 - Signing a Business Associate Agreement (BAA) with Upstash. Email support@upstash.com to get started.
 - Marking specific databases as HIPAA databases and addressing the security issues raised by the advisor.
 - Ensuring MFA is enabled on all Upstash accounts.
   - Enforcing MFA as a requirement for accessing the organization.
 - Enabling Prod Pack which provides encryption at rest and advanced security features.
 - Enabling Credential Protection so that database credentials are not stored in Upstash infrastructure and console access to the database requires those credentials.
 - Configuring IP allowlist to restrict database access to authorized networks.
 - Enabling daily backups to validate recoverability and meet retention requirements.
 - Complying with the encryption requirements of the HIPAA Security Rule. Upstash encrypts data in transit, and at rest once Prod Pack is enabled (see above). Consider additionally encrypting PHI at your application layer, so that the database only ever holds ciphertext.
 - Ensuring that PHI is stored only within your database. Storing PHI in resource names (database names, team names, etc.) or any other location is strictly prohibited.
 - Ensuring that PHI is stored only in the values of data structures, never in key names or other identifiers. Keys appear in logs, monitoring and the console, so treat them as non-sensitive and avoid logging them anywhere.
 - Not using public endpoints to process PHI.
 - Not transferring databases to a non-HIPAA organization.
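The following is an added example of the two storage rules above (PHI only in values, never in keys, and application-layer encryption on top of what Upstash provides). It is not Upstash's code. It assumes the `cryptography` package is installed, and it uses a small in-memory `FakeRedis` class with the same `set`/`get` shape as an Upstash Redis client in place of a real database; the secrets, patient identifiers and record contents are constructed for the example.

```python
"""Keep PHI out of Redis keys and encrypt it before it reaches the database.

Added example for this page (not Upstash code). Assumes the `cryptography`
package is installed. FakeRedis stands in for an Upstash Redis client; swap
in `upstash_redis.Redis` for a real HIPAA database.
"""
import hashlib
import hmac
import json
import os
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed secrets for this example. In production load both from your
# secret manager; never place them in a resource name or the console.
KEY_NAMING_SECRET = secrets.token_bytes(32)     # HMAC key for opaque key names
DATA_KEY = AESGCM.generate_key(bit_length=256)  # AES-256-GCM data key


class FakeRedis:
    """In-memory stand-in for upstash_redis.Redis (set/get only)."""

    def __init__(self):
        self._db = {}

    def set(self, key, value):
        self._db[key] = value
        return "OK"

    def get(self, key):
        return self._db.get(key)


def opaque_key(namespace: str, patient_id: str) -> str:
    """Derive a Redis key that reveals nothing about the patient.

    A keyed HMAC rather than a plain hash: someone who can list key names
    (console, logs, SCAN) cannot test them against a list of known MRNs
    without the naming secret.
    """
    tag = hmac.new(KEY_NAMING_SECRET, f"{namespace}:{patient_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{namespace}:{tag}"


def seal(redis_key: str, record: dict) -> str:
    """AES-256-GCM encrypt a PHI record. The Redis key is bound as associated
    data, so a ciphertext copied under a different key fails to decrypt."""
    nonce = os.urandom(12)  # fresh 96-bit nonce per write; never reuse with a key
    ct = AESGCM(DATA_KEY).encrypt(nonce, json.dumps(record).encode(),
                                  redis_key.encode())
    return json.dumps({"v": 1, "n": nonce.hex(), "c": ct.hex()})


def open_sealed(redis_key: str, blob: str) -> dict:
    """Inverse of seal(); raises InvalidTag on tampering or a wrong key name."""
    env = json.loads(blob)
    pt = AESGCM(DATA_KEY).decrypt(bytes.fromhex(env["n"]),
                                  bytes.fromhex(env["c"]), redis_key.encode())
    return json.loads(pt)


def store_record(r, patient_id: str, record: dict) -> str:
    """Write one patient record; returns the (opaque) key it was stored under."""
    k = opaque_key("patient", patient_id)
    r.set(k, seal(k, record))
    return k


def load_record(r, patient_id: str):
    k = opaque_key("patient", patient_id)
    blob = r.get(k)
    return None if blob is None else open_sealed(k, blob)


def key_leaks_phi(redis_key: str, patient_id: str) -> bool:
    """Review/test check: the patient identifier must not appear in the key."""
    return patient_id in redis_key


def stored_value_is_plaintext(r, redis_key: str, record: dict) -> bool:
    """Review/test check: no field value may be readable in the stored blob."""
    blob = r.get(redis_key) or ""
    return any(str(v) in blob for v in record.values())


def rebind_is_rejected(r, redis_key: str, other_key: str) -> bool:
    """A blob read back under another key name must not decrypt (AAD check)."""
    try:
        open_sealed(other_key, r.get(redis_key))
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    r = FakeRedis()
    rec = {"mrn": "MRN-000123", "diagnosis": "E11.9"}  # constructed sample PHI
    k = store_record(r, "MRN-000123", rec)
    print("stored under:", k)                 # safe to log: no PHI in the key
    print("round trip ok:", load_record(r, "MRN-000123") == rec)
```

The naming secret and the data key are independent on purpose: rotating the data key (re-encrypting values) does not rename keys, and rotating the naming secret does not require re-encryption. Binding the key name as associated data is what makes a "move the ciphertext to another patient's key" mistake fail loudly instead of silently serving the wrong record.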
 
For a comprehensive guide on implementing these responsibilities in production, see our Production Checklist. For questions about managing healthcare data, contact our support team at support@upstash.com.