My app requires HIPAA compliance, and as far as I can tell so far, I don’t seem to be able to quite get it yet with Galaxy.
If I have to go to AWS, what’s the easiest to start with, for a developer with not-zero, but also not-mega devops chops – PhusionPassenger, MUP, other?
Looking at the docs… mup looks very easy!
It’s not only easy, but also reliable and well maintained.
What exactly is not covered by Galaxy? They are running on AWS anyway and if a specific requirement is not supported I think you might just send them a message and ask for it.
I have the same question. I emailed asking if they are HIPAA-compliant but the response seemed to be that it was up to me to determine if they were – and I have no idea how to do that.
I found this forum post from March of last year:
Yes that’s correct. If MDG wanted to, supporting HIPAA wouldn’t be that big of a stretch from where they currently are. Most of the compliance requirements they’d need to address would be around log files, encrypted data at rest, training internal staff, and insurance policies. But it would introduce a lot of liability exposure. So we’re not holding our breath.
maybe @awatson1978 can help out here? I think she has some background in Meteor + clinical compliance.
Good news - I spoke to an awesome law firm today and was told there is no reason to switch from Galaxy to AWS for HIPAA reasons. They said the public statement by AWS that they are HIPAA-compliant is not terribly meaningful for legal purposes, as their user agreement specifies that they have a shared responsibility with the user to ensure HIPAA compliance, and in fact AWS only handles about 10% of it. Per this lawyer, it’s primarily up to the user to ensure HIPAA compliance, and that can be done equally well on Galaxy. @awatson1978, does this sound like a reasonable direction, given your experience with HIPAA?
Yeah, that’s a good summary and my general take on the state of HIPAA compliance also. Like, you can’t ask either Galaxy or AWS to be HIPAA compliant for you.
Mostly what AWS does with its HIPAA Tier is it rules out various services which are specifically known NOT to be compliant. The big example historically was Elastic Beanstalk, which will install containers from different vendors on the same server; which could be a problem if there were ever a configuration hiccup. So they don’t even offer it; and they assume that any org in the HIPAA Tier will want to manage their own servers.
Mostly, an org that wants to use Galaxy to host a HIPAA compliant app needs to treat its liabilities as ending with FCC laws around wiretapping. For HIPAA purposes, basically just treat Galaxy as a snazzy telco infrastructure provider.
You’ll still need to implement user accounts, audit logs, encrypted data on the wire and on disk, policies and procedures, etc. All of which is the far more difficult lift.