
Setting up HIPAA-compliant ngrok services

The Health Insurance Portability and Accountability Act (HIPAA) is the US federal law enacted to protect patient health information. The law sets stringent standards in order to secure electronic protected health information (ePHI/PHI).

This page contains ngrok's recommendations for setting up ngrok services in a HIPAA-compliant manner.

Warning

These recommendations from ngrok's team do not constitute legal advice. Please consult your own legal and engineering teams to ensure HIPAA compliance.

Shared responsibility model

ngrok operates with a shared responsibility model. There are many safeguards that we put in place to protect our customers, and there are steps our customers must take to remain compliant with HIPAA.

We're responsible for providing you, the customer, with all the information you need to use ngrok in a compliant manner and to configure the ngrok platform so that it remains compliant. You are responsible for ensuring your use case is compliant and for configuring ngrok correctly to maintain that compliance.

Compliant use cases

ngrok is HIPAA-compliant for use cases where PHI is carried only within a packet payload. You are responsible for ensuring that PHI is present only within the packet payload. ngrok won't store this payload data in HIPAA workloads, but we do store other, non-PHI data. See Data at ngrok for more details on what data ngrok stores.

ngrok account user information, ngrok account billing information, and packet headers should not be considered PHI within any use cases.

Customer safeguards

These are ngrok's recommendations for setting up and configuring your ngrok account securely:

  • Ensure packet payloads are the only PHI data being sent over the ngrok network
    • Don't put PHI in JWT tokens
    • Don't put PHI in packet headers
    • Don't put PHI in URL parameters
  • Ensure the ngrok agent is on a secure machine. The agent-local inspector may have ePHI.
  • Ensure that any traffic forwarded from the ngrok agent through your network is secure.
  • Use managed certificates. ngrok will automatically provision and renew them on your behalf.
  • Verify webhooks to ensure the authenticity of incoming requests.
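As an added illustration of the first safeguard (this is example code, not ngrok's own tooling), the check below inspects an outgoing request before it reaches the agent and flags PHI-named fields in the URL query string, in headers, and in the claims of a bearer JWT, i.e. everywhere except the payload. The field-name denylist and the sample request are constructed for the example; a real deployment would derive the list from its own data classification.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Constructed denylist of field names that commonly carry PHI (assumption for this example).
PHI_FIELD_NAMES = {"patient_id", "patient_name", "mrn", "dob", "ssn", "diagnosis"}


def _normalize(name):
    """Fold header/claim/param names to one form: lowercase, no 'x-' prefix, '_' separators."""
    name = name.lower()
    if name.startswith("x-"):
        name = name[2:]
    return name.replace("-", "_")


def _jwt_claims(token):
    """Decode a JWT's claims segment for inspection only; no signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return {}
    return claims if isinstance(claims, dict) else {}


def find_phi_outside_payload(url, headers):
    """Return the locations outside the body where a PHI-named field appears (empty means clean)."""
    violations = []
    for param in parse_qs(urlparse(url).query):
        if _normalize(param) in PHI_FIELD_NAMES:
            violations.append(f"url-param:{param}")
    for name, value in headers.items():
        if _normalize(name) in PHI_FIELD_NAMES:
            violations.append(f"header:{name}")
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            for claim in _jwt_claims(value[7:]):
                if _normalize(claim) in PHI_FIELD_NAMES:
                    violations.append(f"jwt-claim:{claim}")
    return violations


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned (alg 'none') JWT used only as sample input for the check."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```

Run the check in a request middleware or a CI test over your client code's fixtures; any non-empty result is a request that would expose PHI in headers, URL, or token metadata.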

See our guide on security quick wins for information on how to set up authentication, authorization, encryption, auth tokens, logging, and related features in a secure manner.

Get started

Reach out to sales@ngrok.com to learn more about HIPAA workloads on ngrok and signing a Business Associate Agreement (BAA).