Vercel supports HIPAA compliance

Vercel is committed to providing a secure and reliable platform for hosting websites and applications—across all industries. But this can be challenging with industry-specific regulations, especially for healthcare organizations and entities that process protected health information (PHI).

Today, we're excited to announce that Vercel supports compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for our enterprise customers, enabling relevant companies to leverage our Frontend Cloud while maintaining compliance with industry-specific regulations.

What does this mean for our customers?

HIPAA promotes the use of electronic health records while safeguarding the security and privacy pf PHI.

Vercel is considered a business associate for our healthcare customers, including hospitals, medical services providers, research facilities, and insurance companies, who must comply with HIPAA as "covered entities." Being a business associate—an entity that provides services to covered entities—requires Vercel to comply with certain HIPAA obligations.

Based on a customer's configuration, Vercel’s records may contain healthcare information, which could include data relevant to PHI. Any additional data captured within the platform is at the discretion of Vercel’s customers. We do not manage or review this information. We help ensure that our customers' data is stored in their systems securely and is highly available for their use per our Shared Responsibility Model.

Another way Enterprise customers can ensure interactions with their digital presence are secure, resilient, and performant is through Vercel Secure Compute. Secure Compute adds an additional layer of security to applications by placing deployments and build containers in an isolated network with dedicated IP addresses in a region of their choice and logically separated from other containers.

Having an isolated network with dedicated IP addresses provides customers more control over which resources access their network. Additionally, enabling VPC peering (AWS only) and VPN support allows customers to establish secure tunnels within their AWS infrastructure, creating fewer entry points into their networks.

How did we do this?

We wanted to bring the same level of rigor to evaluating our compliance with HIPAA that we apply to our SOC 2 Type 2, PCI DSS, and ISO 27001 frameworks. To achieve this, we underwent an independent third-party audit to ensure that we support compliance with the HIPAA Security Rule and HITECH Breach Notification Requirements.

Our evaluation involved several key steps to ensure the protection of health information:

1. Understand HIPAA requirements: We familiarized ourselves with business associate requirements to understand our obligations to covered entities for protecting PHI.
2. Conduct a risk assessment: We conducted a risk assessment to identify potential risks and vulnerabilities and understand if improvements were needed.
3. Implement administrative, physical, and technical safeguards: We updated policies and procedures, including our incident response plan, with HIPAA-specific breach notification requirements. We also implemented HIPAA-specific training for staff and reviewed our encryption, access, and backup controls to ensure the availability and integrity of PHI if stored or transmitted by Vercel.
4. Signing business associate agreements (BAAs): We sign BAAs with enterprise customers who are covered entities under HIPAA to outline each party's responsibilities for protecting PHI.
5. Conduct regular audits and monitoring: We regularly audit and monitor our systems and processes to maintain ongoing compliance with HIPAA requirements, including reviewing access logs, conducting vulnerability scans, and performing risk assessments.
6. Stay informed and up to date: We regularly monitor updates to the Security Rule, HITECH Breach Notification Requirements, and standard industry practices to keep Vercel up to date and continue to support compliance with evolving requirements.

Dedication to security and compliance

Healthcare organizations can confidently host their websites and applications on Vercel, knowing that we support compliance with HIPAA. Our successful completion of an independent HIPAA audit underscores our commitment to protecting our customers' information.

This achievement reaffirms our dedication to providing a secure and reliable platform for businesses across all industries, including healthcare. We look forward to helping healthcare organizations thrive in an increasingly digital world while ensuring the highest standards of data security and privacy.