Did you know? HIPAA on Engine Yard

This is the first in a series of blog posts, intended to shed some light on features of the Engine Yard Platform. Engine Yard has a number of features and functions that many of our clients don’t know about, many of which can provide vast benefits.

HIPAA, or the Health Insurance Portability and Accountability Act, is a compliance act meant to help protect U.S. patient data in this ever-changing technological world. Any company that provides healthcare treatment (a covered entity) or has access to patient data (a business associate) must adhere to HIPAA compliance. Figuring out who is a covered entity is easy, since it is most often the company offering health coverage or services, while the business associate might be a bit more complicated. Many healthcare applications in the cloud today must adhere to HIPAA compliance since they qualify as the business associate. There are a few ways in which Engine Yard can help an online healthcare company achieve HIPAA compliance.

Part of HIPAA compliance states that all PHI (protected health information) must be stored on dedicated VM’s, as well as have the data encrypted. The first task is easily accomplished, since the Engine Yard platform allows dedicated VMs to be provisioned by just enabling a feature flag. If you are a healthcare company looking to use Engine Yard for your application management, just open a ticket to get access to these VMs. For the second part, Engine Yard clients can boot up these dedicated VMs with encrypted EBS volumes attached to them, where all client data will reside. This takes care of the vital “encryption of data at rest” part of HIPAA compliance right out of the box, simply check “use encrypted volumes” when choosing your instance types and you’re one step closer to HIPAA compliance. It is important to remember that applications are still required to have a solution for encrypting the data in transit, which is best accomplished at the app-layer.

Engine Yard has also passed the SOCII Type 2 audit, and is willing to sign a BAA (a Business Associate Agreement) with any clients who are in need of becoming HIPAA compliant. In the world of HIPAA, any company that might have access to PHI data becomes another covered entity, meaning a BAA must be signed all the way down the chain in order to achieve compliance. For example, if you were passing any PHI data to a third party a signed BAA would be required with that party. However, Engine Yard has taken care of all of the parts of the chain beyond us, so when a client signs a BAA with Engine Yard, it then extends to AWS. Essentially making it so you only need to have one BAA signed for the entire chain to be covered. Any clients who are looking to obtain a copy of the SOCII Type 2 audit report or looking to have a BAA signed need simply to open a support ticket.

In the end, creating an application that adheres to HIPAA compliance is complicated, and sometimes a headache. With features Engine Yard has made available to you, getting there will be much less of a burden. There are still some aspects of HIPAA compliance that you will need to take on yourself, but with the automation of the Engine Yard Platform and the support of our customer success team you’re one step closer to protecting your customer’s PHI.

If you have any questions around how to get a HIPAA compliant application up and running on Engine Yard, please send an email to [email protected] or file a ticket.