HIPAA and BAAs on workers
Hey all - I just built out some infrastructure for a clinic management application on Cloudflare which involves:
- Workers for Platforms dispatching to per-tenant workers
- D1 and R2 per tenant worker
After I built this out I realised Cloudflare only signs BAAs for enterprise customers.
I have reached out to support/sales about this but still waiting to hear back.
In the meantime I’m wondering if these services will even be covered under a BAA, particularly CF Workers and D1.
Keen to get some info, as if it can’t be covered it looks like I’ll unfortunately have to start looking at other providers, but I REALLY LOVE Cloudflare and want to stay.
Anyone got any info or experience with BAAs and HIPAA with the Cloudflare developer platform?
2 Replies
Hey! You’re absolutely right to check on this before going further — Cloudflare’s current stance is that they only sign Business Associate Agreements (BAAs) with Enterprise customers. That’s the key requirement if you’re handling PHI under HIPAA.
As for specific services:
Cloudflare Workers and D1 are not currently listed among the services that are explicitly covered under their BAA (as of now, most BAAs cover things like CDN, WAF, Access, and Zero Trust features).
R2 storage might eventually qualify, but as of now, Cloudflare hasn’t officially declared it HIPAA-eligible.
So if you’re dealing with PHI or any data that falls under HIPAA, you’ll need to confirm directly with Cloudflare sales/legal before going to production. If you can’t get a BAA for the stack you’re using, unfortunately you’d need to look at another provider that does support HIPAA workloads (like AWS, GCP, or Azure).
That said — you could still prototype and test your architecture on Cloudflare, then migrate the compliant version later if needed.
Hope that helps — and fingers crossed that Cloudflare expands HIPAA coverage to Workers/D1 soon, because that platform really is fantastic for multi-tenant apps like yours.
Aha, that’s great info, thanks Eric.
I’ll chat to sales and see if there is still any possibility of making it work.
It’s such a shame if not, as what I have running really seems like the perfect fit for isolation between my tenants while also being high-performance.
My fallback option is fly.io, as they do sign BAAs at a much lower cost and I can still go app-per-tenant. But the DX is definitely not quite the same as what I was getting on Cloudflare.
Thanks - I’ll report back if I hear anything interesting from sales.