From time to time, customers and prospects ask us whether Heroku can be used in a HIPAA-compliant manner.
The healthcare sector is vast, so we understand how many organizations in it need to use cloud-based services.
In previous posts, we’ve covered the following cloud providers and their support for HIPAA compliance:
The purpose of this post is to determine whether Heroku offers a HIPAA-compliant service.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Heroku
Heroku is a cloud Platform as a Service (PaaS). It supports several programming languages including Java, Node.js, Scala, Clojure, Python, PHP, and Ruby.
Known as one of the first cloud platforms, Heroku launched in 2007. In 2010, it was bought by Salesforce for $212 million.
Heroku and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. HIPAA requires one whenever a Business Associate creates, receives, maintains, or transmits Protected Health Information (PHI) on the Covered Entity’s behalf, and a cloud provider that hosts PHI falls into that category.
We checked Heroku’s site and found a page called Heroku Security, Privacy, and Compliance.
In it, Heroku states:
“Customers who want to build healthcare applications on Heroku that comply with US HIPAA can contact sales@heroku.com regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance.”
Does Heroku Offer HIPAA Compliant Service?
The Business Associate Agreement is a necessary component of HIPAA compliance between a Covered Entity and a Business Associate, but it is not sufficient on its own.
Since Heroku offers a BAA as an addendum to its Master Subscription Agreement, we conclude that Heroku can be used as part of a HIPAA-compliant service. The BAA covers Heroku’s obligations as a Business Associate; the customer remains responsible for the HIPAA Security Rule safeguards in its own application, such as access controls, encryption of PHI, audit logging, and a documented risk analysis, and should confirm with Heroku which services and add-ons the addendum actually covers before placing PHI in them.
Conclusion: Heroku can be configured to be HIPAA compliant. Make sure you sign a BAA with Heroku before storing any PHI on the platform, and treat that BAA as the starting point for your compliance work, not the end of it.