Fastly HIPAA Compliance: Does Fastly Sign a BAA and How to Configure for PHI

Fastly's HIPAA Compliance Overview

HIPAA regulates how you protect and transmit Protected Health Information (PHI). There is no official “HIPAA certification” for a technology provider; instead, compliance is achieved through the right contracts, secure configurations, and operational controls aligned to the HIPAA Security and Privacy Rules.

When you use a content delivery network or edge platform, your architecture must prevent PHI from being cached or exposed unintentionally. With Fastly, HIPAA readiness hinges on a signed Business Associate Agreement (BAA) for any in-scope services and on careful configuration to avoid storing PHI at the edge.

Think of compliance as shared responsibility: you own data classification, request/response design, and logging choices; your provider supplies platform controls. Done well, you can meet performance goals while maintaining HIPAA-compliant caching behavior and strong security.

Business Associate Agreement (BAA) Policies

If Fastly will handle, transmit, or process PHI for your workloads, a Business Associate Agreement (BAA) is required before go‑live. A BAA typically defines which products are in scope, permitted data uses, required safeguards, breach notification, subcontractor controls, and where audit evidence will be made available.

Practical steps you should take:

• Confirm BAA scope by product (e.g., CDN delivery, WAF, edge functions, logging) and by environment (production, staging).
• Document whether any component could store PHI (edge caches, persistent cache storage, logs, metrics, support tickets).
• Ensure the BAA covers log storage and support interactions, or prohibit PHI in those channels.
• Without a signed BAA, do not send PHI through Fastly; de‑identify or tokenize data client‑side so that what traverses the edge is not PHI.

Configuring Fastly for Protected Health Information

Pre‑deployment design

• Classify endpoints and payloads: identify URLs, headers, cookies, and query parameters that could contain PHI.
• Isolate PHI traffic to a dedicated Fastly service so you can enforce stricter defaults and disable persistent cache storage.
• Adopt a “no PHI in the path or query” guideline; prefer opaque IDs or tokens that map to PHI only inside your protected backend.

Network and transport controls

• Enforce TLS 1.2+ end‑to‑end; redirect HTTP to HTTPS and add HSTS to prevent downgrade risks.
• Use strong certificates and pin origins with allowlists; enable mutual TLS to your origin when applicable.
• Apply DDoS protections and rate limiting to reduce availability risks that can affect regulated services.

HIPAA‑compliant caching patterns

• Do not cache PHI. Use Cache‑Control: no-store, private and Surrogate‑Control: no-store for PHI responses.
• Return pass for requests that may contain PHI (e.g., authenticated sessions, sensitive paths, POST/PUT/PATCH).
• Disable or avoid persistent cache storage for any service or content group that could include PHI.
• For non‑PHI assets (e.g., static UI), cache aggressively using separate hosts or distinct services to prevent co‑mingling.

Logging and observability

• Design log formats that exclude PHI by default; never log Authorization, session cookies, or full URLs with sensitive query strings.
• Send logs over TLS to a secure destination; restrict access via RBAC, SSO, and short‑lived credentials.
• Capture request IDs and change events to produce audit evidence without exposing PHI.

Access, administration, and change control

• Use SSO/SAML, MFA, and least‑privilege roles for console and API access; review access quarterly.
• Require approvals for VCL and configuration changes; maintain versioned rollbacks and release notes.
• Continuously monitor WAF rules, rate‑limit thresholds, and TLS settings; record these reviews as compliance artifacts.

Using VCL for HIPAA Compliance

Bypass caching for sensitive traffic

sub vcl_recv {
  # Pass authenticated or sensitive methods
  if (req.http.Authorization || req.method != "GET") {
    return (pass);
  }

  # Pass known PHI paths
  if (req.url ~ "^/(patient|claims|records|appointments)") {
    return (pass);
  }
}
sub vcl_backend_response {
  # Mark responses as non-cacheable for PHI routes detected at origin
  if (bereq.url ~ "^/(patient|claims|records|appointments)") {
    set beresp.ttl = 0s;
    set beresp.http.Cache-Control = "no-store, private";
    set beresp.http.Surrogate-Control = "no-store";
  }
}

