Which PaaS is good for HIPAA compliance? What's the cost?

Looked at Heroku, which uses a Shared Responsibility model for HIPAA compliance. The quoted price struck my as ridiculous (OTOO ~$50K/year) in addition to server/worker resource costs.

For HIPAA-compliant apps using PaaS or public cloud, what'd you pick, why, and what'd it cost?

#Heroku #Amazon AWS #Cloud Computing
gotwalt's avatar
9 months ago
I am not a lawyer

I'm working on my second company in a row dealing with healthcare compliance. Our take at present is that these PaaS products are largely a product of a time where major cloud hosting providers were difficult to use for regulated data. I'm less familiar with AWS right now, but Google Cloud will sign a BAA with very little fuss at this point (, and that BAA covers almost the entire surface area of their product. Their environment is also SOC2/2 certified, so if you're headed down a path that either requires your own SOC2/2 or a certification like HITRUST, you'll find it to be "not the hardest part of the challenge".

These PaaS companies (Heroku in particular) probably solve a need by neatly buttoning up the answer to this question, allowing mid/large scale corporate lawyers to sign off with ease. If that is you, great! If not, talk to your lawyers and figure out whether a much more off-the-shelf approach will work for your needs.

8 points
The community for power users.