Blog
AI & Automation

HIPAA-Compliant Static IPs: How SSL Passthrough Keeps PHI Encrypted in Transit

QuotaGuard Engineering
March 14, 2026
5 min read
Pattern

If your healthcare app calls external APIs (EHR systems, lab platforms, pharmacy networks), and those APIs require IP whitelisting, you probably need a proxy with a static IP. That part is straightforward.

The part that trips teams up is encryption.

The Problem with Standard Proxies

Most proxy solutions use SSL termination. Your app connects to the proxy with TLS. The proxy decrypts the traffic to route it. Then it re-encrypts and sends it to the destination.

For most use cases, that's fine. For healthcare, it's a problem.

HIPAA's Security Rule requires that Protected Health Information (PHI) stays encrypted in transit. The regulation is specific: encryption must protect data from the point of origin to the point of destination. When your PHI gets decrypted on a proxy server, even briefly, that chain is broken. Unencrypted patient data now exists on infrastructure you don't fully control.

On top of that, most standard proxy providers don't offer a Business Associate Agreement (BAA). Without one, routing PHI through their infrastructure puts you out of compliance.

How SSL Passthrough Works

QuotaGuard Shield handles this differently. Instead of terminating your TLS connection, Shield uses SSL passthrough. Your encrypted connection passes through the proxy untouched. We never decrypt it. We never see the data.

Technically, your application establishes a TLS connection to the destination API (Epic, Cerner, a pharmacy network). Shield forwards the encrypted packets without touching the payload. The outer encryption protects credentials and metadata. The inner encryption protects PHI. End-to-end encryption stays intact.

What You Get with Shield

Shield starts at $29 per month. You get two load-balanced static IPs with automatic failover. Same static IP functionality as QuotaGuard Static, but with the encryption architecture that healthcare requires.

It works with HTTP proxy, SOCKS5, and QGTunnel for raw TCP connections. Whatever your integration needs.

Shield also comes with a Business Associate Agreement. When you sign up, you get a BAA. Your compliance team doesn't have to hunt for documentation or negotiate terms.

Data Residency for Regulated Environments

Some healthcare organizations need traffic to stay within the US. Others serve European patients and need GDPR compliance with EU data residency.

We handle this with our data regionality add-on at $899 per month. It region-locks all traffic to your chosen geography. EU-locked traffic never leaves the EU. US-locked traffic never leaves the US. This matters for certain healthcare contracts and regulatory requirements.

A Typical Scenario

A health tech company on Heroku builds a patient portal that integrates with Epic's API. Epic requires IP whitelisting. Heroku doesn't give static IPs. So they need a proxy.

They start with a standard proxy. It works technically. But during a compliance review, the security team flags it. No BAA with the proxy vendor. SSL termination means PHI is briefly decrypted on the proxy server.

They switch to Shield. Traffic is now encrypted end-to-end. The proxy provider has a signed BAA. Epic's IP whitelist blocks everything except Shield's two static IPs. Every byte of patient data stays encrypted from their application to Epic's servers.

The cost difference is about $50-60 per month.

Testing It

You can verify the setup at https://ip.quotaguard.com. It shows the static IP you're connecting from. Set up Shield, run the test, and confirm your IP is consistent. Same IP every time.

Keep It in Perspective

A proxy isn't your entire HIPAA strategy. You still need encrypted databases, access logs, incident response procedures, and security training. But outbound encryption is a real piece of the puzzle, and it's one that's easy to get wrong if you're using the wrong proxy.

Shield handles the outbound encryption problem and gives you the static IPs that healthcare platforms require. It also gives you compliance documentation for auditors.

Next Steps

If your healthcare app needs to call external APIs through whitelisted IPs, sign up for Shield and test it in your environment. Most teams can set it up in under 30 minutes.

QuotaGuard Static IP Blog

Practical notes on routing cloud and AI traffic through Static IPs.

Product Updates

Proximo Down Again? Migrate to a Static IP Proxy That Has Support

When Proximo goes down, Heroku customers lose production traffic with no support line to call. This post covers why QuotaGuard is the direct replacement and how to migrate in under 30 minutes.
QuotaGuard Engineering
March 10, 2026
5
min read
Tutorials & Integration Guides

Connect a Heroku App to AWS RDS with a Static IP

Heroku apps use rotating dynamic IPs that can't be allowlisted in AWS RDS security groups. This guide shows how to route Heroku outbound traffic through a static IP so you can lock your RDS instance to two fixed addresses.
QuotaGuard Engineering
March 10, 2026
5
min read
AI & Automation

Retool Static IP: Connect Retool to Firewalled Databases and APIs

Retool Cloud runs on dynamic shared IPs that get blocked by database security groups and IP-allowlisted enterprise APIs. This guide shows how to give Retool a fixed outbound IP using QuotaGuard, covering both Cloud and self-hosted deployments.
QuotaGuard Engineering
March 10, 2026
5
min read
AI & Automation

