Ask HN: AWS or Azure for HIPAA compliant web form?

1 pointsthisisdallas7y ago2 comments

I need a basic HIPAA compliant web form for a medical office.

I'm looking at setting up a server on AWS or Azure that will host the form. I will use use an iframe to add the form the practice's website that will be hosted on a Digital Ocean droplet.

The Azure/AWS server won't store any data but it will be transferring it to a HIPAA compliant email address (office 365 email address).

I'm somewhat confused on what the best route to take is. I was thinking about building the form on a low resource vm to reduce cost as much as possible. If a simple vm server is all I need, are there any benefits to using AWS or Azure in terms of being HIPAA compliant? In other words, does either platform make it easier to be HIPAA compliant?

2 comments

SkyPuncher7y ago

Neither. There simply isn't a way to do "basic HIPAA" in either. You basically need to fully commit to being HIPAA compliant if you go directly with a service.

At Carol Health, we use a provider called Healthcare Blocks to manage a HIPAA compliant environment in AWS. They take care of most of the infrastructure compliance. While, we take care of the application side. Datica and Aptible are direct alternatives to Healthcare Blocks.

Those options would give you a more traditional hosting route. You could also use a services like True Vault. It's kind of like Stripe for HIPAA data. All of the HIPAA-sensitive data is communicated directly to TrueVault. Your server then deals with non-PHI data.

thisisdallasOP7y ago

Thanks for the help, I appreciate it.

> You basically need to fully commit to being HIPAA compliant if you go directly with a service.

Do you mind explaining that a little more? Are there specific actions that need to be taken in order to be HIPAA compliant if no data is being saved on the server?

j / k navigate · click thread line to collapse