Is Fastly HIPAA Compliant? BAAs, PHI Handling, and Security Explained
HIPAA Compliance Overview for Fastly
Fastly can support HIPAA-aligned deployments when you pair its platform features with the right contracts, rigorous configuration, and disciplined operations. Compliance is an outcome of your program, not a switch a vendor flips. You must secure a signed Business Associate Agreement (BAA) and apply controls that reflect your risk analysis.
Under the HIPAA Security Rule and the HIPAA Privacy Rule, Protected Health Information (PHI) is any individually identifiable health data tied to health status, care, or payment. When PHI traverses a content delivery network, you must enforce encryption, limit data exposure, and prevent unintended storage or reuse of PHI at the edge.
Treat the CDN as a transient conduit for sensitive traffic. Keep PHI out of URLs, headers, and cookies whenever possible, minimize what reaches the edge, and implement audit controls that record access events without capturing PHI values.
Configuring Fastly for PHI Protection
Core compliance configuration
- Encrypt every hop in transit. Enforce TLS 1.2/1.3, strong ciphers, and HSTS to align with your organization’s Data Encryption Standards. Use mutual TLS for origin connections where feasible.
- Segment traffic. Use dedicated services, hostnames, and routes for PHI-bearing requests so you can apply tighter policies and simpler reviews.
- Bypass caching for PHI. Set Cache-Control: no-store, private and a TTL of 0 for authenticated or personalized responses. Use Surrogate-Control to prevent CDN storage and treat any request with Authorization headers or sensitive cookies as non-cacheable.
- Sanitize logs. Never log request bodies, full query strings, or identifiers that can reconstruct PHI. Redact or hash sensitive fields before log streaming, restrict log access, and define retention aligned to your audit controls.
- Protect ingress. Enable and tune a WAF, apply IP allowlists where practical, add rate limiting and bot mitigation, and block risky methods or oversized payloads.
- Validate sessions at the edge. Verify signed tokens early and drop invalid or expired sessions before they reach your origin.
- Harden secrets and keys. Rotate certificates and API tokens, store them securely, and restrict who can deploy configuration changes that affect PHI handling.
Business Associate Agreements and Fastly
If a vendor creates, receives, maintains, or transmits PHI on your behalf, HIPAA requires a signed Business Associate Agreement (BAA) before you process PHI through the service. Ensure the BAA is executed and that your deployment uses only the services and features covered by that agreement.
What to confirm in the BAA
- Covered services and environments, including any edge compute or logging features you plan to use.
- Permitted uses and disclosures, data handling boundaries, and minimum necessary principles tied to the HIPAA Privacy Rule.
- Administrative, physical, and technical safeguards mapped to the HIPAA Security Rule.
- Breach notification timelines, cooperation duties, and incident response expectations.
- Subprocessor lists, locations, and flow-down obligations.
- Data return, deletion, and termination procedures.
- Reporting, documentation, and audit rights that support your compliance program.
Practical next steps
- Engage your account team to request a BAA aligned to your architecture, then verify which products and regions are in scope.
- Document PHI data flows, planned logs, and controls so the agreement matches real usage.
- Complete security due diligence, then execute the BAA before any PHI enters the platform.
- Maintain the executed BAA, version it with configuration changes, and review it during annual risk assessments.
Shared Responsibility Model in HIPAA Compliance
HIPAA compliance with a CDN follows a shared responsibility model. The platform secures the underlying infrastructure, while you design and operate secure workloads that meet your regulatory obligations.
What the vendor typically covers
- Global network security, DDoS-resilient edge infrastructure, and platform patching.
- Physical and environmental safeguards in data centers and backbone facilities.
- Core service availability, baseline isolation, and secure deployment pipelines for the platform itself.
What you must own
- Compliance configuration: encryption policies, cache rules, header and cookie hygiene, and request routing that prevents PHI exposure.
- Identity, access, and key management for your accounts, automation, and CI/CD.
- WAF policies, allowlists, rate limits, and business logic protections specific to your apps.
- Log design, redaction, retention, and review processes that satisfy audit controls.
- Risk analysis, user training, incident response, and vendor management across your ecosystem.
