Health Insurance Portability and Accountability Act (HIPAA) compliance requires businesses that handle protected health information (PHI) to adhere to set of privacy and security standards.
For healthcare customers hosting their frontend with Vercel, we provide services without having to transmit or store Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). Functionally, Vercel will not have access to or see any customer healthcare data since we terminate SSL/TLS. We do not see the requests/responses or traffic to customer databases. Unless PHI is in the source code or in some part of dynamic asset registration, Vercel will never have access to that information, and there would be no need for a BAA. If you are self-hosting a Next.js app, then there is no need for Vercel to be HIPAA compliant as you would control the environment and it would just be the use of open source.