---
header: HIPAA-Compliant Caching and Delivery
lang: en
last_updated: '2018-08-01'
url: https://docs.fastly.com/products/hipaa-compliant-caching-and-delivery
---

You can configure the Fastly CDN service to cache and transmit protected health information (PHI) in keeping with Health Insurance Portability and Accountability Act (HIPAA) security requirements. Use the following features to ensure secure handling of cache data that contains PHI:

- Configure [frontend](https://docs.fastly.com/products/tls-service-options) and [backend](https://www.fastly.com/documentation/guides/getting-started/hosts/working-with-hosts) TLS to encrypt transmitted data from your origin to your end users.

- Add the [`beresp.hipaa` variable](https://www.fastly.com/documentation/reference/vcl/variables/backend-response/beresp-hipaa/) to objects containing PHI to keep that data out of non-volatile disk storage at the edge.

Contact [sales@fastly.com](mailto:sales@fastly.com) for more information on how to enable the `beresp.hipaa` feature for your account. For accounts that have this feature enabled, Fastly will enter into a HIPAA business associate agreement (BAA) as an addendum to our [terms of service](https://www.fastly.com/terms).
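
One way to apply the variable selectively, shown as an added example that is not part of Fastly's documentation: custom VCL that sets `beresp.hipaa` in `vcl_fetch` only for responses identified as carrying PHI. The `X-Contains-PHI` origin header and the `/patients/` path prefix are hypothetical selectors chosen for illustration, and the feature must already be enabled on the account.

```vcl
sub vcl_fetch {
#FASTLY fetch

  # Assumption: the origin labels PHI responses with a hypothetical
  # X-Contains-PHI header. The path check is a second, edge-side
  # selector so PHI is still flagged if the origin omits the label.
  if (beresp.http.X-Contains-PHI == "1" || req.url.path ~ "^/patients/") {
    # Keep this object out of non-volatile disk storage at the edge.
    set beresp.hipaa = true;
  }

  # The label is an internal signal between origin and edge;
  # remove it so it is not stored or delivered with the object.
  unset beresp.http.X-Contains-PHI;
}
```

Using two independent selectors means that a missed origin label on a known PHI path does not result in the object being handled as ordinary cache content.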

> **IMPORTANT:** If you have purchased Fastly’s [PCI-compliant caching](https://docs.fastly.com/products/pci-compliant-caching-and-delivery) or HIPAA-compliant caching products, Fastly will enforce a minimum version of TLS 1.2 for all connections to meet the compliance requirements mandated by the [PCI Security Standards Council](https://www.pcisecuritystandards.org/).

> **NOTE:** Fastly's security and technology compliance program includes safeguards for the entire Fastly CDN service, independent of using the `beresp.hipaa` variable. The Fastly [security program](https://docs.fastly.com/products/security-program) and [technology compliance](https://www.fastly.com/trust/faq) content provide more information about these safeguards.
