Hoala Greevy, Founder CEO of Paubox

From time to time, we get asked by customers and prospects about Heroku and their ability to use it in a HIPAA compliant manner.

We know the healthcare industry regulated by HIPAA is vast, so we understand just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud providers and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Heroku offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Heroku

Heroku is a cloud Platform as a Service (PaaS). It supports several programming languages including Java, Node.js, Scala, Clojure, Python, PHP, and Ruby.

Known as one of the first cloud platforms, Heroku launched in 2007. In 2010, it was bought by Salesforce for $212 million.

Heroku and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Heroku’s site and found a page called Heroku Security, Privacy, and Compliance.

In it, Heroku states:

“Customers who want to build healthcare applications on Heroku that comply with US HIPAA can contact sales@heroku.com regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance.”

Heroku Shield for HIPAA Compliance

We also found a blog post from 6 June 2017 called “Introducing Heroku Shield: Continuous Delivery for High Compliance Apps.”

The post specifically mentions Heroku’s new support for HIPAA compliance:

“Heroku Shield introduces new capabilities to Dynos, Postgres databases and Private Spaces that make Heroku suitable for high compliance environments such as healthcare apps regulated by the Health Insurance Portability and Accountability Act (HIPAA).”

We can infer that some, but not all, of Heroku can be configured for HIPAA compliant service: the Shield capabilities apply to Dynos, Postgres databases and Private Spaces, so an application handling protected health information should be built on those components rather than on the standard offerings.

Does Heroku Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Heroku offers a BAA that would be added to their Master Subscription Agreement, we conclude that Heroku can be configured to be a HIPAA compliant service.


Conclusion: Heroku can be configured to be HIPAA Compliant. Make sure you sign a BAA with Heroku first.
