There's a recent startup out of YC which seems interesting called Truevault.com, which allows you to store JSON documents in their database via an API and is HIPAA compliant.
I am working on a healthcare app, and am wondering which is a better strategy in terms of HIPAA compliance:
1) Heroku + Truevault - easier deployment initially, but Heroku won't sign a Business Associate Agreement, so not sure if this is truly HIPAA compliant even if I don't store PHI on the Heroku server or only temporarily store it there.
2) Run everything on Amazon EC2 - Amazon will sign a BAA so no issue here, but I will have to do server maintenance myself (rather not)
3) Heroku + Amazon S3 database - run server on Heroku but store everything on S3, Amazon to sign BAA
Anyone with experience what would be most compliant yet practical? Thanks in advance.
Without knowing specifics about how your application works, it's likely that you will have to run all of your application on EC2 and other Amazon Web Services.
Heroku nodes are basically EC2 instances with a bit of automation on top, making it more of a platform than infrastructure. However, if you are working in a field that requires legal compliance on how your data is handled, not having full control may be a bad thing. You can do much of the automation Heroku does with tools like Chef and Puppet.
Also, if you do use EC2, make sure your infrastructure is configured in a VPC; that is the way to go. It adds a bit of extra work, but gives you more control over network access to different instances.
S3 is not really a database, it's an object store. It's basically a key/value store with keys that look like file paths. And it can store some very, very large values.
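As an added illustration of the VPC point in the answer above (this is example code, not the answerer's or the original poster's configuration), here is a minimal Terraform layout in which only the application tier can reach the data tier. The CIDR ranges, resource names and a PostgreSQL database on port 5432 are all assumptions.

```hcl
# Added example: a VPC with separate app and data subnets, where the
# database port is reachable only from the app-tier security group.
# All names, CIDRs and the port 5432 are assumed for illustration.

resource "aws_vpc" "app" {
  cidr_block = "10.0.0.0/16"
}

# Subnet for web/app instances that receive traffic from the internet.
resource "aws_subnet" "app_tier" {
  vpc_id     = aws_vpc.app.id
  cidr_block = "10.0.1.0/24"
}

# Subnet for database instances; no internet gateway route is defined here.
resource "aws_subnet" "data_tier" {
  vpc_id     = aws_vpc.app.id
  cidr_block = "10.0.2.0/24"
}

resource "aws_security_group" "app_tier" {
  name   = "app-tier"
  vpc_id = aws_vpc.app.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The database port is allowed only from members of the app-tier group,
# not from any CIDR range, so the data tier is never exposed directly.
resource "aws_security_group" "data_tier" {
  name   = "data-tier"
  vpc_id = aws_vpc.app.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app_tier.id]
  }
}
```

Referencing the app-tier group by id rather than by address range means the rule keeps working when app instances are replaced or scaled, which is the control over inter-instance access the answer refers to.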