Looked at Heroku, which uses a Shared Responsibility model for HIPAA compliance. The quoted price struck me as ridiculous (OTOO ~$50K/year) in addition to server/worker resource costs.
For HIPAA-compliant apps using PaaS or public cloud, what'd you pick, why, and what'd it cost?
I'm working on my second company in a row dealing with healthcare compliance. Our take at present is that these PaaS products are largely a product of a time where major cloud hosting providers were difficult to use for regulated data. I'm less familiar with AWS right now, but Google Cloud will sign a BAA with very little fuss at this point (https://cloud.google.com/security/compliance/hipaa/), and that BAA covers almost the entire surface area of their product. Their environment is also SOC2/2 certified, so if you're headed down a path that either requires your own SOC2/2 or a certification like HITRUST, you'll find it to be "not the hardest part of the challenge".
These PaaS companies (Heroku in particular) probably solve a need by neatly buttoning up the answer to this question, allowing mid/large scale corporate lawyers to sign off with ease. If that is you, great! If not, talk to your lawyers and figure out whether a much more off-the-shelf approach will work for your needs.