Sanitize URLs for logging and remove sensitive headers from edge logs

sub vcl_recv {
  # Create a sanitized URL without query string for logging
  set req.http.X-Sanitized-URL = regsub(req.url, "\?.*$", "");
  # Never emit secrets into logs; configure log endpoints to use X-Sanitized-URL
  # and exclude Authorization, Cookie, and Set-Cookie fields.
}

Enforce HTTPS and transport security headers

sub vcl_recv {
  # Redirect plaintext to HTTPS
  if (req.http.Fastly-SSL != "1") {
    set req.http.Location = "https://" req.http.host req.url;
    error 301 "Moved Permanently";
  }
}
sub vcl_deliver {
  set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload";
  # Remove potentially sensitive or revealing headers
  unset resp.http.Server;
  unset resp.http.X-Powered-By;
}

• Treat the examples as starting points; tailor patterns to your routes and data model.
• Keep PHI out of cache keys and logs. If queries are unavoidable, ignore them in the cache key and sanitize before logging.
• Validate behavior in staging with synthetic PHI to ensure nothing is cached or logged unexpectedly.

Accessing Fastly Compliance Reports

Compliance Certifications and supporting audit evidence are typically available through your account team or customer portal after an NDA or contractual agreement. Ask for current SOC reports, ISO certificates, penetration testing summaries, and documented security program overviews. Confirm the scope aligns with the specific services you intend to use for PHI and retain these artifacts in your governance repository.

During vendor due diligence, request details on data retention, log handling, incident response, and subcontractor oversight. Map each document to your control framework so auditors can trace how the platform supports your HIPAA Security and Privacy Rules obligations.

Security and Privacy Rule Alignments

Technical safeguards

• Access control: SSO/SAML, MFA, and role‑based permissions restrict who can change edge configs and view logs.
• Audit controls: Structured, PHI‑free log formats plus request IDs and change histories produce verifiable audit evidence.
• Integrity and transmission security: TLS 1.2+ end‑to‑end, HSTS, and optional mutual TLS to origins protect data in transit.
• HIPAA‑compliant caching: No‑store directives, pass rules, and avoiding persistent cache storage prevent PHI from being saved at the edge.

Administrative safeguards

• Risk management: Classify data flows, isolate PHI services, and review configurations on a defined cadence.
• Workforce training: Instruct teams never to place PHI in URLs, headers, or tickets; use approved redaction patterns.
• Change control: Use approvals and versioned deployments; document WAF/rate‑limit updates and TLS adjustments.

Physical safeguards

• Provider data center controls are validated via third‑party assessments; retain Compliance Certifications and review renewal dates.

Conclusion

HIPAA on an edge platform is achievable when contracts are in place and PHI is never cached or exposed. Secure transport, strict pass rules, sanitized logging, and disciplined access controls form the core. Pair these configurations with a properly scoped BAA and current audit evidence to operate confidently under the Security and Privacy Rules.

FAQs

Does Fastly sign a Business Associate Agreement (BAA)?

Fastly may sign a BAA for eligible customers and specific in‑scope services. A BAA is not automatic; you must request, review, and execute it before any PHI touches the platform. Without a signed BAA, do not send PHI through Fastly.

How can Fastly be configured to handle PHI securely?

Disable caching for PHI routes, set no‑store directives, and return pass for authenticated or sensitive traffic. Enforce TLS 1.2+, add HSTS, and enable WAF and rate limiting. Sanitize logs to exclude PHI, restrict access with SSO/MFA/RBAC, and avoid persistent cache storage for services that may process PHI.

Where can I find Fastly’s HIPAA compliance reports?

Request Compliance Certifications and related audit evidence from your account team or customer portal, typically under NDA. Confirm scope for the specific products you plan to use with PHI and archive these documents for audits.

What security features does Fastly offer for HIPAA compliance?

Commonly used features include TLS termination with modern protocols, HSTS, optional mutual TLS to origins, a next‑gen WAF, DDoS protections, rate limiting, granular caching controls, detailed logging with redaction options, and administrative safeguards like SSO, MFA, and role‑based access. Configure each control to align with the Security and Privacy Rules and your BAA scope.