Single page apps and HIPAA

Does a Single Page Application (SPA) need to reside inside Aptible to remain HIPAA compliant?

We have it hosted on our own Amazon AWS on S3 with CloudFront. Since they are pure HTML, CSS, and JS files, there is no need to have a full web server to deliver them.


No, it does not.

But it does fall within your security program.

This is part of what we discuss in Advanced HIPAA training and HIPAA Security Officer training.

You’ll want to include that app in your secure code development practices, perform security audits and assessments against it, etc., all of the good programmatic security management best practices.

@colby is that true even if we are proxying API requests using a reverse proxy at the app level? To solve CORS issues, we proxy all requests to /api/* from our frontends to our API server, so the data actually comes from the same domain as the app itself. However, there’s no record of the data transferred over the proxy.

My understanding is, that’s fine. But I just want to make sure.
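The /api/* reverse proxy described in the post above, written out as an added example (not configuration from the original thread or from Aptible). It assumes an nginx instance serving the SPA's static files and forwarding /api/ to the API over TLS; the hostnames, certificate paths and the /var/www/spa directory are placeholders. The point a security reviewer would check is that every hop carrying PHI is encrypted and that the proxy's own logs record the request without capturing PHI.

```nginx
# Added example: static SPA plus a TLS-to-TLS reverse proxy for /api/.
# Hostnames, paths and upstream are assumptions, not values from the thread.

# Log the method and path only ($uri has no query string), never the body.
# Avoids PHI leaking into access logs through query parameters.
log_format api_safe '$remote_addr - [$time_local] "$request_method $uri" '
                    '$status $body_bytes_sent $request_time';

server {
    listen 443 ssl http2;
    server_name app.example.com;              # assumed frontend hostname

    ssl_certificate     /etc/ssl/certs/app.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/app.example.com.key; # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/app_access.log api_safe;

    # Static SPA assets; unknown paths fall back to index.html for client routing.
    location / {
        root /var/www/spa;                     # assumed build output directory
        try_files $uri /index.html;
    }

    # Same-origin /api/ path forwarded to the API; no CORS needed on the browser side.
    # Upstream connection is also TLS and the upstream certificate is verified,
    # so PHI is encrypted on both hops.
    location /api/ {
        proxy_pass https://api.example.com;   # assumed API hostname
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # placeholder CA bundle
        proxy_set_header Host api.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Redirect plain HTTP so no PHI is ever requested over cleartext.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}
```

Whether this host is itself in scope depends on who runs it: as the later reply notes, a proxy that relays PHI is transmitting ePHI, so the provider hosting it needs a BAA regardless of how the configuration looks.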

is that true even . . .

Hey @gkaemmer can you clarify what “that” is?

Also, is the proxy running on Aptible & using SSL? If so, it sounds like this set-up is fine, yes.

Sorry, to rephrase: can we have a frontend SPA hosted outside of Aptible (using SSL) that proxies /api requests to our Aptible-hosted API server?

@colby any ideas about this? I can’t really find any resources about passing PHI through non-Aptible proxies.

Hey @gkaemmer

If PHI is passing through a proxy, that constitutes “transmitting ePHI” and if a third-party SaaS/IaaS is hosting that proxy, they’d need to have a BAA in place.