HIPAA Compliant Hosting
*This guide is for informational purposes only and does not constitute legal advice. Organizations are responsible for their own HIPAA compliance programs and should consult qualified legal or compliance professionals as needed.*
Introduction
When building a health tech startup, HIPAA compliance is not optional. HIPAA is a federal law, and if your product handles PHI, its requirements apply from day one. The infrastructure you choose to host sensitive patient data directly affects how fast you can move, how much operational work compliance requires over time, and how prepared you’ll be for enterprise security reviews as you grow.
Let’s explore where common platform as a service (PaaS) offerings fall short on HIPAA requirements, where they help, and what actually matters for startups handling PHI.
What is a Platform as a Service (PaaS)?
PaaS providers offer managed cloud environments that handle infrastructure, networking, and deployment pipelines. Startups use these to build and ship applications quickly without needing to manage servers or configurations themselves.
For healthcare startups, the right PaaS must also meet stringent HIPAA and HITECH requirements, protecting electronic protected health information (ePHI) through secure configurations, encryption, and access controls.
What is HIPAA compliance?
HIPAA compliance means meeting the legal requirements of the Health Insurance Portability and Accountability Act for protecting PHI on an ongoing basis, which includes:
Administrative, physical, and technical safeguards (HHS Security Rule Summary)
Secure data encryption in transit and at rest
Access management and audit logging
Breach notification and risk management policies
HIPAA does not prescribe specific technologies. It requires organizations to implement reasonable and appropriate safeguards based on their risk profile.
👉 Learn more in our full guide to HIPAA compliance for startups.
The role of certification and auditing in HIPAA compliant hosting
Demonstrating HIPAA compliance often involves independent verification, even though HIPAA itself does not require formal certification. That is where third-party certifications and audits come in.
Why certifications matter
SOC 2 Type II reports (issued under the AICPA Trust Services Criteria) and ISO 27001 certification demonstrate that a provider’s internal controls and security operations have been independently validated. HITECH is different in kind: it is not a certification but the 2009 law that extended HIPAA’s security and breach-notification obligations directly to business associates and raised enforcement penalties, so a provider described as “HITECH-audited” has been assessed against those obligations rather than awarded a certificate.
These certifications are not vanity badges; they provide independent evidence that a hosting provider’s security controls are designed and operating as intended.
Example: a SOC 2 Type II report attests that operational controls operated effectively over a review period (typically 6 to 12 months), while ISO 27001 certification attests that an information security management system (ISMS) is in place and manages information-security risk systematically.
What certifications mean for startups
While not required by HIPAA, certifications like SOC 2 and ISO 27001 are commonly requested by enterprise customers as signals of security maturity. For startups, this translates into several concrete business and operational benefits:
Reduced security-review burden. Enterprise customers can often streamline audits when your infrastructure is already SOC 2 Type II or ISO certified.
Faster sales cycles. Independent verification accelerates vendor-risk approvals.
Peace of mind. Audited environments ensure consistent, repeatable security standards.
The audit process: continuous, not one-and-done
Independent third-party auditors and assessors review operational controls, evaluate technical safeguards, and test processes related to security and compliance over time.
This ongoing review helps ensure the provider’s environment continues to operate as designed as threats evolve and requirements change. These audits do not determine HIPAA compliance, but they provide evidence that security controls are operating consistently and as documented.
Key certifications at a glance
Certification | Overseen by | Focus | Relevance to HIPAA |
|---|---|---|---|
SOC 2 Type II | AICPA | Security, availability, confidentiality | Verifies control effectiveness over time |
ISO 27001 | ISO/IEC | Global information-security standard | Validates ISMS maturity |
AICPA Trust Services Criteria (formerly Trust Service Principles) | AICPA | Audit framework used for SOC 2 reports | Defines security and availability controls |
HITECH (a law, not a certification) | HHS Office for Civil Rights | Data protection, enforcement | Strengthens HIPAA through auditability and breach-notification requirements |
Shared responsibility and certifications
When evaluating a hosting provider, it’s important to understand what their certifications do and do not cover.
A hosting provider’s certifications (such as SOC 2 or ISO 27001) apply to the provider’s own systems, infrastructure, and internal controls. They do not extend to your application logic, data flows, or operational processes.
You remain responsible for how your application handles PHI and for implementing appropriate administrative and application-level safeguards.
Aptible reduces a significant portion of the infrastructure-level shared responsibility by providing pre-configured security controls, monitoring, and encryption, along with audit evidence for those controls.
Understanding business associate agreements (BAAs)
While certifications and audits help demonstrate that security controls are operating as intended, they do not create legal obligations under HIPAA. That legal obligation is established through a business associate agreement (BAA), which governs how PHI is handled and allocates responsibility between you and your hosting provider.
A BAA is not optional. Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on your behalf (a business associate, which includes your hosting provider) must sign one before it handles that data.
It outlines how PHI is safeguarded, who is responsible for what, and what happens in a breach.
In short, a BAA is a required legal agreement for HIPAA-compliant hosting relationships, but it does not by itself make an organization compliant. Without a BAA, a provider cannot legally handle PHI on your behalf, regardless of how secure the infrastructure appears.
What a BAA does and does not cover
A strong BAA defines:
Security responsibilities: who manages encryption, backups, and access (Sections 3.3, 4.1, and 4.2 of Aptible’s BAA)
Breach-notification protocols: how and when the provider reports incidents to you, so that you can meet your own notification obligations to HHS and affected individuals (Section 3.4.1 of Aptible’s BAA)
Sub-contractor requirements: the provider must have BAAs with all subcontractors who may access PHI (Section 3.5 of Aptible’s BAA)
Responsibility allocation: how obligations are divided between you and the provider in the event of a breach or security incident (Section 4 of Aptible’s BAA)
How Aptible’s BAA works in practice
Aptible’s BAA:
Applies only to Dedicated Environments used to process PHI
Requires Aptible to implement reasonable and appropriate safeguards for ePHI
Commits to breach notification within two calendar days of discovery
Requires subcontractors to meet equivalent privacy and security obligations
Explicitly states that using Aptible alone does not ensure HIPAA compliance
Customers remain responsible for application-level controls, policies, training, risk assessments, and how PHI is handled within their applications.
✍️ NOTE: A signed BAA does not absolve you of HIPAA responsibility. Covered entities must still implement proper administrative, physical, and technical safeguards.
BAAs and shared responsibility in the cloud
In multi-tenant or shared environments, providers typically handle infrastructure compliance, while you handle application-level safeguards. The BAA clarifies this balance and helps startups avoid gaps.
Why BAAs are a differentiator for startups
Many PaaS providers limit BAAs to higher-tier, organization, or enterprise plans, which can make early HIPAA compliance more expensive or operationally complex for startups. Aptible includes a signed BAA with every paid plan that supports PHI.
Provider | BAA availability | Notes |
|---|---|---|
Heroku | Enterprise only | Requires Shield add-on |
Vercel | Enterprise or Pro | Customer manages most safeguards |
Render | Organization or Enterprise | Requires HIPAA-enabled workspace and surcharge |
Railway | By request | Shared-responsibility model |
Aptible | Included | No contract required |
What to look for in a BAA (startup checklist)
Clear definition of PHI and services in scope
Breach-notification timelines (≤ 60 days)
Sub-contractor compliance obligations
Shared-responsibility breakdown, including how obligations are divided in a breach or security incident
Data deletion or return procedures at termination
Aptible’s BAA clearly defines PHI scope, limits PHI processing to dedicated environments, requires equivalent safeguards from subcontractors, commits to breach notification within two calendar days, and outlines return or destruction of PHI upon termination. It also explicitly clarifies shared responsibility, stating that customers remain responsible for application-level and administrative safeguards.
The BAA in action: incident response and beyond
In a security incident, your BAA governs how the provider reports the incident, how both parties cooperate during investigation and remediation, and what information is shared to support required notifications to HHS and affected individuals.
The limits of a BAA and your next steps
A signed BAA is required to legally share PHI with a service provider, but it doesn’t make your organization HIPAA compliant on its own.
Even with a BAA in place, startups remain responsible for how PHI is handled within their own applications and operations. This includes ensuring PHI is not leaking into logs, analytics tools, development environments, or third-party services, and that access to PHI is appropriately restricted and auditable.
After signing a BAA, startups should still:
Conduct regular risk assessments and document remediation plans
Implement and maintain application-level security controls
Train staff on HIPAA policies and incident response procedures
Monitor audit logs and access patterns
Review provider documentation and certifications on an ongoing basis
Understanding shared responsibility in practice
In a HIPAA-compliant architecture, responsibilities are divided across infrastructure and application layers. Aptible manages and operates a wide range of infrastructure-level security controls, including network isolation, host hardening, logging, backups, intrusion detection, and encryption.
Customers remain responsible for application-level controls such as authentication, authorization, PHI access logging, secure data flows, dependency management, and how PHI is used within business logic.
Aptible documents this division of responsibility in detail so customers can clearly understand what the platform covers and where their own obligations begin.
Learn more about Aptible’s security division of responsibilities here.
The compliance gap: how major PaaS providers handle HIPAA
Heroku: HIPAA support available in enterprise tier
Heroku offers its Heroku Shield platform for HIPAA- and PCI-eligible workloads as part of its Enterprise product line. A brief rundown 👇
HIPAA with Heroku
Feature | Availability |
|---|---|
Isolated Environments | ✔ Available (Heroku Private Spaces) |
Offers BAAs | ✔ Available (Enterprise only) (Heroku security and compliance overview) |
Supports technical safeguards | ✔ Available (Shield Postgres, private dynos) |
Automated compliance safeguards | ⚠ Limited, largely customer managed |
Startup-friendly pricing | ❌ Enterprise only |
HIPAA available with no contract/commitment | ❌ Contract required |
Security and compliance reporting | ⚠ Limited reporting |
Compliance support | ❌ Not built in |
Things to keep in mind:
Heroku Shield provides private, isolated networks for HIPAA- and PCI-eligible workloads.
BAAs are available only to Enterprise customers under contract.
Shield includes additional controls such as Shield Postgres and private dynos.
Shield is priced at a premium and is typically only accessible to Enterprise customers, making early adoption difficult for startups.
Render: HIPAA compliance now supported, with caveats
Render now offers HIPAA-enabled workspaces and supports signed BAAs for customers on Organization or Enterprise plans. However, the service still requires customers to manage application-level safeguards and includes usage-based fees.
HIPAA with Render
Feature | Availability |
|---|---|
Isolated Environments | ✔ Available (HIPAA-enabled workspaces) |
Offers BAAs | ✔ Available via dashboard workflow |
Supports technical safeguards | ✔ Available (encryption, access restrictions) |
Automated compliance safeguards | ⚠ Partial, customer managed |
Startup-friendly pricing | ⚠ Minimum $250 per month plus 20% surcharge |
HIPAA available with no contract/commitment | ⚠ Requires Organization or Enterprise plan |
Security and compliance reporting | ✔ Audit logs and private networking (Render HIPAA best practices) |
Compliance support | ❌ Not included |
Things to keep in mind:
Customers can enable HIPAA compliance directly in workspace settings.
A 20% surcharge applies to all usage in HIPAA-enabled workspaces.
A BAA is provided after completing the activation flow.
Application-level safeguards remain the customer’s responsibility.
Once enabled, HIPAA compliance cannot be turned off for that workspace.
Vercel: HIPAA compliance supported, with shared responsibility
Vercel supports HIPAA workloads, offers BAAs, and maintains a published shared responsibility model. Pro plans now allow self-serve BAA signing.
HIPAA with Vercel
Feature | Availability |
|---|---|
Isolated Environments | ⚠ Partial support on Pro or Enterprise plans |
Offers BAAs | ✔ Available, including Pro self-serve (Vercel changelog) |
Supports technical safeguards | ✔ Available, customer responsible for app controls |
Automated compliance safeguards | ⚠ Partial |
Startup-friendly pricing | ⚠ Mixed, Pro plan access but limited scope |
HIPAA available with no contract/commitment | ✔ For Pro teams, Enterprise optional |
Security and compliance reporting | ✔ SOC 2 and encryption documentation available |
Compliance support | ❌ Not provided |
Things to keep in mind:
Pro users can sign a BAA without upgrading to Enterprise.
Vercel’s shared responsibility model means customers must secure their own data flows and access.
SOC 2 and other compliance reports are available for Enterprise customers.
Startup access is better than before, but diligence is still required.
Railway: HIPAA eligible under shared responsibility
Railway acknowledges HIPAA and offers a compliance overview, but its model is heavily shared, and BAAs are handled by request only.
HIPAA with Railway
Feature | Availability |
|---|---|
Isolated Environments | ✔ Available in certain configurations |
Offers BAAs | ⚠ Available upon request |
Supports technical safeguards | ⚠ Customer responsible for implementation |
Automated compliance safeguards | ⚠ Limited |
Startup-friendly pricing | |
HIPAA available with no contract/commitment | |
Security and compliance reporting | |
Compliance support | ❌ Not offered |
Things to keep in mind:
HIPAA eligibility exists under a shared responsibility model.
Customers must verify controls and handle many safeguards themselves.
BAAs are available but not fully documented publicly.
Suitable for teams with strong internal compliance management.
Aptible: HIPAA compliance built in from day one
Unlike the platforms above, Aptible treats HIPAA as a foundational legal and operational requirement, not a premium add-on. Aptible signs a BAA as part of its baseline Production plan at $499 per month, which includes most of the infrastructure-level technical controls required for HIPAA and the audit evidence for them, with expert support to guide the rest. A brief rundown 👇
HIPAA with Aptible
Feature | Availability |
|---|---|
Isolated Environments | ✔ Available |
Offers BAAs | ✔ Included (Aptible BAA overview) |
Supports technical safeguards | ✔ Default |
Automated compliance safeguards | ✔ Default |
Startup-friendly pricing | ✔ $499/month base fee; Startup Program with free credits for your first 6 months |
HIPAA available with no contract/commitment | ✔ Default |
Security and compliance reporting | ✔ Included (Aptible security reports) |
Compliance support | ✔ Available |
Things to keep in mind:
Compliance included by default: Every Aptible Production plan includes a signed BAA and HIPAA-ready infrastructure.
Automation reduces risk: Encryption, backups, intrusion detection, and access controls are configured automatically.
Audit ready from day one: SOC 2 Type II and HITECH-audited systems provide built-in evidence for vendor risk reviews (AICPA SOC 2).
Startup friendly pricing: startups can apply to the Startup Program for 6 months of credits, equivalent to half off the Production plan over that period.
End to end support: Aptible offers migration assistance, compliance support, and 24/7 monitoring to keep startups secure and audit ready as they grow.
Cost and pricing considerations for HIPAA-compliant hosting
Pricing for HIPAA-compliant hosting varies widely and so does what is actually included.
The right provider can reduce total cost by bundling compliance and infrastructure management.
Managed vs DIY compliance costs
Public clouds like AWS or GCP offer HIPAA-eligible infrastructure, but customers are responsible for configuring, operating, and maintaining compliance controls.
Aptible’s managed compliance automates encryption, logging, access control, and backups, saving startups thousands of dollars in engineering time per year.
While public cloud options might look cheaper up front, the real cost of DIY HIPAA compliance is often much higher in both time and money.
Example cost scenarios
Scenario | Description | Monthly cost | Compliance responsibility |
|---|---|---|---|
DIY on AWS or GCP | Self-managed HIPAA configuration | $200–$800+ in direct infrastructure costs, plus substantial ongoing engineering and compliance labor | 100% yours |
Heroku Shield | Enterprise-only HIPAA plan | $350 – $5,000+ | Shared |
Aptible | Automated HIPAA platform | $499+ | Infrastructure-automated |
Quantifying administrative overhead savings
Many early-stage teams report spending 30 to 40 hours per month maintaining infrastructure-related compliance controls.
Using a conservative fully loaded cost of $100–$150 per hour (based on all-in engineering or SRE compensation), that’s $3,000 to $6,000 per month in ongoing infrastructure-related compliance work. In practice, this work often falls on senior engineers or SREs, whose fully loaded costs can exceed these estimates, especially in regulated environments.
Aptible’s automated platform eliminates most of that manual work at the infrastructure layer, allowing teams to redirect expensive engineering time toward product development instead of compliance maintenance.
Customization and flexibility: cost vs compliance risk
Some hosts emphasize custom server clusters at higher prices.
Aptible delivers scalable, pre-secured dedicated stacks that balance flexibility with automated compliance, with no custom setup fees and no hand-built configuration to get wrong.
Migration costs: hidden or included
Many low-cost providers charge extra for migration or setup.
Aptible includes secure migration support and onboarding in every plan, saving time and preventing compliance gaps.
Migration and implementation: a startup-friendly roadmap
*The following is an example framework, not legal advice. Actual requirements depend on your architecture, risk profile, and legal obligations.*
Here’s a practical, step-by-step template for how to launch on a HIPAA-compliant platform with minimal risk and downtime.
Step-by-step HIPAA migration checklist
Phase 0: Prep (1 to 2 weeks)
This prep phase is about clarity, not perfection. The goal is to understand what you have today so you can migrate safely without surprises.
Define scope and data inventory: identify what data you collect, where PHI enters your system, where it’s stored, and which environments (production, staging, backups, logs) may contain it.
Establish a risk assessment baseline: document your current architecture, identify obvious risks (for example, PHI in logs or overly broad access), and note what will be addressed during or after migration.
Map shared responsibility: clearly understand which security and compliance responsibilities are handled by your hosting provider and which remain your responsibility at the application and operational level.
Set success criteria: define what “done” looks like for the migration, such as PHI fully isolated in production, access controls enforced, audit logs enabled, and a signed BAA in place.
Phase 1: Environment Readiness
Provision isolated environment, configure IAM (SSO/MFA), centralize logs, and enable automated backups.
Phase 2: Test Migration
Load sanitized data, validate controls, verify BAA execution.
Phase 3: Production Cutover
Perform final backup, encrypted transfer, and staged deployment.
Phase 4: Post-Migration Hardening
Audit logs and access, update runbooks, and schedule regular risk assessments.
Roles and shared responsibility during migration
Provider (Aptible): infrastructure-level security controls including network isolation, host hardening, centralized logging, backups, intrusion detection, encryption, and infrastructure incident response.
Customer (you): application-level security controls, including authentication and authorization, PHI access logging, dependency and vulnerability management, protection of credentials and secrets, staff training, and policy management.
During migration, aligning on this division of responsibility early helps prevent common HIPAA failure modes, such as PHI leaking into logs, analytics tools, or improperly secured services.
See here for a detailed breakdown of Aptible’s security division of responsibilities.
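Two of the customer-side obligations named above (keeping PHI out of application logs, and logging PHI access so it is auditable) are the ones most often missed in practice. The block below is an added example, not Aptible code and not part of the original guide: a redacting log filter that scrubs PHI from log records (including values passed as format arguments) and a helper that emits PHI-access audit events carrying identifiers and context rather than PHI values. The `PHI_FIELDS` list, the regex patterns, and the request body and event values are assumptions constructed for the example; derive yours from the data inventory in Phase 0.

```python
import json
import logging
import re
from datetime import datetime, timezone

# Field names treated as PHI. This list is an assumption for the example;
# derive yours from the data inventory built in Phase 0.
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "address", "phone", "email", "diagnosis"}

# Patterns for PHI that tends to end up in free-text log messages (constructed for
# this example; tune them to the identifiers your own system actually uses).
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
]


def redact_text(text):
    """Replace PHI-looking substrings in free text with placeholders."""
    for pattern, placeholder in PHI_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def redact_record(obj):
    """Recursively scrub a dict/list (e.g. a request body) before it is logged:
    known PHI field values are replaced wholesale, other strings are pattern-scrubbed."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in PHI_FIELDS else redact_record(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_record(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class PHIRedactingFilter(logging.Filter):
    """Attach to every handler so that any record, including %-style args, is scrubbed
    before it reaches a file, stdout, or a log shipper."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())  # render args now, then scrub
        record.args = ()
        return True


def phi_access_event(actor, action, resource_type, resource_id, purpose, outcome="success"):
    """Build a PHI-access audit event. It carries who/what/why and an opaque internal
    resource id, never PHI values, so the audit trail itself is not a PHI store."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "phi_access",
        "actor": actor,
        "action": action,
        "resource_type": resource_type,
        "resource_id": resource_id,
        "purpose": purpose,
        "outcome": outcome,
    }


class MemoryHandler(logging.Handler):
    """Collects formatted lines in a list so the example runs without a log file."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def demo():
    """Log three constructed lines the way a careless app might, and return what the
    handler actually wrote after redaction."""
    lines = []
    handler = MemoryHandler(lines)
    handler.addFilter(PHIRedactingFilter())
    log = logging.getLogger("example.phi_safe")
    log.handlers.clear()
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False

    # Constructed request body containing PHI, as an app might receive it.
    request = {"patient_name": "Jane Doe", "ssn": "123-45-6789", "visit": {"reason": "follow-up"}}
    log.info("lookup by %s", "123-45-6789")  # PHI passed as a format argument
    log.info("request=%s", json.dumps(redact_record(request)))
    log.info(json.dumps(phi_access_event("clinician:42", "read", "patient", "pt_8f3a", "treatment")))
    return lines
```

Putting the filter on the handler rather than the logger means records from child loggers and third-party libraries are scrubbed too. Pattern-based redaction is a safety net, not the primary control: the `redact_record` step, applied before a body is ever formatted into a message, is what stops structured PHI from reaching the logger in the first place, and the audit event deliberately references an internal id so the audit log can be retained and reviewed without becoming another PHI store.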
Ongoing risk management after go live
Quarterly risk assessments and vulnerability scans (including application dependencies)
Annual incident-response and disaster-recovery drills
Regular policy reviews, access audits, and credential rotation
A better approach: built-in compliance you can prove
At Aptible, we believe HIPAA compliance should not slow you down or price you out.
Compliance should be treated as a foundational, ongoing operational responsibility from day one.
Choose a platform that takes compliance as seriously as you do.
👉 Sign up for a free trial or apply to our Startup Program to launch HIPAA-compliant apps with confidence.