Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health info.
HIPAA compliance involves a number of different areas, including more than just technology. Specifically regarding the technology requirements within HIPAA, there are a bunch of requirements, but the one that you most obviously can't meet with Heroku is this one:
164.314 Organizational requirements. (B) In accordance with 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section;
You need a BAA from Heroku. HIPAA doesn't distinguish between encrypted and unencrypted data when it defines subcontractors and business associates. For a good sense of all that is required of HIPAA, here's a comprehensive list - https://catalyze.io/hipaa/. Hope that helps.