Enclave Features

HIPAA Compliant Hosting

Aptible Enclave® is a HIPAA compliant hosting platform that protects your customers’ PHI with industry-standard safeguards. Enclave helps you quickly and easily satisfy HIPAA requirements and succeed in audits and vendor assessments.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA defines requirements for companies that create, receive, maintain, or transmit electronic protected health information (ePHI, or PHI).

The HIPAA Security Rule states that companies must implement “reasonable and appropriate safeguards” over PHI, but identifying and implementing those exact requirements can be challenging.

Aptible Enclave implements a large number of the safeguards required by the HIPAA Security Rule, helping you to achieve HIPAA compliance. By deploying your apps and databases on Enclave, you can go to market faster and with greater confidence.

HIPAA Compliant Hosting on Enclave

How to deploy your app while meeting HIPAA Requirements

Build your app

Enclave is a framework-agnostic container hosting platform. Use it to launch a new app or migrate an existing project.

By signing up for a free Enclave Development Account, you can deploy your apps and databases while evaluating Enclave as a hosting platform.

Deploy on Enclave

When your app is ready, upgrade to a Production Account. The Enclave Production Account runs in your own Dedicated Stack, and as a result is ready to accept PHI and other regulated or sensitive data.

Pass audits

Leverage Enclave’s audit-ready security controls to demonstrate HIPAA compliance, pass customer audits, and secure industry certifications such as HITRUST. For HIPAA hosting, we’ll sign a Business Associate Agreement (BAA) together. Signing a BAA with us is a legal requirement for hosting PHI on Enclave.

Deploy Your First App Now

Use Enclave to meet many of the requirements associated with the HIPAA Security Rule and to demonstrate HIPAA compliance to auditors and customers.

Technical Safeguards

HIPAA requires the implementation of Technical Safeguards: the technical features of your infrastructure that contribute to the protection of PHI. Enclave implements most of the Technical Safeguards that HIPAA requires, and makes it trivial to meet others.

HIPAA Requirements and Enclave® Safeguards (Technical Safeguards)

Access Controls (§ 164.312(a)(1))
Enclave implements role-based access control for all backend access, including code deployments, SSH sessions, and database tunnels.

Audit Controls (§ 164.312(b))
Enclave captures all logs generated by your apps, databases, and SSH sessions, and routes them to the logging destination or Security Information and Event Management (SIEM) system of your choice.

Integrity Controls (§ 164.312(c)(1))
Enclave backs up databases daily and on demand. Enclave databases are configured conservatively to protect data integrity.

Transmission Security (§ 164.312(e)(1))
Enclave Managed HTTPS Endpoints deliver your app over HTTPS. Your access to backend systems (such as database tunnels and SSH sessions) is authenticated and encrypted. Enclave databases require TLS for all connections.

Learn more about all of Enclave's security and audit-readiness features in the Enclave Security Division of Responsibilities.

Physical Safeguards

HIPAA mandates Physical Safeguards (§ 164.310) such as a Facility Security Plan, Access Control, Maintenance Records, and Contingency Operations. These requirements protect the systems hosting PHI from natural and environmental hazards or unauthorized intrusion.

Enclave is built on AWS, so applications deployed on Enclave inherit many Physical Safeguards from AWS's own physical security measures. Enclave also ensures that database backups are distributed across multiple regions, meeting Contingency Operations requirements and ensuring your data won't be lost in the event of a disaster compromising any individual data center.

Administrative Safeguards

HIPAA Administrative Safeguards (§ 164.308) prescribe the implementation of a comprehensive security management program. Among other things, HIPAA requires that you prepare contingency and incident response plans, train your workforce, and periodically assess your performance.

Enclave makes it easier to manage this security program by implementing many of HIPAA's requirements, thus minimizing the scope of your security management program.

Aptible Gridiron® provides analyses, reports, documentation, and training to help you administer your entire security management program. Learn more about Aptible Gridiron.

Beyond HIPAA: Vendor Assessments

Meeting HIPAA requirements is only the baseline you must satisfy when deploying applications that process PHI. Potential partners and customers such as hospitals and insurance networks will often impose much more stringent and specific requirements on you as part of their vendor assessments.

Managed Host-based Intrusion Detection

Your cloud infrastructure is protected at the host level with both intrusion detection monitoring and incident response. The Aptible Security Team investigates, responds to, and resolves any security incidents that are discovered via the HIDS.

Docker Image Vulnerability Scanning

Vulnerability scanning is enabled by default on all your containers, with automated scanning and real-time notifications via integration with Appcanary.

Activity Reports

Activity Reports list all operations that take place in a given Environment; these reports are posted on a weekly basis in the Aptible Dashboard.