Just trying to figure out where to host an app. I have a healthcare app but it is subject to HIPAA compliance standards. Not sure if DigitalOcean can handle this yet. Thanks.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.
I had asked the same question, and here is what I got back…
Hello,
Thank you for your question. All of our datacenters have been certified by national and/or international security standards.
Please let us know if we can provide any additional information.
Thank you. DigitalOcean Support
Hi @devin774507,
Digital Ocean may adhere to some of HIPAA’s technical guidelines, but probably not hit all of them. I could be wrong though. Ultimately, signing a BAA with them is what’s important, and if they won’t sign, you’re out of luck.
If you are an application developer, you will have many other concerns to worry about that DO does not address at all. At a high level, they are:
As a disclaimer, I’m a designer at Catalyze, which is a platform as a service (think Heroku) that is built entirely from the ground up to be HIPAA compliant. What we provide might be what you are looking for if HIPAA compliance is a concern of yours. I’d be happy to chat if you have any questions; you can reach me at kris@catalyze.io
One major value of someone like Catalyze is you only have to sign one BAA and you can trust that everything is covered for compliance. Going from managing a dozen BAAs to just one is quite nice :).
Something we recently built was this handy self assessment checklist. If you have a few minutes, you might want to walk through it and either answer for yourself or for the vendor you’re currently using. You will likely get a better understanding of the high level things it takes for compliance:
https://catalyze.io/hipaa-self-assessment-checklist/
Lastly, for anyone reading this, we recently open sourced our internal company policies. If you’re a digital health company and are handling PHI, you need your own set. Feel free to use ours to get started.
https://catalyzeio.github.io/policies
@bruins.nicholas,
Quick note - just signing a BAA with a vendor does not necessarily make someone fully HIPAA compliant. There are so many requirements for compliance, that generally you’ll need many BAA’s with vendors who do different things. Even if DO did sign a BAA, they wouldn’t necessarily cover everything you’d need in it for full compliance.
As I understand it, DO doesn’t sign agreements. They won’t sign a BAA towards HIPAA and they won’t sign anything towards PCI either. I believe that DO has the security in place, they just won’t sign the agreements. Joyent is in the same situation.
AWS is fine and they sign BAA’s, which is great. Azure, Rackspace and Google do too. Our app is still hosted on AWS.
We were looking to switch to DO because the price to performance ratio is significantly better on DO than on AWS (for our application).