by kgosser 3927 days ago
You are correct in understanding there is a bifurcation between the infrastructure and application levels. You, as the software developer, will be largely responsible for the application-level security and privacy. The infrastructure obligations are extremely complex and go much deeper than you might imagine upon first blush.

For the ease of math, let's say at the infrastructure level it takes "10" things to be HIPAA compliant. An IaaS vendor like AWS will do about 1/10th of it, and do it very well. Mostly the firewall and physical safeguards. They do sign a BAA and claim to be HIPAA Compliant, but you need to keep in mind that it's only for a fraction of what you're ultimately responsible for. The other 9/10ths is nontrivial. It includes things like encryption, monitoring, vulnerability scanning, breach policies, how you handle your logs. Lots of things.

The difference between hosting on AWS vs. hosting on Heroku will be how many of those 9/10ths Heroku will automate for you, and then—here's the kicker—that they agree to in their Business Association Agreement with you. Even if they do the other 9/10ths, if they won't sign a BAA with you, then you're still at risk.

In essence AWS is an IaaS vendor who will sign a BAA that does a few compliant things, but you still have a long long journey ahead of you. You could build your own, certainly, on either AWS or Heroku. You could also look for a HIPAA Compliant Platform as a Service (PaaS) who automates the other 9/10ths and then signs a BAA for those things. The company I work for, Catalyze, is just that. We basically are the other 9/10ths on top of AWS, sign a BAA for it, and stand behind you with a HITRUST Certification.

The guide we wrote up on HIPAA Compliance might be of use to you: https://catalyze.io/hipaa-compliance. Also, our Academy entries might be helpful to understand the complexities: https://catalyze.io/learn.

For some super nerdy technical explanations, take a look at how Catalyze approaches the other "9/10ths" here: https://hipaa.catalyze.io