Note: HIPAA compliance is only available on the Team and Enterprise plans of PowerSync Cloud.
The Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive U.S. federal law that protects the privacy and security of individuals’ health information, known as Protected Health Information (PHI) or electronic PHI (ePHI). Entities that handle ePHI must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. PowerSync serves as a Business Associate (BA) for customers (the Covered Entity or their BA) who utilize our service to synchronize healthcare-related data. As a BA, PowerSync has specific legal obligations to safeguard ePHI that passes through our synchronization service. To achieve HIPAA compliance when using PowerSync, two primary conditions must be met:
  1. The customer must execute a Business Associate Agreement (BAA) with PowerSync.
  2. The customer must use the PowerSync Service within a HIPAA-compliant configuration, e.g., using required encryption, proper access controls (MFA), a custom deployment setup, and network restrictions.
We also ensure that all our upstream vendors and sub-processors who may handle ePHI (such as cloud infrastructure providers) are covered by their own BAAs and comply with their obligations.

Mandatory Bucket Storage Requirement

With a standard setup, PowerSync Cloud provides “bucket storage” (persistent database storage where sync bucket data such as operation history and metadata are stored by the PowerSync Service) as part of the cloud service. For HIPAA compliant setups, however, the customer must provide a dedicated MongoDB Atlas cluster in their own Atlas account to serve as the bucket storage database for the PowerSync Service instance(s).

Customer Responsibilities

The customer remains the owner of their application, databases, and client devices, and therefore holds critical responsibilities in the shared compliance model:
  • Business Associate Agreement (BAA)
    Customers must sign a BAA with PowerSync before storing or synchronizing any ePHI using the service. The BAA can be requested by emailing [email protected].
  • Source Database
    Customers must ensure their source database (which PowerSync connects to) is hosted in a HIPAA-compliant environment and is protected by the appropriate vendor BAAs (e.g., with AWS, Azure, or GCP).
  • Bucket Storage - MongoDB Database
    Customers must ensure their bucket storage MongoDB Atlas cluster (which PowerSync connects to) is hosted in a HIPAA-compliant environment.
  • Client Device Security
    Customers must implement all necessary administrative, physical, and technical safeguards on the client-side devices (mobile, web app). This includes device access controls, encryption of the client-side PowerSync SQLite database, and secure disposal of data when a user or device is de-provisioned.
  • Data Filtering and Access Control
    Customers must configure Sync Rules / Sync Streams to ensure only the minimum necessary ePHI is synchronized to specific client devices, and must ensure the authentication setup is correctly implemented to restrict data to the correct client devices.
  • Network Restrictions (IP Filtering, AWS Private Endpoints)
    Customers must use AWS PrivateLink where possible, or configure and restrict source database and bucket storage database access to PowerSync Cloud’s IP addresses.
  • Breach Notification
    Customers must follow their internal policies for notifying individuals and/or HHS, and must report breaches discovered by the customer to PowerSync as required by the BAA.
  • PowerSync Dashboard Account
    Customers are in full control of their PowerSync Cloud account and are responsible for managing the users who have access to the PowerSync Dashboard. Multi-factor authentication (MFA) must be enabled for the PowerSync Dashboard.
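The "minimum necessary" filtering described under Data Filtering and Access Control is enforced in the Sync Rules configuration. The following is an added illustration, not configuration from this page or from PowerSync's documentation; the table and column names (patients, assigned_clinician_id, and so on) are constructed placeholders, and the bucket definition syntax shown (a parameter query using request.user_id() and a data query scoped by bucket.user_id) is assumed to match the PowerSync Sync Rules format. It contrasts a global bucket, which would replicate every patient row to every authenticated device, with a per-user bucket scoped to the verified identity in the client's JWT.

```yaml
# Added illustration (not from the PowerSync docs page). Table and column
# names are constructed placeholders; the syntax is assumed to follow the
# PowerSync Sync Rules format.
bucket_definitions:
  # Weak setting (commented out on purpose): a global bucket with no
  # parameter query syncs the whole patients table to every device that
  # can authenticate at all, which is the opposite of "minimum necessary".
  #
  # all_patients:
  #   data:
  #     - SELECT * FROM patients

  # Scoped setting: the parameter query derives user_id from the JWT
  # subject that the PowerSync Service has already verified, so a client
  # cannot choose it. The data query then returns only the rows assigned
  # to that clinician, and only the columns the app actually needs.
  assigned_patients:
    parameters: SELECT request.user_id() AS user_id
    data:
      - SELECT id, first_name, last_name, date_of_birth FROM patients WHERE assigned_clinician_id = bucket.user_id
```

Two points follow from this shape. The filter only holds if the authentication setup is correct, because bucket.user_id is whatever identity the JWT carries; and narrowing the column list is as much a part of "minimum necessary" as narrowing the rows, since a column never synced to a device never has to be protected or purged there.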

PowerSync’s Responsibilities (as BA)

PowerSync’s core responsibility is to protect ePHI while it is in transit and temporarily processed by our synchronization service. As a Business Associate, PowerSync is directly liable for compliance with certain provisions of the HIPAA Rules and adheres to the terms of the BAA by:
  • Technical Safeguards
    Encrypting ePHI in transit (using TLS/SSL) between the customer’s databases, the PowerSync Service, and the client devices.
  • Vendor Management
    Ensuring all underlying cloud infrastructure providers (sub-BAs) that handle ePHI have executed a BAA with PowerSync.
  • Breach Reporting
    Notifying the customer immediately upon the discovery of a security incident or breach involving unsecured ePHI processed or stored by the PowerSync Service, as outlined in the BAA.
  • Infrastructure and Auditing
    Maintaining appropriate administrative and physical controls over our infrastructure, including access management, logging, monitoring, and regular third-party audits (e.g. SOC 2) to validate our security posture.

Shared Model of Responsibility

HIPAA compliance is a continuous, shared process between the customer and PowerSync (BA).
  • Source Database
    Customer: responsible for the security and HIPAA status of the source database hosting.
    PowerSync (Business Associate): responsible for the secure, encrypted connection to the database.
  • Bucket Storage Database
    Customer: responsible for the security and HIPAA status of the bucket storage database hosting.
    PowerSync (Business Associate): responsible for the secure, encrypted connection to the database.
  • Synchronization Service
    Customer: responsible for proper configuration of Sync Rules / Streams data filtering to prevent unnecessary data exposure.
    PowerSync (Business Associate): responsible for securing the PowerSync Service infrastructure and ensuring data is encrypted while processed.
  • Client Devices (e.g., Mobile App, Web App)
    Customer: wholly responsible for securing the client-side SQLite database, and for applying user authentication, authorization, and data purge policies on the device.
    PowerSync (Business Associate): responsible for securing the client-side SDKs.

Frequently Asked Questions

What is the difference between SOC 2 and HIPAA?

SOC 2 (Service Organization Control 2) is an auditing procedure that validates a company’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. It is not industry-specific. HIPAA is a federal regulation specific to the U.S. healthcare industry that dictates the protection of PHI. A strong SOC 2 Type 2 report provides independent assurance that PowerSync maintains the necessary security posture to meet the administrative and technical safeguards required for a HIPAA Business Associate.

How often is PowerSync audited?

PowerSync undergoes annual third-party audits of our security controls (e.g., SOC 2 Type 2). These audits review the controls that are foundational to our ability to fulfill HIPAA BAA requirements.

Where can I find PowerSync’s BAA?

The BAA is available upon request to customers seeking to process ePHI. Please contact [email protected] to initiate the BAA execution process. Only the Team and Enterprise plans on PowerSync Cloud are supported.

Is a HIPAA Compliance Report available?

Yes. To provide independent assurance of our security controls, PowerSync can provide a HIPAA Compliance Report to customers on the Team or Enterprise plans of PowerSync Cloud. To request a copy, please contact [email protected].