HIPAA Compliance - Meteor Galaxy

Is it possible to set up a HIPAA Compliant Instance and DB on Meteor’s Galaxy?

@arjunrajjain Galaxy doesn’t support HIPAA compliant app deployments today. We’ve received occasional inquiries about this capability and are aware of some of the requirements (although they do vary from customer to customer). Since Galaxy doesn’t include database hosting, you should be able to find HIPAA-compliant hosting via providers like Compose, Atlas, or MLab.

Unfortunately, mLab has specifically stated that they aren’t HIPAA compliant at this time. :confused:

@arjunrajjain - You may want to check out the following whitepaper: Clinical Meteor - HIPAA Scale Out Strategy. The HIPAA compliant PaaS providers that we’ve repeatedly seen/heard people having success with include:

  • Modulus.io - the most experience doing HIPAA compliant Meteor apps
  • Aptible.com - the least expensive, starting around $1000/month
  • Catalyze.io - the most HIPAA experience, some Meteor experience; mostly Node experience

Things are changing a bit as Meteor is aligning with the broader Node community; and some of the HIPAA compliant Node providers are beginning to pick up Meteor deployments.


Thank you so much for the advice @awatson1978 and @marktrang!

We are working on getting HIPAA compliance on an application we have started work on. I am wondering if the list of database providers above is still accurate, or are there any newer providers that offer comparable or better plans than the ones listed above?


There’s been some evolution, but it’s mostly the same.

Modulus is now rebranded as Xervo.io. Their infrastructure has been evolving towards specializing in laboratory or departmental on-site installations.

Whereas Aptible has been evolving towards SaaS solutions and consumer oriented hosting.

One solution not listed above, but which I keep running into is running directly on AWS itself. Requires being comfortable setting up your own servers, managing your own SSL certs, setting up your own database cluster, etc. But probably 20% to 30% or more of the companies I’ve consulted with have been running directly on AWS.

I was reading an article on hipaa compliant hosting and found this:

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

To me, this reads as if you could almost use Galaxy for hipaa compliant applications if Galaxy would sign a BAA with you? On first glance it seems Galaxy, which is just AWS under the hood, meets most/all of the other requirements?

Yes that’s correct. If MDG wanted to, supporting HIPAA wouldn’t be that big of a stretch from where they currently are. Most of the compliance requirements they’d need to address would be around log files, encrypted data at rest, training internal staff, and insurance policies. But it would introduce a lot of liability exposure. So we’re not holding our breath.

What’s WAY more interesting right now, is that the Office of the National Coordinatir (ONC) published an 800 page rule a few weeks ago regarding the 21st Centure Cures Act. This rule interprets the Fast Healthcare Interoperability Resource (FHIR) standard as complying with the 21st Century Cures interoperability and anti-datablocking mandates.


What does this mean for Meteor, Clinical Meteor, and Galaxy? Well, it means that Patients now have a legal right to request their medical records from EHRs via API access. It means that Clinical Meteor is one of the few 21st Century Cures compliant web frameworks in existence. It means that patient hosted apps that are 21st Century Compliant aren’t obligated by HIPAA if Physians aren’t the primary users of the app.

Put all that together, and there’s a small legal loophole where patient advocacy groups could run apps on Galaxy using a 21st Century Cures waiver to the HIPAA compliance requirements.