Data separation: one environment per client?

I have a clarifying question about HIPAA regulations.

Currently we’re planning to separate our environments because we have multiple hospitals as clients, and we want to have one per environment, ensuring that hospitals don’t access each other’s patient data.

Can you speak to whether or not the environment separation we currently have complies with those HIPAA security regulations, or whether we would need to get multiple VPCs to comply? Thanks!

Hey @hylas,

HIPAA actually does not require you to separate data from each one of your hospital clients into separate servers/databases/networks.

It does require you to authenticate access to individual users and ensure that users only access PHI records for which they are authorized. Usually, this authentication/authorization is implemented at the web app level.

Will all of your hospital clients be accessing your services via a web application that you write/maintain, which in turn connects to a database or databases running on Aptible? Will they ever be accessing data by any other means (e.g., an SFTP server, direct database access, etc.)?

How have you implemented user management and authentication thus far? I can comment on any potential issues or considerations with the approach you’ve taken, if that would be helpful.

Thanks!
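The answer above locates the HIPAA access-control requirement at the web application layer: per-user authentication plus a check that each user only reaches the PHI records they are authorized for, even when several hospitals share one database. The following is an added example (not code from this thread, from Aptible, or from the original poster's service) showing what that check looks like when tenant scoping is enforced in one place rather than in each endpoint. The data model, the `hospital_id` column, the role names and the sample records are all assumptions constructed for illustration.

```python
"""Tenant-scoped authorization for PHI records in a shared datastore.

Assumed model (hypothetical): one database holds records for several
hospitals (tenants). Every user belongs to exactly one hospital and every
PHI record carries a hospital_id. The service must check, on every access,
that the caller's hospital matches the record's hospital and that the
caller's role permits the requested action.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    hospital_id: str
    role: str  # "clinician" or "billing" (hypothetical roles)


@dataclass(frozen=True)
class PhiRecord:
    record_id: str
    hospital_id: str
    patient_name: str


class AuthorizationError(Exception):
    pass


# Constructed sample data: two hospitals sharing one datastore.
RECORDS = {
    "rec-1": PhiRecord("rec-1", "hosp-A", "Patient One"),
    "rec-2": PhiRecord("rec-2", "hosp-B", "Patient Two"),
}

# Which roles may perform which actions (hypothetical policy).
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
}


def authorize(user, record, action):
    """Deny-by-default check: tenant match first, then role permission.

    Using the same error for "wrong tenant" and "no such record" keeps the
    service from revealing whether a record id exists in another hospital.
    """
    if record is None or record.hospital_id != user.hospital_id:
        raise AuthorizationError("record not found")
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise AuthorizationError(f"role {user.role!r} may not {action}")
    return True


def fetch_record(user, record_id, action="read", store=RECORDS):
    """Look up a record and return it only if the caller is authorized.

    The tenant filter lives here, in one place, so a caller who supplies
    another hospital's record id gets the same "not found" as a bogus id.
    """
    record = store.get(record_id)
    authorize(user, record, action)
    return record


def can_access(user, record_id, action="read", store=RECORDS):
    """Boolean wrapper around fetch_record for callers that only need yes/no."""
    try:
        fetch_record(user, record_id, action, store)
        return True
    except AuthorizationError:
        return False


def list_records(user, store=RECORDS):
    """Return only the records belonging to the caller's hospital."""
    return [r for r in store.values() if r.hospital_id == user.hospital_id]


def access_log_entry(user, record_id, action, allowed):
    """Audit entry for every PHI access attempt, allowed or denied.

    Denied attempts are the ones worth alerting on: repeated cross-tenant
    record ids from one account point to an application bug or a misused
    credential, and the log shows which user and hospital were involved.
    """
    return {"user": user.user_id, "hospital": user.hospital_id,
            "record": record_id, "action": action, "allowed": allowed}


if __name__ == "__main__":
    alice = User("alice", "hosp-A", "clinician")
    print(fetch_record(alice, "rec-1").patient_name)
    print(access_log_entry(alice, "rec-2", "read",
                           can_access(alice, "rec-2", "read")))
```

The design choice worth noting is that the hospital scope is applied by the data-access function itself rather than by each caller: an endpoint that forgets to filter cannot leak another tenant's rows, which is the failure mode that separate environments per client would otherwise be guarding against.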

Well, all the clients access our services via 3 different apps we maintain, which connect to a web service running on Aptible (which connects to Aptible databases). We do not have plans for other mechanisms for them to access it at this time; if we add the ability for data dumping, we’d do a full HIPAA audit at that time. User management and authentication are implemented in the web service.