Railway Static IP: Fixed Egress for Railway Apps in 10 Minutes

Railway apps run on shared cloud infrastructure with rotating IPs. This guide shows how to assign a fixed static IP to Railway services using QuotaGuard, covering HTTP proxy setup, database connections, and Shield for inbound traffic.
QuotaGuard Engineering
March 10, 2026
5
min read
Tutorials & Integration Guides

Static Egress IP for DigitalOcean Kubernetes (DOKS): Three Options Compared

Honest comparison of DigitalOcean Kubernetes egress IP options: native VPC NAT gateway, egress Droplet with Reserved IP, and QuotaGuard proxy. Includes setup steps, real pricing, and inbound IP coverage for webhook scenarios.
QuotaGuard Engineering
March 6, 2026
5
min read
AI & Automation

Google Cloud Run Static IP: Why Cloud NAT Causes Timeouts (and the Simpler Fix)

Google Cloud Run doesn't give your functions a static egress IP. Cloud NAT works but causes connection timeouts. Here's why, and a simpler fix that takes 2 minutes.
QuotaGuard Engineering
March 5, 2026
5
min read
AI & Automation

n8n Cloud Static IP: Fixed Egress in 10 Minutes

n8n Cloud uses dynamic outbound IPs by default, which breaks integrations that require firewall allowlisting. This guide shows how to route n8n HTTP Request node traffic through a QuotaGuard static IP proxy, get a fixed egress address in under 10 minutes, and permanently solve the allowlisting problem without leaving n8n Cloud.
QuotaGuard Engineering
March 5, 2026
5
min read
Tutorials & Integration Guides

AWS Lambda Static IP Without NAT Gateway: Save $70+/Month

How to give AWS Lambda a static IP without a NAT Gateway. Skip $70+/month in infrastructure costs with a two-minute proxy configuration. Available directly on the AWS Marketplace
February 26, 2026
5
min read
AI & Automation

Your Replit App's IP Address Changes Every Deployment. Here's the Fix.

Replit assigns a new outbound IP on every deployment, breaking firewall rules and database connections. Here is how to fix it with a static IP proxy in under 5 minutes.
QuotaGuard Engineering
February 25, 2026
5
min read
Tutorials & Integration Guides

How to Route PyMongo Through a SOCKS Proxy on PythonAnywhere, Netlify, and Other Platforms That Restrict Custom Binaries

Running PyMongo on PythonAnywhere, Netlify, or another platform that blocks custom binaries? Here's the pure-Python SOCKS5 setup that works, including the mongodb+srv and SOCK_CLOEXEC gotchas that will silently break it if you miss them.
February 20, 2026
5
min read
Tutorials & Integration Guides

Why Your MongoDB Connection Is Eating Your SOCKS Proxy Bandwidth (And How to Fix It)

Seeing unexpected bandwidth usage on your SOCKS proxy with MongoDB? Learn how replica set heartbeats accumulate through proxy tunnels and three practical steps to reduce your footprint.
QuotaGuard Engineering
February 19, 2026
5
min read
AI & Automation

How to Add Static IPs to Apps Built with Emergent AI

Route outbound traffic from Emergent-hosted apps or exported code through fixed IPs to connect to firewalled databases, payment APIs, and enterprise systems.
QuotaGuard Engineering
February 17, 2026
5
min read
QuotaGuard's Journey

Heroku Is Entering "Sustaining Engineering" Mode. Here's What That Means for Your Static IPs.

Heroku is entering sustaining engineering mode. Your apps still run. Your static IPs still work. And if you migrate, your QuotaGuard IPs go with you.
QuotaGuard Engineering
February 16, 2026
5
min read
Tutorials & Integration Guides

QGTunnel: Static IPs for Database Connections, FTP, SFTP, and Other TCP Traffic

QGTunnel routes non-HTTP traffic like database connections, FTP, and SFTP through static IPs without changing your connection strings. Here's how it works and how to set it up.
QuotaGuard Engineering
February 14, 2026
5
min read
AI & Automation

HIPAA-Compliant Static IPs: How SSL Passthrough Keeps PHI Encrypted in Transit

Healthcare applications need to send encrypted data to external APIs, but regular proxies decrypt traffic mid-stream, violating HIPAA. QuotaGuard Shield uses SSL passthrough to maintain end-to-end encryption while providing compliant static IPs.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Static IPs on Netlify and Railway: What's Available and What's Not

Netlify has no static IPs at all. Railway offers shared ones on Pro plans. If your database or API requires dedicated IP whitelisting, here's what to do on both platforms.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Render's /24 Static IP Range: When 256 Addresses Is Too Many

Render gives you a /24 range with up to 256 IPs for outbound traffic. Most APIs only let you whitelist one or two. Here's how to get dedicated static IPs on Render.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Heroku's Rotating IPs: How to Get a Static IP Without Private Spaces

