HIPAA Audit Readiness — Stratum Platform

← Back to Platform Architecture

HIPAA Audit Readiness — Stratum Platform

Last Updated: 2026-04-16 Status: Phase 1 Complete (Infrastructure + BAA), Pre-Production Closeout In Progress Version: 1.1
2026-04-16 Architecture Decision: Option B3 (Cold Compute, Warm Substrate)

After verifying that App Runner had been frozen at a March image with stale RDS data while Fly.io served all real production traffic, the dual-stack was resolved by tearing down AWS App Runner + RDS and keeping the audit/data substrate. The CloudFormation template, BAA, S3 (PHI + audit), KMS, CloudTrail, GuardDuty, IAM, and ECR all remain ACTIVE. App Runner can be re-spun within ~2 hours from CloudFormation when an enterprise customer requires AWS hosting — see compliance/aws-app-runner-reactivation.md.

What's live in AWS now: S3 PHI buckets (KMS-encrypted, TLS-only, public-blocked, versioned), CloudTrail multi-region trail with log file validation, GuardDuty (S3 logs ON), BAA executed 2025-12-23 (customer-agreement-S951Sgj1601wcNeR).

What was torn down: App Runner stratum-api-production, RDS stratum-production. Final manual snapshot retained: stratum-production-final-20260416-1219. Saves ~$60–80/mo while preserving full re-activation optionality.

Outstanding before production PHI workloads land: rename phi-*-dev-* S3 buckets to production naming; if App Runner is re-activated, enable Multi-AZ on RDS at that time. Authoritative BAA record: compliance/aws-baa/aws-baa-agreement-record.json; full data-flow: compliance/aws-data-flow.md.

Executive Summary

The Stratum Platform AWS environment is configured for HIPAA-eligible workloads with comprehensive audit logging, data retention, encryption controls, and an executed Business Associate Addendum. This document describes the technical posture, with the 2026-04-16 update callout above reflecting the most current verified state.

Compliance Checklist (Phase 1 — Technical)

Encryption & Data Protection