PlanetScale HIPAA Compliance: Is It HIPAA-Compliant and Will It Sign a BAA?
Enterprise Plan Features
PlanetScale’s Enterprise plan is built for regulated workloads that need stronger data protection and compliance infrastructure. It makes a Business Associate Agreement (BAA) available, expands audit and security logging, and offers private connectivity so database traffic never traverses the public internet. For stricter isolation, Enterprise single-tenant and PlanetScale Managed deploy the data plane into a dedicated AWS or GCP account.
These capabilities give you a hardened foundation for HIPAA workloads; you retain responsibility for application-layer safeguards, access control, and the operational processes that map to your compliance program.
([planetscale.com](https://planetscale.com/docs/security))
Business Associate Agreement (BAA) Details
Yes. PlanetScale will sign a Business Associate Agreement with customers on the Enterprise plan or with Business support (and may extend coverage to eligible startups). You request the BAA through sales; once executed, it contractually authorizes PlanetScale to create, receive, maintain, or transmit Protected Health Information (PHI) on your behalf as your Business Associate. There is no formal HIPAA certification, so the executed BAA together with the controls you implement are what make the deployment HIPAA-ready.
([planetscale.com](https://planetscale.com/blog/planetscale-and-hipaa))
Shared Compliance Responsibilities
PlanetScale follows a shared responsibility model: the platform provides secure, compliant infrastructure for storing and processing PHI, while you configure and operate your environment to meet HIPAA’s requirements. You must determine whether you are a Covered Entity or a Business Associate and implement appropriate identity, access, logging, and governance controls across your stack.
([planetscale.com](https://planetscale.com/docs/security))
HIPAA Compliance Requirements
Because the Department of Health and Human Services does not recognize a formal HIPAA certification, compliance hinges on implementing the HIPAA Security Rule’s administrative, physical, and technical safeguards and documenting how they map to your architecture. In practice, your BAA is the contractual anchor, and you demonstrate due care through access control, audit and integrity protections, and transmission security across databases, applications, and integrations.
([planetscale.com](https://planetscale.com/blog/planetscale-and-hipaa))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Protected Health Information (PHI) Handling
With an Enterprise plan and a signed BAA, PlanetScale supports PHI use cases; you remain responsible for how PHI flows through your applications, services, and environments, including staging, backups, and any copies made for analytics or debugging. Store as little PHI as possible, mask identifiers in application and query logs before they leave the process, restrict which database users and roles can read sensitive tables, and align retention and deletion with your policies and legal holds.
([planetscale.com](https://planetscale.com/docs/security))
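One way to implement the "mask identifiers in logs" safeguard in application code, as an added example that is not PlanetScale's or this page's code: a `logging` filter that redacts PHI-looking identifiers before any handler (file, stdout, SIEM forwarder) sees the record. The regular expressions, the `mrn=` and `patient_name=` label formats, and the sample log lines are assumptions constructed for illustration; replace them with the identifier formats your own schema actually uses.

```python
import logging
import re

# Added example (not PlanetScale code). Redact PHI-looking identifiers before a
# log record reaches any handler, so logs shipped to a SIEM or a vendor do not
# become an unplanned PHI store. The patterns are illustrative assumptions.
PATTERNS = [
    # US SSN in the common 123-45-6789 layout
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    # e-mail addresses
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    # labelled medical record numbers, e.g. "mrn=00012345" or "MRN: 00012345"
    (re.compile(r"(?i)\b(mrn\s*[:=]\s*)\w+"), r"\1[MRN]"),
    # labelled patient names, e.g. "patient_name=Jane Doe" (stops at ',' or ';')
    (re.compile(r"(?i)\b(patient_name\s*[:=]\s*)[^,;\n]+"), r"\1[NAME]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order and return the masked text."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class PHIRedactingFilter(logging.Filter):
    """Rewrite the record's message in place before the handler emits it.

    Attached to a handler (not a logger) so it also covers records that
    propagate up from child loggers; logger-level filters do not.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate %-style args first so values passed as arguments
        # ("... by %s", email) are masked too, then drop the raw args.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo() -> list[str]:
    """Push constructed sample events through the filter; return what the handler saw."""
    captured: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    logger = logging.getLogger("phi-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)

    # Constructed sample events, not real data.
    logger.info("lookup mrn=00012345 for patient_name=Jane Doe, ssn 123-45-6789")
    logger.warning("export requested by %s", "jane.doe@example.org")
    return captured


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Pattern-based masking is a backstop, not a substitute for data minimization: free-text fields and unlabelled identifiers will slip through, so keep PHI out of log statements by design and treat the filter as defence in depth. Run the same filter over any ORM or driver query logging you enable, since bound parameter values otherwise land in logs verbatim.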
Security Infrastructure Provided
Core platform controls
- Encryption at rest and in transit; TLS is required for every database connection. Configure clients to verify the server certificate against a trusted CA bundle (for example `ssl-mode=VERIFY_IDENTITY` in MySQL clients) rather than merely enabling TLS, otherwise an attacker on the path can still interpose.
- Optional private connectivity through AWS PrivateLink or GCP Private Service Connect to avoid the public internet.
- Enterprise-grade audit and security logs, with the ability to forward events (e.g., via EventBridge) to your SIEM.
- Independent SOC 1 Type 2 and SOC 2 Type 2 reports, mapped to the HIPAA Security Rule, available through the Trust Center.
Isolation and operational safeguards
- Enterprise single-tenant options and PlanetScale Managed place the data plane in a dedicated AWS or GCP account for stronger tenancy isolation.
- Support for fully private network isolation and customer-approval workflows for any human access to managed environments.
These controls cover the platform side; pair them with your own policies, monitoring, and evidence collection to produce what an auditor will ask for.
([planetscale.com](https://planetscale.com/docs/security))
Customer Obligations for Compliance
To run PHI workloads on PlanetScale compliantly, you must secure a BAA, classify your role (Covered Entity or Business Associate), and implement safeguards that satisfy the HIPAA Security Rule in your context. Prioritize least-privilege access, strong authentication, key and secret hygiene, logging and alerting, data minimization in non-production environments, and tested incident response and breach notification procedures. Document configurations, run periodic risk analyses, review access regularly, and maintain vendor due diligence to keep your HIPAA posture audit-ready.
FAQs
Does PlanetScale provide a BAA for HIPAA compliance?
Yes. PlanetScale will enter into a Business Associate Agreement with Enterprise customers (and those with Business support, with eligibility varying by program). Contact sales to initiate the process.
([planetscale.com](https://planetscale.com/blog/planetscale-and-hipaa))
What responsibilities do customers have under HIPAA when using PlanetScale?
You are responsible for configuring and operating your environment to meet HIPAA—access control, logging, data handling, workforce training, risk analysis, and incident response—while PlanetScale provides the underlying secure infrastructure and platform controls.
([planetscale.com](https://planetscale.com/docs/security))
Is PlanetScale suitable for storing Protected Health Information?
Yes—when you are on the Enterprise plan and have a signed BAA in place. Many teams also choose single-tenant or PlanetScale Managed for added isolation, then pair platform controls with their own administrative and technical safeguards.
([planetscale.com](https://planetscale.com/blog/planetscale-and-hipaa))
What plans include HIPAA-compliant services at PlanetScale?
HIPAA support is available with the Enterprise plan (and for customers with Business support). Discuss specifics—such as single-tenant or Managed deployment options and any eligibility programs—with PlanetScale during procurement.
([planetscale.com](https://planetscale.com/blog/planetscale-and-hipaa))