Does Digital Ocean Provide BAA Certificates For HIPAA Compliance?

September 13, 2017
DigitalOcean Ubuntu 16.04

I am developing a health care app, and it is already in production on Digital Ocean servers. I'm planning to bring my app into compliance with HIPAA. I can see that DO already supports some of the relevant services, like droplet backups and private IPs.

I need to get a BAA certificate for hosting services. Does DO provide the same?

1 comment
3 Answers

The article posted above seems dated. Is there any update on BAA from DO? AWS has some great detail and has a standard agreement and info. I imagine DO has this somewhere but can't find it.

  • It would be nice to know as well. Of course, it's probably worth noting that having a VPC (virtual private cloud) would be handy; that way your web application servers are protected from direct server access. So you have your load balancer and bastion host in the public network, and you would SSH into the bastion host to get to your web app layers, which are connected to a database with information encrypted at rest.

    We currently run in AWS; it's not an extra cost to have a BAA with them, it's just that their system is so complicated to set up and run unless you have an AWS master.

    Digital Ocean, any updates?
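The bastion layout described in the comment above (public load balancer and bastion host, web droplets reachable only over the private network) is usually wired up on the operator side with an SSH client config that jumps through the bastion. The fragment below is an added example and is not code from anyone in this thread or from DigitalOcean; the host aliases, user names, key path and addresses (203.0.113.10 for the bastion, 10.132.0.0/16 for the private side) are assumptions chosen for illustration.

```sshconfig
# ~/.ssh/config on an operator's workstation (hypothetical names and addresses)

# The bastion is the only host with a public address that accepts SSH.
Host bastion
    HostName 203.0.113.10            # assumed public IP of the bastion droplet
    User ops
    IdentityFile ~/.ssh/id_ed25519_ops
    IdentitiesOnly yes               # offer only this key, never every key in the agent
    ForwardAgent no                  # never expose the local agent socket to the bastion

# Web-tier droplets have private addresses only; every connection to them
# is tunnelled through the bastion with ProxyJump (OpenSSH 7.3+), so the
# private key stays on the workstation and is never copied to the bastion.
Host web-*
    User deploy
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_ops
    IdentitiesOnly yes
    ForwardAgent no

Host web-1
    HostName 10.132.0.11             # assumed private IP on the VPC network
Host web-2
    HostName 10.132.0.12

# Usage: `ssh web-1` opens a session on the private droplet via the bastion;
# `ssh -J bastion deploy@10.132.0.13` does the same for an unlisted host.
```

Two checks worth doing once this is in place: from outside the VPC, confirm `ssh deploy@10.132.0.11` (no jump) times out rather than connecting, which proves the web tier has no public SSH exposure; and on the web droplets, restrict the host firewall so port 22 accepts connections only from the bastion's private address, so that a compromised public-facing load balancer still cannot reach the application hosts directly.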

Hey folks, a quick edit from Josh Feinblum (CSO over here at DO). I have a post below as well, but we've been signing BAAs for some time, and are happy to chat with anyone that wants to build apps that store, process, or transmit PHI across the DO platform.

The short answer is no, and it is the reason why we ended up moving our operations elsewhere, sadly. Here's the email I got back from support regarding this issue:

DigitalOcean Support
Wed, Jul 11, 2018

DigitalOcean is very interested in HIPAA and has been exploring the requirements to become compliant. As of right now, we are not HIPAA compliant and, unfortunately, we don't have a public ETA I can share with you. If DigitalOcean is still useful for segments of your infrastructure needs, we're happy to answer any additional questions you have about our platform, but at this time cannot provide a BAA for this purpose.

If there is anything else we can help with, please don't hesitate to let us know!

Kind Regards,

DigitalOcean Support

edited by JoshF

A quick update on this question:

We will sign Business Associate Agreements, and certainly believe we fulfill all of the obligations under the Security and Privacy Rules (and well beyond).
