Today, we are going to take another look at a recent Request for Quote that came in to our pre-sales team here at Atlantic.Net. Many HIPAA hosting conversations start with a broad question: “Do you support healthcare workloads?” This one started in a much more useful place.

The customer was launching an online service for mental health professionals. They were building the application from the ground up for HIPAA compliance and already knew one important part of the stack: they needed PostgreSQL 16 or newer with JSONB support.

A customer who knows exactly what they need is really helpful early in the pre-sales conversation. It tells us the customer has moved beyond the idea stage and is not simply asking for “HIPAA hosting.” They want to know whether a specific application architecture can be launched, supported, backed up, and covered under a HIPAA Business Associate Agreement (BAA) before electronic protected health information, or ePHI, enters the environment.

Alongside PostgreSQL, they needed a hardened Linux instance and wanted automated backups. They needed to confirm that the database would be covered under the BAA. The customer wanted to start small and leave plenty of room to scale nationally if the platform gained the traction they were expecting.

This was an RFQ to be involved in. Join us in this article as we explain how the initial conversations grew into a HIPAA-compliant platform for one of our fantastic customers: starting with a small environment, making sure the compliance foundation was correct, then expanding once the product and usage justified it.

Do You Offer PostgreSQL Support?

PostgreSQL is a hugely popular database platform, yet you would be surprised how few managed hosting providers support it. Our customer required PostgreSQL 16 or newer with JSONB support for a HIPAA-compliant application. They also asked whether our managed services team could support installation and automated backups on a hardened Linux instance.

That question sounds simple, but it has three separate parts.

  • PostgreSQL installation was supported.
  • The application-specific database was outside the standard support scope.
  • Backups would follow the existing HIPAA hosting backup offering.

Installing PostgreSQL is an infrastructure task. Running a database over the long term is much more application-specific. Query tuning, index design, connection pooling, vacuum strategy, partitioning, schema decisions, and performance troubleshooting all depend on how the application is built and how users interact with it over time.

The customer was delighted that Atlantic.Net could support the PostgreSQL installation, with the customer’s application team remaining responsible for the application-level database. The database itself would sit inside the HIPAA-compliant hosting environment and follow the same backup schedule as the rest of the system.

What Are We Really Scoping?

On paper, this may seem like ‘just’ a PostgreSQL request. In practice, we were scoping the first production environment for a new healthcare SaaS platform. That meant PostgreSQL was only one piece of the plan. The customer also needed a hardened Linux instance, HIPAA-compliant hosting, a signed BAA, daily backups, encrypted backup storage, a realistic deployment window, and a clean upgrade path if the application outgrew the entry package.

These are the RFQ details that make a hosting environment usable in production. A database engine alone does not make a healthcare platform ready to launch. The goal was not to overbuild the first environment. The goal was to build the first environment on the right foundation, with enough structure to support compliance, security, recovery, and future growth.

Is a Signed BAA Available?

The BAA came up early, as it should, and the customer needed to know whether PostgreSQL would be covered under the BAA. We provided Atlantic.Net’s standard BAA for review and confirmed that changes to the document could not be considered.

That can sometimes feel restrictive from the customer side, but it is an important part of a standardized HIPAA hosting service. The BAA needs to align with the service being delivered, the controls in place, and the responsibilities Atlantic.Net can support consistently.

The sequence is straightforward:

  • The customer reviews the BAA.
  • The agreement is signed.
  • The environment is provisioned.
  • ePHI is introduced only after the proper agreement and controls are in place.

That was the right path for this customer as well.

Do You Offer Backup and Recovery?

Once the BAA position was clear, the customer asked the next practical question: Would the PostgreSQL database be on the same backup schedule as the rest of the system? In a SaaS application, the database is usually the most important recovery point. Application code can often be redeployed onto an immutable instance, servers can be rebuilt, and configuration can be restored, but the database contains the live operational record.

We confirmed that the environment would follow the same daily backup schedule, including the PostgreSQL database. For this launch scope, the backup offering included local and off-site fully managed daily cloud backups stored on separate storage devices, with encrypted-at-rest storage. There was no separate PostgreSQL backup schedule to manage at launch. The database would be included in the same daily backup cadence as the rest of the environment.

If the customer later needed a tighter recovery point objective, that would become a separate architecture discussion. More frequent database-level backups, replication, or a more formal disaster recovery design could be considered as the platform matures. For the initial launch, daily backups answered the requirement.

What About Scalability?

The next question was just as practical: How hard would it be to upgrade from the entry package to a larger hosting package once the application started to hit performance limits? This was another good question to ask before launch, not after the customer is already under pressure.

The answer was that an upgrade would require a signed addendum aligned with the terms of the initial agreement. Once signed, the upgrade would typically take two or three days, giving the customer realistic expectations.

Scaling is available, but it would be handled as a documented service change. In a HIPAA hosting environment, that is the right approach. Resource changes, contract terms, support expectations, and service scope must all stay aligned.

For a startup, this means they can start in an entry-level environment without feeling locked in permanently. They can launch responsibly, watch real usage, and upgrade when the application justifies the additional resources.

The Deployment Timeline

The initial deployment could take up to five days from receipt of the signed agreement, a window that gives the team time to process the agreement, prepare the environment, apply the required controls, configure backups, and coordinate the handoff.

For the customer, this answered the final planning question. They knew what needed to be signed, what would be installed, what would be backed up, what was outside standard support, and how long the first deployment could take. Having this level of clarity is key before any healthcare SaaS platform goes live.

What the Customer Needed to Know

The first email was about PostgreSQL, but the real conversation was about a startup’s launch readiness. By the end of the exchange, the customer had clear answers:

  • PostgreSQL installation could be supported.
  • PostgreSQL was outside the scope of standard support.
  • The database would follow the same daily backup schedule as the rest of the environment.
  • Atlantic.Net’s standard BAA would be provided for review and signature.
  • Changes to the BAA could not be considered.
  • Initial deployment could take up to five days after the signed agreement is received.
  • Upgrades would require a signed addendum and typically take two or three days after signature.
  • Support would be U.S.-based and available 24x7x365 by phone or ticket.

That is how a good HIPAA pre-sales conversation should work. The customer came in asking whether PostgreSQL could run in a HIPAA hosting environment. We walked through the database, the BAA, the backup cadence, the support boundary, the upgrade path, and the deployment timeline. By the end, we were ready to sign and build.

Ready to launch a HIPAA-compliant SaaS environment with PostgreSQL support? Contact Atlantic.Net to discuss your hosting requirements, BAA needs, backup expectations, and upgrade path.