Announcing HIPAA-Compliant Cloud Hosting by Platform.sh

If you’ve worked with us before, you know we take security seriously. We take measures necessary to safeguard your sensitive and personally identifiable information and comply with a variety of compliance standards. These include maintaining best security practices and aligning with regulations such as SOC-2, PCI-DSS, and GDPR.

We have also ensured our environments and file systems are encrypted and read-only, and we continuously maintain our library of container images for each version of each service you want to run. Not only that, Platform.sh offers around-the-clock, follow-the-sun support staffed by teams of actual experts.

Now, we’re happy to introduce HIPAA to our list of compliance standards for U.S.-based projects. Why are we introducing HIPAA compliance now? HIPAA, or the Health Insurance Portability and Accountability Act, started as a way to protect personally identifiable health information, or Protected Health Information, from fraud or theft. That type of information includes an individual’s demographic data, health status, medical history, payment for health care, or any information that’s created, received, stored, or transmitted by a HIPAA-covered entity.

Why consider HIPAA cloud compliance now?

The main catalyst was requests from clients. We have had a high demand from existing customers to offer HIPAA compliance for large sites, and as the HIPAA-compliant environment in the U.S. is intensifying it made sense to meet the demand.

What does HIPAA compliance mean for my organization?

Now that Platform.sh is HIPAA-compliant, we are capable of better serving the needs of healthcare providers and any company or organization that deals with protected health information.

If you’ve been hesitant to start a partnership with us before, you can now rest easy knowing that our compliance with HIPAA regulations, along with our suite of security certifications, can help ensure the protection of your customers’ information against any reasonably anticipated threats.

Platform.sh approach to HIPAA-compliant cloud hosting

Platform.sh delivers HIPAA compliance by offering grid and dedicated project clusters on Google Cloud Platform’s HIPAA-secured infrastructure. We verify with third-party auditors that our offerings are compliant, and we follow best practices and OEM instructions for configurations.

Further, we provision each HIPAA-compliant project with a CDN and web application firewall (WAF) for improved security, and we commit to an Enterprise ticket response-time SLA.

As a part of our independent third-party audits, we have been audited on overlapping HIPAA controls. Independent third-party audits provide an external examination of the controls we have added to our infrastructure and operations and ensure our commitment to complying with information security standards and industry best practices.

Please note that there is no certification recognized by the U.S. Department of Health & Human Services for HIPAA compliance. Thus, complying with HIPAA is a shared responsibility between the customer and Platform.sh.

For more information, please visit our HIPAA security documentation. For more general security information, please visit our Trust Center.