You can now run HIPAA-compliant workloads on Modal! To get started, please sign a Business Associate Agreement (BAA) with us by reaching out to security@modal.com. Note that Modal only enters into BAAs with customers on our Enterprise plan.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law that establishes standards around protected health information (PHI). HIPAA applies to both covered entities (like a clinic or health insurance company) and business associates (which include any entities that touch PHI in the process of performing services for covered entities). For a company like Modal, HIPAA comes into play when our customers use us to handle data that is considered PHI. Most commonly this means identifiers such as names, addresses, phone numbers, and SSNs. In these scenarios, we would be considered a Business Associate, and the customer would need to sign a BAA with us.
There are four primary buckets of rules in HIPAA: the Privacy Rule, the Security Rule, the Enforcement Rule, and the Breach Notification Rule. The Security Rule is particularly relevant for companies like Modal as it governs the appropriate handling of electronic PHI. This covers administrative, physical, and technical safeguards; example requirements include things like access control policies, audit trails, data encryption, and workforce security training.
Modal and HIPAA
Unlike other security standards, there is no official audit or certification process for HIPAA. We demonstrate our adherence to the standards set forth in HIPAA via the stringent security practices outlined in our guide and through official audits for standards like SOC 2.
In particular, it’s worth noting that Modal always takes a least-privilege approach to your data, regardless of whether it contains PHI. We will never access or use your source code, function inputs/outputs, or anything stored in Images and Volumes. We delete all function inputs and outputs once the outputs have been retrieved.
Modal has also invested significant engineering effort in implementing gVisor as our runtime for compute jobs. gVisor is Google’s open-source sandboxing technology and is far more secure than standard container runtimes: it provides a strong layer of isolation between running applications and the host operating system. gVisor allows Modal to take a defense-in-depth approach to security at the lowest levels of the stack, protecting your workloads from being compromised.
Security and privacy are top priorities for Modal. We’re continuously investing in making our security posture more robust, especially as we’ve gotten more inbound interest from financial services and healthcare-adjacent companies. This announcement builds on our SOC 2 Type 1 announcement last year. We’re also in the process of obtaining our SOC 2 Type 2 certification.
What’s in scope?
All features in Modal are within the scope of our BAA, with the exception of Volumes, Mounts, and user code. PHI should not be placed in those areas of the product.