- Signing a Business Associate Agreement (BAA) with Upstash. Email support@upstash.com to get started.
- Marking specific databases as HIPAA databases and addressing security issues raised by the advisor.
- Ensuring MFA is enabled on all Upstash accounts.
- Enforcing MFA as a requirement to access the organization.
- Enabling Prod Pack which provides encryption at rest and advanced security features.
- Enabling Credential Protection so that credentials are not stored in Upstash infrastructure and console access to a database requires its credentials.
- Configuring IP allowlist to restrict database access to authorized networks.
- Enabling daily backups to validate recoverability and meet retention requirements.
- Complying with encryption requirements in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer.
- Ensuring that PHI is stored only within your database. Storing PHI in resource names or other locations is strictly prohibited.
- Ensuring that PHI is stored only in values of data structures, not in identifiers or keys. Avoid logging keys anywhere.
- Not using public endpoints to process PHI.
- Not transferring databases to a non-HIPAA organization.
For a comprehensive guide on implementing these responsibilities in production, see our Production Checklist. For questions about managing healthcare data, contact our support team at support@upstash.com.