Does Anvil sign BAA's

I am developing a healthcare application. I need to find out if Anvil signs BAA’s before I can host my application on Anvil’s servers. Haven’t found an answer in the docs.

Background:
If I use cloud services such as Anvil to store Protected Health Information (PHI), US regulations require that the cloud service provider sign a BAA (Business Associate Agreement). Does Anvil sign these agreements?

(PHI is a legal term for private patient information collected and stored in the US by health entities like hospitals and insurance plans. PHI privacy and security is highly regulated in the United States. Part of these regulations requires health entities to have a contract called a BAA with anyone who stores PHI for the health entity.)

I can’t answer this, only Anvil knows this.

I can comment on this: Anvil servers are in the UK, not in the US, so using the Anvil storage APIs you would store your information in the UK.

You could use Anvil apps with an external database hosted in the US, and you would have patient data going from a form on a browser in the US to a database hosted in the US via a server in the UK. I don’t know if this detail is against the rules. It will certainly increase latency time. My apps in the US with the Anvil database work just fine. The latency hit happens only for the client-server interaction, which can be easily optimized to 1 round trip per user action, but I have many server-database interactions per round trip that would be very difficult to optimize.

There are two more options:

  • With the open source server you manage the hosting part and don’t need Anvil’s signature
  • With the Enterprise plan you decide where the server is. I think the Anvil team will still manage updates and other aspects of the installation
1 Like

The app seems to be a mission-critical one, so this is the best option; the open source server is not ready for production at the moment.

There are production installations with the open source server that work just fine out there.

The open source server has issues that are, well, open source. Anybody deciding to try it can see them in the repository.

You can contribute by saying what makes it not ready for production in your case; the forum is great for learning from other people’s experience, but offering your opinion as a universal fact is, I think, out of line.

3 Likes

Thanks to all who have replied. I am actually fairly satisfied with Anvil’s description of their security. But the fact remains, if I (or anyone) wants to use Anvil to store PHI, a BAA has to be in place, just a quirk of US law.

For example, Microsoft, Google, and Amazon all provide BAA’s for customers who store PHI on their servers.

An American medical doctor can’t even legally use Google Docs or Microsoft Word Online to do word processing which includes a patient’s name unless a BAA is in place.

Offering BAA’s is Anvil’s business decision - but Anvil cannot have customers operating in the US healthcare space without BAA’s…

For the curious, if you want to know what must be in a BAA, see Business Associate Contracts | HHS.gov

1 Like

@stefono.menci

Appreciate your reply.

Yes, Anvil knows, but Anvil’s website encouraged me to use this forum to find out the experiences of Anvil users. Just hoped I might find a user who had already dealt with this problem.

I agree that using a database either in-house or with another cloud vendor that signs BAA’s is a viable workaround, though using Anvil’s built-in cloud storage seems convenient. Why have two cloud vendors if one can meet your need?

It is a very serious bug; if you can make it work, please let me know. Thanks so much.

Also, for production, at least 2 servers need to run at the same time for high availability. And this is not possible with the current version or dockers. I would really appreciate it if you could point out links to production installations.

@rdsteed You might be interested in a related discussion on here from last year:

Thanks Owen.

I would have joined that thread, but it was locked. The Forum admin closed it with “HIPAA is a Spam magnet”. That is why in my original posting above I avoided “HIPAA” and talked about “BAA’s” and “PHI” instead of using the verboten “HIPAA”.

The only roadblock I see to using Anvil’s data store for storing PHI is the absence of a BAA. It isn’t a technical issue, it is simply US regulations.

Dennis

2 Likes