Digital Ocean may adhere to some of HIPAA’s technical guidelines, but probably not hit all of them. I could be wrong though. Ultimately, signing a BAA with them is what’s important, and if they won’t sign, you’re out of luck.
If you are an application developer, you will have many other concerns to worry about that DO does not address at all. At a high level, they are:
- dedicated logging
- dedicated monitoring
- intrusion detection
- vulnerability scanning
- encryption in transit and at rest
- and a whole slew of company policies
As a disclaimer, I’m a designer at Catalyze, which is a platform as a service (think Heroku) that is built entirely from the ground up to be HIPAA compliant. What we provide might be what you are looking for if HIPAA compliance is a concern of yours. I’d be happy to chat if you have any questions; you can reach me at email@example.com
One major value of someone like Catalyze is you only have to sign one BAA and you can trust that everything is covered for compliance. Going from managing a dozen BAAs to just one is quite nice :).
Something we recently built was this handy self assessment checklist. If you have a few minutes, you might want to walk through it and either answer for yourself or for the vendor you’re currently using. You will likely get a better understanding of the high level things it takes for compliance:
Lastly, for anyone reading this, we recently open sourced our internal company policies. If you’re a digital health company and are handling PHI, you need your own set. Feel free to use ours to get started.
Quick note - just signing a BAA with a vendor does not necessarily make someone fully HIPAA compliant. There are so many requirements for compliance, that generally you’ll need many BAA’s with vendors who do different things. Even if DO did sign a BAA, they wouldn’t necessarily cover everything you’d need in it for full compliance.