
HIPAA

Active version 1.0 | Updated 23 September 2025

Please refer to our Compliance Guidance page for an overview of our HIPAA-compliant cloud hosting and overall compliance program, including security & compensating controls, and a general allocation of responsibility.

Overview

Upsun provides a Platform as a Service (PaaS) solution that our customers may use for applications requiring HIPAA compliance. All HIPAA workloads will run on the US-4 region.

Upsun has SOC 2 Type 2 and PCI certifications. As a part of those third-party audits, we have been audited on overlapping HIPAA controls. Independent third-party audits provide an external examination of the controls we have implemented on our infrastructure and operations and ensure Upsun’s commitment to complying with information security standards and industry best practices.

Please note that there is no certification recognized by the US Department of Health & Human Services for HIPAA compliance. Thus, complying with HIPAA is a shared responsibility between the customer and Platform.sh.

Responsibility

Customers who want to run healthcare workloads on Platform.sh must agree to the following:

  • The Customer must sign up for our Dedicated offering or Grid offering, with Grid being part of a bundled plan.
  • The Customer must sign a Business Associate Agreement with Platform.sh.
  • The Customer implements the relevant controls contained in the Platform.sh HIPAA Shared Responsibility Matrix (Excel). This document provides guidance on shared responsibilities required to achieve HIPAA compliance.
  • The Customer is solely responsible for any of its applications’ security.
  • The Customer must run HIPAA workloads on the HIPAA designated region and is responsible for managing access to all environments that are included in the HIPAA designated region.
  • The Customer must use Fastly WAF or a Platform.sh-approved equivalent HIPAA-compliant WAF.
  • The Customer will perform, at a minimum on an annual basis, penetration testing and vulnerability scanning against their projects in accordance with industry standards, and will remediate findings in an expedited manner.
  • The Customer needs to redeploy applications regularly in order to pick up patches.

While Upsun provides a secure and compliant infrastructure for HIPAA projects, the customer is responsible for ensuring that the environment and applications that they host on Upsun are properly configured and secured according to HIPAA requirements. Failure to do so results in a non-compliant customer environment.

Customers can contact their Upsun Account Manager to request a Business Associate Agreement or for more information regarding our HIPAA offering.

© 2025 Platform.sh. All rights reserved.