Security Controls Offered by Fastly
The platform provides controls you can assemble into a HIPAA-aligned posture when used with a BAA and sound operations. Your objective is to combine these features into a coherent control set that enforces your Data Encryption Standards and Security Rule safeguards.
- Transport security: TLS 1.2/1.3 termination at the edge, HSTS, OCSP stapling, and optional mutual TLS to origins.
- Web application security: a WAF with managed and custom rules, virtual patching for emerging threats, API protections, bot mitigation, and request size/method controls.
- Network resilience: multi-layer DDoS protections and origin shielding to reduce blast radius and improve availability.
- Access controls: IP allow/block lists, geo and ASN filters, and token or JWT validation at the edge.
- Edge compute policies: redact headers, strip query parameters, sign or verify URLs, and enforce business logic before traffic hits your origin.
- Observability and audit controls: real-time log streaming with selective fields, metrics, and alerts without storing PHI values.
Managing Data Caching with Fastly
Improper caching is the most common way PHI leaks through a CDN. Default to no caching for any endpoint that is authenticated, personalized, or may include identifiers in responses.
- Mark PHI responses as uncacheable using Cache-Control: no-store, private and set TTL=0. Use Surrogate-Control to ensure the edge never retains a copy.
- Avoid embedding PHI in URLs, query strings, or cache keys. Prefer POST bodies for sensitive submissions and strip sensitive headers at the edge.
- Treat any request with Authorization headers or session cookies as non-cacheable. Do not rely on cookie-based variation to protect PHI.
- Use signed URLs or cookies only for static assets that never contain PHI. Reserve stale-while-revalidate and similar directives for non-sensitive content.
- Label content with Surrogate-Key groups so you can instantly purge anything published by mistake.
- Continuously test cache behavior in staging with synthetic PHI to confirm no content is stored or served from cache.
Customer Responsibilities for HIPAA Compliance
- Perform and document a HIPAA risk analysis covering edge data flows, logs, and failure modes; drive remediations into your backlog.
- Apply data minimization. Remove PHI from URLs and headers, tokenize identifiers when feasible, and restrict who can deploy configuration.
- Enforce Data Encryption Standards end to end and rotate certificates and secrets on a defined schedule.
- Design logs to support audit controls without capturing PHI. Define retention, access reviews, and alerting for anomalous events.
- Harden origins and APIs, adopt secure SDLC practices, and regularly test WAF and rate-limit efficacy.
- Execute and maintain a BAA with the vendor and with any downstream subprocessors that may receive streamed logs or metrics.
- Train workforce members, run incident response exercises, and document change management for all compliance configuration updates.
Conclusion
You can use Fastly within a HIPAA-aligned architecture by executing a BAA, preventing PHI from being cached, enforcing strong encryption, tuning edge security controls, and operating rigorous logging and audit controls. Compliance remains a shared responsibility: the platform secures the network, while you design, configure, and verify safeguards that satisfy the HIPAA Security Rule and Privacy Rule.
FAQs
Does Fastly sign Business Associate Agreements (BAAs)?
If your use case involves PHI, you must secure a signed Business Associate Agreement with the vendor before onboarding data. Contact your account team to confirm BAA availability for your plan, which services are covered, and any configuration prerequisites. Do not transmit PHI until the BAA is fully executed.
How can customers configure Fastly to protect PHI?
Encrypt all traffic with TLS 1.2/1.3, segregate PHI routes, and treat authenticated or personalized responses as non-cacheable using Cache-Control: no-store, private and TTL=0. Sanitize logs to exclude PHI, enforce WAF rules and rate limits, validate tokens at the edge, and document these settings as part of your compliance configuration and audit controls.
What security measures does Fastly provide for HIPAA compliance?
The platform offers transport encryption, WAF and bot defenses, DDoS mitigation, access controls, edge compute for redaction and token checks, and real-time log streaming. Combined with a BAA and careful setup, these capabilities help you implement safeguards required by the HIPAA Security Rule without storing PHI at the edge.
Who is responsible for HIPAA compliance when using Fastly?
Compliance is shared. The vendor secures the global network and core platform, while you are responsible for architecture, encryption choices, cache and logging policies, WAF tuning, user access, incident response, and verifying that PHI handling aligns with the HIPAA Privacy Rule and Security Rule.