Can I use Heroku and be HIPAA compliant?


From time to time, we get asked by customers and prospects about Heroku and their ability to use it in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud providers and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Heroku offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Heroku

Heroku is a cloud Platform as a Service (PaaS). It supports several programming languages including Java, Node.js, Scala, Clojure, Python, PHP, and Ruby.

Known as one of the first cloud platforms, Heroku launched in 2007. In 2010, it was bought by Salesforce for $212 million.

Heroku and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Heroku’s site and found a page called Heroku Security, Privacy, and Compliance.

In it, Heroku states:

“Customers who want to build healthcare applications on Heroku that comply with US HIPAA can contact [email protected] regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance.”

Heroku Shield for HIPAA Compliance

We also found a blog post from 6 June 2017 called “Introducing Heroku Shield: Continuous Delivery for High Compliance Apps.”

The post specifically mentions Heroku’s new support for HIPAA compliance:

“Heroku Shield introduces new capabilities to Dynos, Postgres databases and Private Spaces that make Heroku suitable for high compliance environments such as healthcare apps regulated by the Health Insurance Portability and Accountability Act (HIPAA).”

We can infer that some, but not all, of Heroku’s offerings can be configured for HIPAA compliant service.

Does Heroku Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate.

Since Heroku offers a BAA that would be added to their Master Subscription Agreement, we conclude that Heroku can be configured to be a HIPAA compliant service.


Conclusion: Heroku can be configured to be HIPAA Compliant. Make sure you sign a BAA with Heroku first.


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
