HIPAA Compliance on Heroku: Is Heroku HIPAA-Compliant?

7 min read

Updated: May 1, 2023

Flatirons is a full-stack development company that specializes in web applications. We have experience helping clients of all types, including small businesses and large, government agencies, non-profits, and more. Our clients include some of the largest companies in the world, including Fortune 500 companies.

Our specialty is building scalable applications using modern technologies like NodeJS, MongoDB, React/React Native, and Ruby on Rails. In addition to building robust, functional applications, we also specialize heavily in design, to help our clients always put their best foot forward.

Our focus has always been on product development rather than a platform, and for that reason, Heroku has been a godsend. Since starting our company over five years ago, we have leveraged Heroku in many successful projects, and we love it. Heroku allows us to work with numerous platforms and technologies while maintaining a stable and well-documented architecture and eliminating scaling issues. Most importantly, Heroku allows startups and companies without dedicated DevOps teams to easily setup and scale well-maintained architecture.

Flatironsis HIPAA-compliant, and we have built several healthcare applications from scratch to production ready. Not only can we create an application with HIPAA compliance features built-in, but we also offer to consult services to assist you with the implementation of HIPAA compliance into your existing systems.

Heroku helps to keep protected health information safe in a number of ways, one of which is its ability to easily create multiple environments with different configurations and data yet maintain core security features. It is flexible enough to handle both enterprise and startup environments with ease, and this flexibility is one of the things that Flatirons Development loves most.

Is Heroku HIPAA-Compliant?

There is good news and bad news on the HIPAA-compliance front when it comes to heroku. The good news is that yes, Heroku is HIPAA compliant. The bad news is that Heroku will only sign a Business Associate Agreement if your company is willing to use the Heroku Shield Private Spaces. These can be very expensive, and the cost is not approachable for many startups.

HIPAA Compliant Architecture Best Practices

Securing personal health information (PHI) or sensitive data is extremely important to every business that is subject to HIPAA. Some of the areas you need to consider when setting up new HIPAA architecture are:

  1. SSL & TSL Certification Management
  2. Access Controls (IAM permissions)
  3. Isolated Environments
  4. Access Controls and Permissions
  5. Network Security & Configuration
  6. Service Auditing & Logging
  7. Application Auditing & Logging

It is more than possible to setup HIPAA-compliant architecture directly on AWS. But, doing so requires a great deal of knowledge about the topics above and about the various services that AWS offers. This is not entry-level architecture. It will cost time and money to create and maintain.

This is one of the reasons that we love Heroku for HIPAA-compliant architecture. After you sign a Business Associate Agreement with Heroku and get a Heroku Shield Private Space, creating HIPAA-compliant architecture is basically as hard as flipping a switch. Heroku handles almost everything for you.

We are happy to work directly on AWS at Flatirons Development, but we believe that Heroku offers a compelling solution for companies that don’t want to spend a lot of time on setting up or managing servers and prefer working on building out their software products.

HIPAA Compliance on AWS vs. Heroku

Configuring HIPAA compliance on AWS can be a complicated affair, involving a multitude of different services within the AWS marketplace. The more complex the environment, the more care, and attention is needed to ensure compliance, often requiring a dedicated DevOps engineer to design, build and maintain. The below are minimum requirements for a basic reference architecture.

For auditing and logging:

  • Amazon CloudWatch for metric monitoring and threshold alarms.
  • AWS CloudTrail for AWS access logging.

For connectivity:

  • AWS Site-to-Site VPN or AWS Direct Connect to connect with AWS Transit Gateway.

For access control and alerting:

  • Amazon Simple Notification Service (Amazon SNS) for sending email alerts from alarms.
  • AWS Identity and Access Management (IAM) for access control and authorization.

For SSL management:

  • AWS Certificate Manager for issuing and maintaining SSL certificates.

For Database Management:

  • Amazon RDBS

And we haven’t even gotten to the servers yet. As you can see, AWS has a lot of moving parts that must all be configured properly and maintained separately.

Heroku, on the other hand, provides everything required to ensure compliance, and only requires some basic setup steps to ensure HIPAA compliance. One of the key features used to easily configure HIPAA and PCI compliance is Heroku’s Private Shield feature. All of the above-mentioned best practice architecture is pre-built and only needs to be configured (IPs provided, VPNs identified, etc…). Configuring AWS is by no means rocket science, but it does require a great deal more effort and focused experience than a pre-configured enterprise platform like Heroku, which regularly performs audits and maintains PCI, HIPAA, ISO, and SOC compliance.

Signing a Business Associate Addendum (BAA) with Heroku

Because Heroku is a HIPAA-compliant vendor, they will sign a BAA with you. Keep in mind that signing a BAA with Heroku does not mean that your application is HIPAA compliant. It means that if you follow rulers to be HIPAA compliant, and you use Heroku in a HIPAA compliant manner, then your application will be HIPAA compliant. This is the shared responsibility model.

Using Heroku Add-Ons and Third Party Services

When you use Heroku Private Shield for a HIPAA application, make sure that any add-on or third-party service that you use that could have access to PHI is HIPAA compliant. Furthermore, make sure you have a BAA in place before utilizing the service.

Regardless of what cloud infrastructure provider you use, you will need to make sure that third parties are HIPAA-compliant.

Heroku HIPAA Pricing

The cost of HIPAA compliance on Heroku can be prohibitive for some companies. The majority of the cost of HIPAA compliance on Heroku will be the Heroku Shield Private Space. These are billed annually and are very secure and isolated environments. We recommend contacting Heroku sales and seeing whether or not you can pay quarterly and if there is any room to budge on the Heroku Shield Private Space pricing. Who knows. In general, prepare to spend somewhere in the order of a few thousand dollars per month to meet the security requirements associated with PHI and customer data for HIPAA.

While this is expensive, truth be told AWS can get pretty pricey for a good setup of HIPAA-compliant architecture as well. When analyzing whether or not Heroku Private Spaces are worth the money, do a side-by-side comparison of your monthly costs on each. Some additional costs to consider will be Heroku PostgreSQL, Heroku Shield Private Dynos, and Heroku Data for Redis.

With the exception perhaps of Amazon S3 storage and permissions, Heroku literally takes care of all of these items for you. And, on AWS you will be managing the servers yourself, so be prepared to handle any issues or downtime manually. If you can, we feel that the extra cost of using Heroku for HIPAA is worth it.

Flatirons Development is a HIPAA-Compliant Software Vendor

Flatirons Development has a wealth of experience setting up HIPAA-compliant architecture, whether it’s on Heroku, AWS, or Google Cloud. We understand the security requirements for having a well-designed HIPAA architecture and have the knowledge and experience to help with the processes and best practices to ensure organizational compliance. Contact us for help.

More ideas.

Popular Apps Built with Flutter

Flatirons Development

Jun 13, 2023
transportation management system

Guide to Transportation Management System

Flatirons Development

Jun 12, 2023

Top 10 Web Programming Languages for 2024

Flatirons Development

Jun 09, 2023

Vehicle Routing Optimization Algorithms

Flatirons Development

Jun 05, 2023

The Top Node.js Backend Frameworks

Flatirons Development

Jun 02, 2023

The Difference Between Google Universal Analytics and GA4

Flatirons Development

May 29, 2023