Aptible’s story began with a focus on serving digital health companies. As a result, the Aptible platform was designed with HIPAA compliance in mind. It automates and enforces all the necessary infrastructure security and compliance controls, ensuring the safe storage and processing of HIPAA-protected health information and more.

This guide will cover the essential steps for achieving HIPAA compliance on Aptible.

HIPAA-Compliant Production Checklist

Prerequisites: An Aptible account on the Growth Plan or higher

  1. Provision a dedicated stack

    1. Dedicated stacks live on isolated infrastructure and are designed to support deploying resources with higher requirements— such as HIPAA. Aptible automates and enforces 100% of the necessary infrastructure security and compliance controls for HIPAA compliance. This includes but is not limited to:

      1. Network Segregation (see: stacks)

      2. Platform Activity Logging (see: activity)

      3. Automated Backups & Automated Backup Testing (see: database backups)

      4. Database Encryption at Rest (see: database encryption)

      5. End-to-end Encryption in Transit (see: database encryption)

      6. DDoS Protection (see: DDoS Protection)

      7. Automatic Container Recovery (see: container recovery)

      8. Intrusion Detection (see: HIDS)

      9. Host Hardening

      10. Secure Infrastructure Access, Development, and Testing Practices

      11. 24/7 Site Reliability and Incident Response

      12. Infrastructure Penetration Tested

  2. Execute a BAA with Aptible

    1. When you request your first dedicated stack, an Aptible team member will reach out to coordinate the execution of a Business Associate Agreement (BAA).

After these steps are taken, you are ready to process PHI! 🎉

Here are some optional steps you can take:

  1. Review the controls implemented for you, enhance your security posture by implementing additional controls, and share a detailed report with your customers.

  2. Show off your compliance with a Secured by Aptible HIPAA compliance badge

  3. Set up log retention

    1. Set up long-term log retention with the use of a log drain. All Aptible log drain integrations offer BAAs.

This document serves as a guide and does not replace professional legal advice. For detailed compliance questions, it is recommended to consult with legal experts or Aptible’s support team.