Heroku dynos rotate IPs constantly across AWS ranges. If your banking API, SQL Server, or SFTP vendor needs a whitelisted IP, here's how to get a static one without Private Spaces.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Serverless Functions and IP Whitelisting: The 0.0.0.0/0 Trap

Vercel, Lambda, and Cloud Functions don't have static IPs. Most teams cave and whitelist 0.0.0.0/0 in MongoDB Atlas. That opens your database to the entire internet. Here's the fix.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Make/Integromat and IP Whitelisting: Why Zone Detection Isn't Enough

Make rotates through 3 shared IPs per zone across thousands of users. Zone detection doesn't solve the whitelisting problem. Here's what actually works.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

n8n Cloud and Static IPs: How to Whitelist When You Have 22 Rotating Addresses

n8n Cloud gives you 22 rotating IPs that can change anytime. If your API vendor or SFTP server needs a static IP for whitelisting, here's how to fix it in five minutes.
QuotaGuard Engineering
February 13, 2026
5
min read
AI & Automation

Zapier and Static IPs: How to Whitelist a Zap Without Opening Your Firewall to All of AWS

Zapier doesn't have a static IP. It runs on AWS us-east-1 with millions of shared addresses. Here's why whitelisting the entire range is a security nightmare and what to do instead.
QuotaGuard Engineering
February 13, 2026
5
min read
Tutorials & Integration Guides

How to Fix Ruby DNS Resolution Errors When Using QGTunnel with Third-Party APIs

If you're using QGTunnel in transparent mode for database connections and seeing Socket::ResolutionError when calling APIs like Mailchimp, the fix is to disable transparent mode. This guide walks through the cause and the 5-minute solution.
QuotaGuard Engineering
January 29, 2026
5
min read
Tutorials & Integration Guides

How to Get a Static IP for Gigalixir Apps

Learn how to get static outbound IPs for Gigalixir apps. Code examples for HTTPoison, Req, Finch, and Tesla. Connect to firewalled databases and APIs.
QuotaGuard Engineering
January 19, 2026
5
min read
Tutorials & Integration Guides

How to Get a Static IP for Render Apps

Render provides shared CIDR ranges for outbound IPs, but many firewalls and databases require individual static IPs. This guide compares native options with proxy services and shows how to connect Render apps to MongoDB Atlas and other firewalled resources.
QuotaGuard Engineering
January 15, 2026
5
min read
Tutorials & Integration Guides

How Do I Get a Static IP for Fly.io Apps?

Learn how to get a static IP for Fly.io apps. Compare native egress IPs vs QuotaGuard proxy. Includes code examples for Node.js, Python, Elixir, and Go.
QuotaGuard Engineering
January 13, 2026
5
min read
Tutorials & Integration Guides

How to Fix 403 Forbidden Errors in n8n HTTP Request Nodes (The Static IP Fix)

Is your n8n AI agent getting blocked? If you are seeing 403 Forbidden or ECONNREFUSED errors, the problem isn't your code, it's likely your IP address. Learn why "noisy" cloud IPs get flagged and how to fix it in 2 minutes using n8n's native proxy settings.
QuotaGuard Engineering
December 8, 2025
5
min read
Tutorials & Integration Guides

SSL Passthrough vs SSL Offloading: A Quick Primer

Understand the critical differences between SSL Passthrough, SSL Offloading, and SSL Termination. Learn which method ensures end-to-end zero-knowledge encryption for compliance versus which optimizes performance by decrypting traffic at the load balancer.
QuotaGuard Engineering
December 4, 2025
5
min read
Security & Compliance

US and EU Data Residency for Static IP Proxy Traffic

Does your security team prohibit traffic from leaving the EU or US? Learn how QuotaGuard’s Data Residency add-on locks your static IPs and logs to a single region, simplifying your audits for SOC 2, HIPAA, and GDPR.
QuotaGuard Engineering
October 4, 2025
5
min read
Product Updates

Introducing U.S. Data Residency: Keep Your Proxy Traffic Fully Within U.S. Borders

Meet strict localization requirements with our new U.S. Data Residency option. Route all proxy traffic and logs exclusively through U.S. infrastructure to align with government contracts, HIPAA, and SOC 2 standards.
QuotaGuard Engineering
October 4, 2025
5
min read
Product Updates

QuotaGuard Now Live in 10 AWS Regions – Including Singapore and Mumbai!

QuotaGuard is now live in 10 AWS regions, including new launches in Singapore and Mumbai. Reduce latency and improve performance for your global workloads by routing static IP traffic through infrastructure closer to your data.
QuotaGuard Engineering
October 4, 2025
5
min read
Product Updates

QuotaGuard Expands: Early Access to Heroku’s Next-Gen Fir Platform

QuotaGuard is testing early access to Heroku's next-gen Fir platform. We are ensuring full compatibility so you can migrate your static IP workflows seamlessly as Heroku modernizes its infrastructure for better scalability and performance.
QuotaGuard Engineering
October 4, 2025
5
min read
View all

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.

Start Free TrialTalk to an Engineer