
So I suppose this means storing data in Postgres RDS is HIPAA compliant now by default?

At a minimum, you'd still have to sign that BAA with them. I mention that not for you, but for anyone else at home thinking "oh, I can deploy RDS/PostgreSQL and be OK with HIPAA without doing anything else!" That's (still) not the case.

In logic terms, this certification is necessary but not sufficient. It's not sufficient by itself, but it is a hard requirement because RDS hasn't been covered under their BAA up until the last day or so. That is, it wasn't covered the last time I checked, maybe a week ago, but it is now today. This was confirmed by our AWS tech reps when we recently talked to them: they absolutely did not HIPAA certify PostgreSQL the last time we asked about it. And oh, how I promise you we talked about it.

In the past you could be HIPAA compliant and use PostgreSQL RDS by signing a business associate agreement and doing things like using dedicated instances in their own VPC.

Citation needed. We were told multiple times by our reps and solution architect that RDS+PostgreSQL was not certified in any way. The only AWS options we had for HIPAA PostgreSQL were 1) hosting our own instance (that is, not using RDS in any way, just plain old EC2) or 2) paying a third party for managed PostgreSQL hosting.
