
There's a recent startup out of YC which seems interesting called Truevault.com, which allows you to store JSON documents in their database via an API and is HIPAA compliant.

I am working on a healthcare app, and am wondering which is a better strategy in terms of HIPAA compliance:

1) Heroku + Truevault - easier deployment initially, but Heroku won't sign a Business Associate Agreement, so I'm not sure if this is truly HIPAA compliant even if I don't store PHI on the Heroku server or only store it there temporarily.

2) Run everything on Amazon EC2 - Amazon will sign a BAA, so no issue here, but I will have to do server maintenance myself (I'd rather not).

3) Heroku + Amazon S3 as the database - run the server on Heroku but store everything on S3, with Amazon signing the BAA.

Does anyone with experience know which would be the most compliant yet practical? Thanks in advance.

Dave Tsay
  • This article discusses several different approaches to deploying HIPAA-compliant software: http://innolitics.com/articles/deploying-hipaa-compliant-software/ . Regarding (1) and (3), if Heroku has access to unencrypted PHI, you need a BAA with them. You can get around this by having your web app talk to Truevault directly. See item six in the link. I think (2) is probably your best bet. – jdg Jun 11 '18 at 17:33

2 Answers

Aptible are working on a platform to do exactly that, i.e. automating HIPAA compliance where possible, training you on the stuff you need to do yourself, and letting you build systems on standard databases and ecosystems. They're in private beta at the moment.

Disclaimer: I'm not associated with them, but I did meet the founders today and they're an approachable, clever bunch.

Emerson Farrugia

Without knowing specifics about how your application works, it's likely that you will have to run all of your application on EC2 and other Amazon Web Services.

Heroku nodes are basically EC2 instances with a bit of automation on top, making it more of a platform than infrastructure. However, if you are working in a field that requires legal compliance on how your data is handled, not having full control may be a bad thing. You can do much of the automation Heroku does with tools like Chef and Puppet.

Also, if you do use EC2, make sure your infrastructure is configured in a VPC; that is the way to go. It adds a bit of extra work, but gives you more control over network access to different instances.

S3 is not really a database, it's an object store. It's basically a key/value store with keys that look like file paths. And it can store some very, very large values.

datasage
  • Thanks - this is sort of what I suspected, but I'd love to find a solution that requires less server maintenance. So I suppose that, using an API such as Truevault, my main application would need to run on a local server. – Dave Tsay Apr 04 '14 at 11:58
  • @DaveTsay Even if you use Truevault to store the more sensitive data, you will likely need to have a database running locally for other parts of your application. – datasage Apr 04 '14 at 12:49
  • @DaveTsay, check out www.atlashealth.com, specifically the Managed Cloud offering (I'm on the management team and a founder). You'll get a fully managed AWS environment which we set up and maintain, so that all you have to worry about are deployments. The cost of the service is $199 per month (plus AWS usage fees, excluding the $2 dedicated fee surcharge, which we cover). We sign BAAs too. – Phil Misiowiec Apr 16 '14 at 21:30
  • We also offer an API for storage and other data needs, but it's better suited to specific use cases, such as mobile apps. In the case of a web application, PHI will likely flow through the entire stack. Therefore, even if you're passing off the data to an API, the service handling the post-back (e.g. Heroku) would be considered a HIPAA subcontractor per the recent "omnibus" rule and would need to sign a BAA. – Phil Misiowiec Apr 16 '14 at 21:33