Is Render HIPAA Compliant? BAAs, PHI Handling, and Security Explained
HIPAA Compliance on Render
Yes—Render offers HIPAA-enabled workspaces designed to run HIPAA-compliant applications and store protected health information (PHI). These workspaces place your services and datastores on access-restricted hosts and pair platform safeguards with your own administrative and application controls.
Compliance on Render follows a shared-responsibility approach. Render Compliance Controls address the underlying platform, while you implement application-layer safeguards and governance to fully meet HIPAA requirements.
At a glance
- HIPAA eligibility is available on Scale and Enterprise workspace plans.
- Self-serve Business Associate Agreement (BAA) signing enables HIPAA features for a designated workspace.
- Services and datastores run on access-restricted hosts with strict staff access controls.
- Encryption, audit logging, and role-based access underpin PHI protection at the platform level.
Enabling HIPAA on Render
Prerequisites
- Use a Scale or Enterprise plan and be a workspace admin.
- Decide which workspace will be HIPAA-enabled; only that workspace may handle PHI.
- Plan for a brief redeploy window during enablement.
Step-by-step enablement flow
- In Workspace Settings, open the Compliance section and select Get Started.
- Review the enablement details and request the Business Associate Agreement.
- Sign the BAA from the link sent via email.
- Return to Workspace Settings; your HIPAA status shows Pending after the BAA is signed.
- Select Enable HIPAA to begin; if you don’t start manually, Render begins the process automatically 72 hours after BAA signing.
- Render redeploys your services and datastores onto access-restricted hosts; brief unavailability may occur.
- When complete, your HIPAA status updates to Enabled and you’ll receive a confirmation email.
Understanding the Business Associate Agreement
The Business Associate Agreement formalizes Render’s role as a business associate and defines how PHI may be used, disclosed, protected, and returned or destroyed. You must have a signed BAA before enabling HIPAA features and handling PHI on the platform.
What the BAA generally covers
- Permitted and required uses and disclosures of PHI.
- Security Rule safeguards, including technical, administrative, and physical controls.
- Breach and incident reporting obligations and timelines.
- Subcontractor flow-down of equivalent protections.
- Support for access, amendments, and accountings as applicable.
- Return or destruction of PHI upon termination, where feasible, and termination rights for material breach.
How it works on Render
- You request and sign the BAA directly from the dashboard—no lengthy sales cycle.
- The BAA designates a single workspace for HIPAA enablement; keep PHI in that workspace only.
- After signature, you complete enablement to migrate services to access-restricted hosts.
PHI Handling and Security Measures
Render Compliance Controls for PHI
- PHI Encryption at Rest: Managed databases, persistent disks, and their snapshots are encrypted at rest; database systems use at least AES-128 for stored data and backups.
- TLS Encryption in Transit: Enforced for all services; HTTP automatically redirects to HTTPS, and certificates are fully managed.
- Access-Restricted Hosts: Enabling HIPAA moves your workloads to hosts with restricted, audited access controls and hardened operational policies.
- Identity and access: Role-based access control, SSO/SCIM (Scale and Enterprise), and audit logs help you enforce least-privilege access.
- Resilience: Point-in-time recovery and multi-AZ replication options support data integrity and recovery objectives.
Where PHI is and is not allowed
- Allowed: HIPAA-enabled workspace services on access-restricted hosts, persistent disks, and managed databases (for runtime data and backups).
- Not allowed: Static sites, service-generated logs, build artifacts, infrastructure-as-code configs (e.g., render.yaml, Terraform), and resource names (including environment variable names and secret filenames). Avoid placing any PHI in these locations.
- Previews: Preview environments run on access-restricted hosts; still avoid logging PHI.
Operational best practices
- Apply minimum necessary access, enforce multifactor authentication, and review roles regularly.
- Harden secrets management and rotate credentials; never include PHI in logs or metrics.
- Tokenize or encrypt sensitive fields at the app layer and set conservative log retention.
- Document incident response, backup testing, and audit procedures to demonstrate governance.
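Two of the rules above fall entirely on the application: keeping PHI out of service-generated logs (Render treats logs as a non-PHI location) and tokenizing or encrypting sensitive fields at the app layer. The Python below is an added example, not Render's code or part of its platform: a `logging.Filter` that scrubs known PHI field names and PHI-shaped substrings from every record before it reaches any handler, so nothing shipped off the host carries raw PHI, plus a deterministic HMAC-based tokenizer for fields that must still be joinable. The field list, regular expressions, logger name and key are constructed assumptions for illustration; a real deployment would take them from its own data classification and secret store.

```python
import hashlib
import hmac
import io
import logging
import re

# Field names treated as PHI. Constructed for this example; derive the real
# list from the application's own data classification.
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "diagnosis", "address"}

# Free-text patterns that commonly carry PHI (US SSN and phone formats).
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),  # phone number
]

REDACTED = "[REDACTED]"


def redact_text(text: str) -> str:
    """Mask PHI-shaped substrings in a free-text log message."""
    for pattern in PHI_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def redact_fields(record: dict) -> dict:
    """Return a copy of a structured record with PHI keys masked and
    PHI-shaped substrings removed from any remaining string values."""
    clean = {}
    for key, value in record.items():
        if key.lower() in PHI_FIELDS:
            clean[key] = REDACTED
        elif isinstance(value, str):
            clean[key] = redact_text(value)
        elif isinstance(value, dict):
            clean[key] = redact_fields(value)
        else:
            clean[key] = value
    return clean


class PHIRedactionFilter(logging.Filter):
    """Scrub the formatted message and any dict passed as extra={'fields': ...}.
    Installed on the logger, it runs before every handler, so console, file
    and shipped logs all see the same scrubbed record."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so PHI passed via %-args is scrubbed too.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        fields = getattr(record, "fields", None)
        if isinstance(fields, dict):
            record.fields = redact_fields(fields)
        return True  # never drop the record, only scrub it


def tokenize(value: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of the value under an app-held key.
    Equal values map to equal tokens, so joins and lookups still work, but the
    token does not reveal the value without the key. Keep the key in the
    service's secret store, never in code or logs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrubbed_log_line(message: str, fields: dict) -> str:
    """Emit one record through a logger with the filter installed and return
    the formatted line, so the scrubbing can be checked end to end."""
    buf = io.StringIO()
    logger = logging.getLogger("phi-demo")  # constructed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s fields=%(fields)s"))
    logger.addHandler(handler)
    logger.addFilter(PHIRedactionFilter())
    logger.info(message, extra={"fields": fields})
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample: a careless log call that would otherwise leak PHI.
    print(scrubbed_log_line(
        "eligibility lookup for 123-45-6789, callback 555-123-4567",
        {"mrn": "MRN-0001", "patient_name": "Jane Doe", "visit_id": 42},
    ))
    print(tokenize("123-45-6789", key=b"constructed-demo-key"))
```

The filter sits on the logger rather than on one handler so that a later addition of a log-shipping handler inherits the scrubbing automatically. Redaction by field name is the primary control; the regular expressions are a backstop for PHI that leaks into free-text messages, and they should be tuned to the identifiers the application actually handles.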
Important Considerations for HIPAA Workspaces
HIPAA-Enabled Workspace Fees
As of April 23, 2026, HIPAA-enabled workspaces on Scale and Enterprise plans no longer have a monthly minimum fee. Instead, a 20% compute premium applies to enabled workspaces. Factor this into your total cost of ownership alongside standard compute, storage, and bandwidth charges.
- Irreversible upgrade: You cannot downgrade or revert a HIPAA-enabled workspace.
- Workspace scope: The BAA designates one HIPAA-enabled workspace; other workspaces remain non-HIPAA.
- No free instances: Free instances are not supported; existing free services are migrated to paid instance types during enablement.
- Regions: All supported regions are available except Singapore for HIPAA-enabled workloads.
- Deployment impact: Enablement triggers controlled redeploys; plan for a short maintenance window.
Conclusion
Render makes HIPAA compliance practical by combining access-restricted hosts, encryption, and governance features with a self-serve BAA. Use HIPAA-enabled workspaces for PHI, keep PHI out of logs and static assets, and pair Render’s platform controls with your own policies to satisfy the HIPAA Security Rule.
FAQs
What steps are required to enable HIPAA compliance on Render?
From Workspace Settings, open Compliance and select Get Started to request the BAA. Sign the BAA from the email link, return to Settings, and then click Enable HIPAA (or wait for automatic enablement after 72 hours). Render redeploys your services onto access-restricted hosts and confirms when the process completes.
How does Render secure PHI in HIPAA-enabled workspaces?
Render enforces TLS Encryption in Transit, provides PHI Encryption at Rest for databases and disks, runs workloads on access-restricted hosts, and supports RBAC, SSO/SCIM, audit logs, and resilient backups. You add application-layer controls like user authorization, PHI redaction, and tokenization.
What are the fees associated with using Render for HIPAA compliance?
HIPAA-enabled workspaces require a Scale or Enterprise plan. A 20% compute premium applies to enabled workspaces, and there is no monthly minimum fee as of April 23, 2026. Free instance types are not available in HIPAA-enabled workspaces.
Can HIPAA-enabled workspaces be downgraded or reverted?
No. Upgrading a workspace to HIPAA is irreversible. If you need a non-HIPAA environment later, create a separate workspace and keep PHI entirely within the HIPAA-enabled workspace designated in your Business Associate Agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.