
HIPAA-compliant Supabase + Vercel in 2026: the $700/month setup that actually works

If you have spent the last week reading conflicting Reddit threads about whether Supabase is HIPAA-compliant, the short version is yes — but only on the right plan, with the right add-on, and only after the BAA is signed. The longer version explains why most teams get this wrong on their first deploy and what your stack actually needs to look like in 2026.

Two facts changed the calculus on this in 2025: Vercel opened HIPAA BAAs to Pro teams as a $350/month add-on, and Supabase made its HIPAA add-on self-serve from the dashboard. The combined cost — $700/month for the platform layer — finally puts a defensible HIPAA-compliant Next.js + Supabase stack in reach of pre-Series-A health-tech teams. Before 2025 the same setup required Vercel Enterprise (around $45K/year median) and Supabase Enterprise (custom pricing, typically a similar tier), pricing most early-stage teams onto AWS or Azure instead.

Is Supabase HIPAA compliant in 2026?

Yes, with two conditions. First, you need to be on the Team plan ($599/month) or the Enterprise plan, plus the HIPAA add-on at $350/month. The Free and Pro plans do not support HIPAA at any price — Supabase's Pro plan ($25/month) cannot store PHI under any configuration. Second, you must have a signed Business Associate Agreement (BAA) with Supabase, executed via the dashboard for Team and Enterprise customers.

Storing PHI in a Supabase Pro project without the HIPAA add-on is a HIPAA violation regardless of how locked-down your RLS policies are. The BAA is the contractual layer that makes the technical safeguards count. No BAA, no compliance — same rule as every other vendor in your stack.

What the Supabase HIPAA add-on actually buys you at $350/month

The $350 add-on covers four things that your Pro plan does not have: a signed BAA, additional security controls (audit logging, IP allow-listing, MFA enforcement, log retention), dedicated infrastructure for compliance-sensitive workloads, and access to Supabase's compliance documentation set required for your own audits.

  • Encryption at rest with AES-256, in transit with TLS 1.2+ — same as Pro, but contractually scoped under the BAA.
  • Audit log retention extended to six years for access logs touching PHI. The six-year figure comes from the Security Rule's documentation-retention requirement (45 CFR 164.316(b)(2)); auditors routinely apply it to PHI access logs, so plan on it.
  • Database point-in-time recovery and backups are included in scope under the BAA, so restoring from a backup does not put you outside the agreement.
  • Storage buckets, Auth, Edge Functions, and Realtime are all in scope. You can use the full platform for HIPAA workloads.
  • AI / Vector functionality (pgvector) is in scope, but if you embed PHI to vectors you are responsible for the encryption posture of the embeddings themselves and for any external embedding API call.

The full $700/month HIPAA stack: Vercel + Supabase + the parts you still have to build

A defensible HIPAA-compliant Next.js + Supabase stack in 2026 costs $700/month for the platform layer — $350 to Vercel for the Pro BAA add-on, $350 to Supabase for the HIPAA add-on. That price assumes you are on Vercel Pro and Supabase Team, which together cost roughly $620/month at base before the BAAs. Total floor: about $1,320/month, plus seats, plus any HIPAA-eligible third-party services.

What the platform BAAs cover

  • Hosting (Vercel): Edge runtime, Functions, ISR, image optimisation, log retention. Pro BAA does NOT include Secure Compute (isolated networks, dedicated IPs, VPC peering) — that is Enterprise-only at around $45K/year median.
  • Database, Auth, Storage, Realtime, Edge Functions (Supabase): all in scope under the BAA.
  • DNS, CDN, build pipeline (Vercel): in scope.

What the platform BAAs do NOT cover — your responsibility

  • Audit logging at the application layer — every PHI read and write needs to land in your own audit table, or in an external HIPAA-eligible logger. One in-platform pattern is an Edge Function forwarding audit events to a separate Storage bucket with its own retention settings, isolated from the operational database.
  • Authentication and session management — Supabase Auth with the BAA covers the storage of credentials, but your session-handling code, your role checks, and your idle-timeout enforcement are application-layer.
  • PHI in error logs — Sentry, Datadog, LogRocket, PostHog, etc. are NOT in scope unless you have their separate HIPAA tier (most do offer one, all charge extra). Sentry HIPAA tier exists at the Business plan ($80+/seat/month). Datadog HIPAA add-on requires Enterprise.
  • Email — Resend, Postmark, SendGrid: each has their own HIPAA tier. Resend HIPAA support landed in 2025 on the Pro plan with a separate BAA. Verify before sending appointment reminders or any PHI in email.
  • Third-party integrations — every external API that touches PHI needs its own BAA. Stripe Health, Twilio HIPAA, JotForm Gold (HIPAA at $99/month included), HubSpot Healthcare, etc.

How to ship a HIPAA-compliant Next.js + Supabase setup in 2026 — the practical sequence

1. Sign the BAAs first, before you write the schema

Set up a Vercel Pro account, add the HIPAA BAA add-on through the dashboard. Set up a Supabase Team account, request the HIPAA add-on, sign the BAA from the dashboard. Both are click-through agreements — not Enterprise sales calls — and both should be done before any PHI touches your infrastructure. If you build first and sign later, every PHI byte that landed in pre-BAA storage is a violation.

2. Design your schema with PHI isolation in mind

Separate PHI columns from non-PHI columns, ideally into their own table, so a careless select * on the identity table cannot leak them. Enable RLS on every PHI table and start from deny: a table with RLS enabled and no permissive policy returns nothing to the anon and authenticated roles, so every policy you add is an explicit grant. Remember that the service_role key bypasses RLS entirely; keep it out of request handlers. Use pgcrypto for column-level encryption on the most sensitive fields (SSN, diagnosis codes, mental-health notes), with the key held in Supabase Vault or supplied by the application, never in a column beside the ciphertext. The BAA already covers AES-256 at rest, but defence-in-depth on those fields is what your auditor will ask about.

3. Audit logging on every PHI access

HIPAA requires you to log every read and write of PHI, and retain the logs for six years. The pattern that works in Supabase: a separate audit_log table that every PHI-touching operation writes to. Inserts, updates and deletes can be captured by a row trigger, but Postgres triggers do not fire on SELECT, so reads have to go through a SECURITY DEFINER function (or an Edge Function) that writes the audit row before returning the data, with no SELECT policy on the PHI table so that the function is the only read path. The audit log itself is PHI-adjacent — you store user IDs, timestamps, and patient IDs, but never the PHI content itself in the audit row. Revoke UPDATE and DELETE on it from the API roles so it is append-only, and retain it on a separate retention policy from the operational database.
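The schema, deny-by-default RLS and audit pattern from steps 2 and 3, as one added example (this is not code from the original post or from Supabase). It assumes a Supabase project where auth.uid() and auth.jwt() exist, pgcrypto is available, and an auth hook places a tenant_id claim under app_metadata in the JWT; the table, column and function names (patients, patient_phi, audit_log, current_tenant, read_patient_phi) are illustrative, and the encryption key p_key is assumed to be supplied by the application from Vault or a KMS rather than stored in the database.

```sql
-- Added example, not code from the original post or from Supabase.
-- Assumes: auth.uid()/auth.jwt() (Supabase), pgcrypto, and a tenant_id claim
-- in app_metadata set by an auth hook (assumption). Names are illustrative.

create extension if not exists pgcrypto;

-- Identity table without PHI: safe to join from anywhere in the app.
create table public.patients (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  created_at timestamptz not null default now()
);

-- PHI in its own table; the highest-sensitivity field is pgcrypto-encrypted.
create table public.patient_phi (
  patient_id uuid primary key references public.patients(id) on delete cascade,
  tenant_id  uuid not null,
  full_name  text not null,
  dob        date not null,
  diagnosis  text,
  notes_enc  bytea            -- pgp_sym_encrypt(notes, key); the key is never stored here
);

-- Identifiers and timestamps only: an audit row must never carry PHI content.
create table public.audit_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  actor_id   uuid,
  action     text not null check (action in ('read', 'insert', 'update', 'delete')),
  table_name text not null,
  patient_id uuid,
  tenant_id  uuid
);

-- Deny by default: RLS enabled with no permissive policy returns nothing to anon/authenticated.
-- The table owner and service_role still bypass RLS, so keep the service key out of request code.
alter table public.patients    enable row level security;
alter table public.patient_phi enable row level security;
alter table public.audit_log   enable row level security;
-- History is append-only from the API side.
revoke update, delete, truncate on public.audit_log from anon, authenticated;

create or replace function public.current_tenant() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- Explicit grants. There is deliberately no SELECT policy on patient_phi.
create policy patients_tenant_select on public.patients
  for select to authenticated using (tenant_id = public.current_tenant());
create policy phi_tenant_insert on public.patient_phi
  for insert to authenticated with check (tenant_id = public.current_tenant());
create policy phi_tenant_update on public.patient_phi
  for update to authenticated
  using (tenant_id = public.current_tenant())
  with check (tenant_id = public.current_tenant());

-- Writes: a row trigger records who changed which patient's PHI (identifiers only).
create or replace function public.audit_phi_write() returns trigger
language plpgsql security definer set search_path = public as $$
declare r record;
begin
  if tg_op = 'DELETE' then r := old; else r := new; end if;
  insert into public.audit_log (actor_id, action, table_name, patient_id, tenant_id)
  values (auth.uid(), lower(tg_op), tg_table_name, r.patient_id, r.tenant_id);
  return null;   -- AFTER trigger: return value is ignored
end $$;

create trigger patient_phi_audit
  after insert or update or delete on public.patient_phi
  for each row execute function public.audit_phi_write();

-- Reads: triggers do not fire on SELECT, so this function is the only read path.
-- It audits before returning and gives the same error for missing and foreign-tenant rows.
-- p_key is supplied by the application from Vault/KMS (assumption of this example).
create or replace function public.read_patient_phi(p_patient_id uuid, p_key text)
returns table (full_name text, dob date, diagnosis text, notes text)
language plpgsql security definer set search_path = public as $$
declare v_tenant uuid := public.current_tenant();
begin
  if v_tenant is null or not exists (
       select 1 from public.patients p
       where p.id = p_patient_id and p.tenant_id = v_tenant) then
    raise exception 'patient not found' using errcode = 'P0002';
  end if;
  insert into public.audit_log (actor_id, action, table_name, patient_id, tenant_id)
  values (auth.uid(), 'read', 'patient_phi', p_patient_id, v_tenant);
  return query
    select x.full_name, x.dob, x.diagnosis,
           case when x.notes_enc is null then null
                else pgp_sym_decrypt(x.notes_enc, p_key) end
    from public.patient_phi x
    where x.patient_id = p_patient_id;
end $$;
revoke execute on function public.read_patient_phi(uuid, text) from public, anon;
grant  execute on function public.read_patient_phi(uuid, text) to authenticated;
```

Two design choices matter here. The tenant check in read_patient_phi runs against the non-PHI patients table and raises the same error whether the row is missing or belongs to another tenant, so the function cannot be used as an oracle for patient ids. And because p_key travels as a function argument, statement logging for this call must stay off, otherwise the key lands in the Postgres logs; passing the key at call time is still preferable to storing it in a table next to the ciphertext.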

4. Authentication with HIPAA-eligible session handling

Supabase Auth with the HIPAA add-on is in scope under the BAA. The application-layer requirements are still on you: idle-timeout sessions (typically 15 minutes for clinical workstations, 30 minutes for patient-facing apps), MFA enforcement for clinician accounts, password rotation policies if your auditor requires them, and explicit role-based access control on every protected route. Use Next.js middleware as the first gate for the session check, not client-side guards, and re-verify the session and role inside the route handler or server component that actually reads PHI: middleware is a convenience layer, not a security boundary, and CVE-2025-29927 was an authorization bypass of exactly the middleware-only pattern.

5. Storage for PHI documents and images

Supabase Storage with the HIPAA add-on covers signed-URL access, encryption at rest, and BAA-scoped buckets. The application-layer pattern: a private bucket per tenant, RLS policies on the storage.objects table, signed URLs with short expiry (5-15 minutes for PHI documents), and never a public bucket for PHI, even behind an unguessable path. Audit at the moment you issue a signed URL, writing the actor, patient and object identifiers to your audit_log: once the URL exists, the download is served by the Storage API without another RLS check, so issuance is the only point where you know who asked.
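The bucket-per-tenant Storage policies from step 5, as an added example (not code from the original post or from Supabase). It assumes the same current_tenant() helper (a tenant_id claim in the JWT's app_metadata, an assumption), one private bucket per tenant named after the tenant UUID, object paths laid out as <patient_id>/<file>, and the public.patients table from the schema step; the tenant id below is constructed. Signed-URL issuance and its audit row happen in application code and are outside this block.

```sql
-- Added example, not code from the original post or from Supabase.
-- Assumes: tenant_id claim in app_metadata (assumption), one private bucket per tenant
-- named after the tenant UUID, paths of the form <patient_id>/<file>, and public.patients.

create or replace function public.current_tenant() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- Provisioning a tenant bucket (constructed tenant id). public = false is not negotiable for PHI;
-- the on conflict clause flips an existing bucket back to private if someone toggled it.
insert into storage.buckets (id, name, public)
values ('6f1c2e52-9b1e-4b7a-8a44-3d3f0a1b2c3d', '6f1c2e52-9b1e-4b7a-8a44-3d3f0a1b2c3d', false)
on conflict (id) do update set public = false;

-- Callers only ever see objects in their own tenant's bucket...
create policy phi_docs_tenant_select on storage.objects
  for select to authenticated
  using (bucket_id = public.current_tenant()::text);

-- ...and may only upload into it, under a patient id that really belongs to that tenant,
-- so a client cannot file a document under another tenant's patient or an arbitrary prefix.
create policy phi_docs_tenant_insert on storage.objects
  for insert to authenticated
  with check (
    bucket_id = public.current_tenant()::text
    and exists (
      select 1 from public.patients p
      where p.id::text = (storage.foldername(name))[1]
        and p.tenant_id = public.current_tenant()));

-- No update or delete policies: documents are immutable from the client.
-- Retention and deletion run server-side under your retention policy, never from a browser session.
```

Because the bucket name is the tenant id, a policy that compares bucket_id to the caller's tenant is enough for read scoping, and the path check on insert keeps the object tree joinable to the patients table. A policy on storage.objects gates listing, uploads and the creation of signed URLs by an authenticated user; it does not gate a download that presents an already-issued signed URL, which is why the audit row for a read must be written when the URL is issued.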

6. Forms — use JotForm Gold for $99/month before you build your own

If your only PHI intake is forms, JotForm Gold at $99/month includes HIPAA at no add-on cost. Embed the form via iframe and the PHI never touches your infrastructure (as long as you do not pull submissions back through the JotForm API into your own database, which puts the data in scope again), and you have signed-BAA, audit-logged form storage in an afternoon. Building HIPAA-compliant forms natively in Next.js + Supabase is a 2-3 week engagement that JotForm solves for $99 monthly. Save the custom build for the parts of your product where the form alone is not enough.

Where Supabase is the wrong call for HIPAA workloads

  • If your auditor requires every PHI byte to live inside your own VPC. Supabase HIPAA gives you BAA-scoped multi-tenant infrastructure; it does not give you VPC isolation. The fix is Supabase Enterprise (custom quote) with dedicated infrastructure, or Postgres self-hosted on AWS RDS or Azure under their BAA.
  • If you need FedRAMP or StateRAMP coverage in addition to HIPAA. Those certifications are Azure / AWS GovCloud territory. Supabase does not have FedRAMP authorisation as of mid-2026.
  • If your application requires sub-10ms read latency on a multi-region patient dataset. Supabase has read replicas, but the multi-region story is not yet at the level of CockroachDB + Vercel Edge with custom replication.
  • If your team has zero Postgres operational depth and you need a fully-managed clinical database with vendor-supplied schema, FHIR APIs, and clinical decision support out of the box. That is Aidbox, Health Samurai, or Particle Health territory, not Supabase.

FAQ

How much does Vercel HIPAA BAA cost?

Vercel's HIPAA Business Associate Agreement is a $350 per month add-on on the Pro plan, signed via a self-serve click-through in the dashboard with no Enterprise contract required. SAML SSO is a separate $300 per month add-on. Combined, a typical compliance setup on Vercel Pro runs $650 per month before seat costs. Enterprise (around $45,000 per year median) bundles BAA, SSO, and Secure Compute together.

Is Supabase HIPAA compliant?

Yes, on the Team plan ($599 per month) or Enterprise plan, plus the $350 per month HIPAA add-on, with a signed Business Associate Agreement executed via the dashboard. Supabase Free and Pro plans do not support HIPAA at any configuration. Storing PHI in a Supabase Pro project without the HIPAA add-on is a HIPAA violation regardless of how locked-down your row-level security policies are.

Is the Supabase Pro plan HIPAA compliant?

No. Supabase Pro at $25/month does not support HIPAA at any configuration, and Supabase will not sign a BAA on the Pro plan. To store PHI on Supabase you need to be on the Team plan ($599/month) or Enterprise, plus the $350/month HIPAA add-on. The combined floor is roughly $950/month for the database layer alone, before any seat costs.

Does the Vercel BAA cover Supabase, or do I need both?

You need both. Vercel's BAA covers their hosting, runtime, edge, and platform services. Supabase's BAA covers the database, auth, storage, and edge functions on Supabase's infrastructure. Each vendor's BAA only covers their own services — there is no cross-vendor HIPAA inheritance. Sign one with each vendor that touches PHI, including any third-party API in the request path.

Can I use Supabase Realtime for HIPAA workloads?

Yes, on the Team plan with the HIPAA add-on, Supabase Realtime is in scope under the BAA. Application-layer rules still apply: use private channels and enforce row-level security on them (for private channels Realtime evaluates RLS policies on the realtime.messages table), your subscriber clients must authenticate via Supabase Auth, and PHI broadcast events must be logged to your audit table the same way as direct database reads.

What about pgvector and AI on Supabase HIPAA?

pgvector functionality is in scope under the Supabase BAA. The catch is that if you embed PHI to vectors using an external API (OpenAI, Anthropic, Voyage), the embedding call leaves Supabase's BAA-scoped infrastructure and lands at a third-party service that needs its own BAA. OpenAI's API supports HIPAA via zero-retention endpoints with a BAA from baa@openai.com. Anthropic's Claude requires the Enterprise plan (typically $50K+/year) for HIPAA. The vector storage in pgvector is BAA-scoped; the embedding pipeline is your responsibility to BAA end-to-end.

Do Supabase Edge Functions count as PHI processing under the BAA?

Yes. Edge Functions on the Team or Enterprise plan with the HIPAA add-on are in scope. The catch: outbound fetch calls from an Edge Function to a third-party API are not in scope unless that third party also has a BAA. If your Edge Function calls Stripe, Twilio, or Resend, each of those vendors needs to be on their HIPAA tier for the call to be compliant. The Supabase BAA does not chain to the API the function calls.

HIPAA-compliant apps in 2026 — Next.js, WordPress, or JotForm $99 — the parent post in this cluster covering all three architectural paths.

Hosting stacks that actually sign a HIPAA BAA in 2026 — broader hosting comparison including AWS, Azure, GCP, and the WordPress-specific HIPAA hosts.

WordPress Stack Advisor — paste your URL, get a tailored stack recommendation in 30 seconds. Useful if you are weighing whether your healthcare brief actually needs the full Next.js + Supabase setup or whether the WordPress + JotForm path solves it cheaper.

If you are six weeks into your healthcare app and you cannot answer 'is your stack HIPAA-compliant today' with a simple yes, the next thirty minutes will solve it.

Book a 30-minute HIPAA stack call — describe the product, walk through your current stack, leave with a HIPAA path that is defensible to your auditor and priced for your stage.
