HIPAA Compliance on Heroku: Is Heroku HIPAA-Compliant?

Is Heroku HIPAA-Compliant?

There is good news and bad news on the HIPAA-compliance front when it comes to heroku. The good news is that yes, Heroku is HIPAA compliant. The bad news is that Heroku will only sign a Business Associate Agreement if your company is willing to use the Heroku Shield Private Spaces. These can be very expensive, and the cost is not approachable for many startups.

HIPAA Compliant Architecture Best Practices

Securing personal health information (PHI) or sensitive data is extremely important to every business that is subject to HIPAA. Some of the areas you need to consider when setting up new HIPAA architecture are:

1. SSL & TSL Certification Management
2. Access Controls (IAM permissions)
3. Isolated Environments
4. Access Controls and Permissions
5. Network Security & Configuration
6. Service Auditing & Logging
7. Application Auditing & Logging

It is more than possible to setup HIPAA-compliant architecture directly on AWS. But, doing so requires a great deal of knowledge about the topics above and about the various services that AWS offers. This is not entry-level architecture. It will cost time and money to create and maintain.

This is one of the reasons that we love Heroku for HIPAA-compliant architecture. After you sign a Business Associate Agreement with Heroku and get a Heroku Shield Private Space, creating HIPAA-compliant architecture is basically as hard as flipping a switch. Heroku handles almost everything for you.

We are happy to work directly on AWS at Flatirons, but we believe that Heroku offers a compelling solution for companies that don’t want to spend a lot of time on setting up or managing servers and prefer working on building out their software products.

HIPAA Compliance on AWS vs. Heroku

Configuring HIPAA compliance on AWS can be a complicated affair, involving a multitude of different services within the AWS marketplace. The more complex the environment, the more care, and attention is needed to ensure compliance, often requiring a dedicated DevOps engineer to design, build and maintain. The below are minimum requirements for a basic reference architecture.

For auditing and logging:

For connectivity:

For access control and alerting:

For SSL management:

For Database Management:

And we haven’t even gotten to the servers yet. As you can see, AWS has a lot of moving parts that must all be configured properly and maintained separately.

Heroku, on the other hand, provides everything required to ensure compliance, and only requires some basic setup steps to ensure HIPAA compliance. One of the key features used to easily configure HIPAA and PCI compliance is Heroku’s Private Shield feature. All of the above-mentioned best practice architecture is pre-built and only needs to be configured (IPs provided, VPNs identified, etc…). Configuring AWS is by no means rocket science, but it does require a great deal more effort and focused experience than a pre-configured enterprise platform like Heroku, which regularly performs audits and maintains PCI, HIPAA, ISO, and SOC compliance.

Signing a Business Associate Addendum (BAA) with Heroku

Because Heroku is a HIPAA-compliant vendor, they will sign a BAA with you. Keep in mind that signing a BAA with Heroku does not mean that your application is HIPAA compliant. It means that if you follow rulers to be HIPAA compliant, and you use Heroku in a HIPAA compliant manner, then your application will be HIPAA compliant. This is the shared responsibility model.

Using Heroku Add-Ons and Third Party Services

When you use Heroku Private Shield for a HIPAA application, make sure that any add-on or third-party service that you use that could have access to PHI is HIPAA compliant. Furthermore, make sure you have a BAA in place before utilizing the service.

Regardless of what cloud infrastructure provider you use, you will need to make sure that third parties are HIPAA-compliant.

Heroku HIPAA Pricing

The cost of HIPAA compliance on Heroku can be prohibitive for some companies. The majority of the cost of HIPAA compliance on Heroku will be the Heroku Shield Private Space. These are billed annually and are very secure and isolated environments. We recommend contacting Heroku sales and seeing whether or not you can pay quarterly and if there is any room to budge on the Heroku Shield Private Space pricing. Who knows. In general, prepare to spend somewhere in the order of a few thousand dollars per month to meet the security requirements associated with PHI and customer data for HIPAA.

While this is expensive, truth be told AWS can get pretty pricey for a good setup of HIPAA-compliant architecture as well. When analyzing whether or not Heroku Private Spaces are worth the money, do a side-by-side comparison of your monthly costs on each. Some additional costs to consider will be Heroku PostgreSQL, Heroku Shield Private Dynos, and Heroku Data for Redis.

With the exception perhaps of Amazon S3 storage and permissions, Heroku literally takes care of all of these items for you. And, on AWS you will be managing the servers yourself, so be prepared to handle any issues or downtime manually. If you can, we feel that the extra cost of using Heroku for HIPAA is worth it.

Flatirons is a HIPAA-Compliant Software Vendor

Flatirons provides custom healthcare software services and has a wealth of experience setting up HIPAA-compliant architecture, whether it’s on Heroku, AWS, or Google Cloud. We understand the security requirements for having a well-designed HIPAA architecture and have the knowledge and experience to help with the processes and best practices to ensure organizational compliance. Contact us for help.