HIPAA on Render
Run HIPAA-compliant apps and store protected health information.
We’re rolling out HIPAA-enabled workspaces to select organizations.
If your organization is subject to HIPAA requirements, please reach out:
Request a HIPAA-enabled workspace
HIPAA is a United States federal law that sets standards for protecting individuals’ healthcare data. It defines administrative, physical, and technical safeguards for organizations that process or store protected health information (PHI).
For organizations subject to HIPAA requirements, Render provides HIPAA-enabled workspaces. These workspaces run services and datastores on access-restricted hosts, helping to secure any PHI processed or stored by your applications. Access to these hosts by Render staff is subject to strict controls.
A HIPAA-enabled workspace requires an Organization or Enterprise plan.
Setup process
Render works with your team to upgrade one of your existing workspaces to a HIPAA-enabled workspace.
- A member of your organization signs Render’s Business Associate Agreement (BAA).
- Render initiates the process to enable HIPAA-compliant capabilities for your workspace.
  - As part of this step, Render redeploys all of your workspace’s existing services and datastores to access-restricted hosts.
  - During this step, your services might become unavailable for a few minutes.
  - On request, we’ll work with you to schedule a convenient time for the upgrade.
- After the process completes, Render counter-signs the BAA.
After all of these steps are complete, your workspace is ready to host HIPAA-compliant applications.
Important considerations
Before upgrading to a HIPAA-enabled workspace, note all of the following:
- Upgrading to a HIPAA-enabled workspace is an irreversible action.
- HIPAA-enabled workspaces cannot deploy or run free instances.
  - Free instances run on hosts that do not support restricted access for HIPAA compliance.
  - If your workspace has existing free instances, Render moves them to a paid instance type as part of the upgrade process.
- For Enterprise plans, Render upgrades one of your workspaces to a HIPAA-enabled workspace.
  - You specify which workspace to upgrade in your BAA.
  - Your other workspaces are not HIPAA-enabled. All HIPAA-compliant workflows must run in the HIPAA-enabled workspace.
- Even in a HIPAA-enabled workspace, you must not include PHI in certain resources.
  - For details, see Where can I process and store PHI?
- A HIPAA-enabled workspace does not automatically make your applications HIPAA-compliant.
  - You are responsible for adhering to HIPAA regulations for all applications in your workspace.
  - For more information, see Render’s shared responsibility model.
Where can I process and store PHI?
Never process or store PHI on Render outside of a HIPAA-enabled workspace.
Not all resources in a HIPAA-enabled workspace support HIPAA-compliant processing and storing of PHI. See the following table for details:
| Resource | PHI OK? | Details |
|---|---|---|
| Live services | | |
| | 🟢 | |
| | ❌ | Static sites consist of static assets hosted at a publicly accessible URL. Those assets must not include any PHI. |
| | 🟢 | |
| | 🟢 | |
| | 🟢 | |
| Service-generated logs | ❌ | Never include PHI in any message logged by any Render service, whether at build time or runtime. |
| | 🟢 | Preview instances run on access-restricted hosts, just like their production counterparts. |
| Datastores | | |
| | 🟢 | All disks and their daily snapshots are encrypted at rest. |
| Render Postgres databases | 🟢 | Your primary databases, read replicas, and high availability standby databases all support HIPAA-compliant workflows. |
| Render Key Value instances | 🟢 | |
| Builds | | |
| Build artifacts | ❌ | This is the bundle generated by your service’s build command. It includes application code, dependencies, static assets, and any other files needed to run your service. These generated files must not include PHI. |
| Service configuration | | |
| Infrastructure-as-code config | ❌ | This includes |
| Resource names | ❌ | Do not include PHI in the name you assign to any resource, including: |