(HIPAA is a US Regulation requiring safeguarding of private health information)
Does anyone know if Vapor is suitable for a HIPAA compliant project? AWS itself can be (when configured correctly), so that should cover most of the hard part, but the suggested setup for Vapor is to give it administrator access to the AWS account. I'm not an expert but I'd imagine one of two things would be needed:
Being able to tailor the AWS permissions granted so that storage resources can be created, scaled, and removed without actually granting any access to the content within those resources.
Vapor service being willing to sign a Business Associate Agreement (a specific, standard agreement agreeing to safeguard its access).
I don't find any references to this in the docs, nor do I see a sales/support contact, so I wasn't sure where to turn?
@brucek2 @bobwurtz - This post is a couple of months old but if you still have questions, I am happy to help answer them. I am the Lead Engineer at a Healthcare Tech SaaS company. Long story short, we are an automated call management solution that manages doctor offices, hospitals, etc. incoming phone calls after-hours and during normal business hours. Say a patient calls their doctor's office after-hours in an urgent scenario, our platform takes over, records parts of the call (containing PHI), we take that call, transcribe it and then notify the on-call provider.
Anyways, if you still need help, or have different questions, just let me know and I'll do my best to answer them.
We are also looking at this question. Did anyone ever figure out whether you can do it? We'd like to use Vapor, but it's important to know the answer to this question. I know Vapor is just the product that orchestrates deployment, but it's confusing to know whether HIPAA compliance guidelines are followed. Anyone figure anything out?