The 2-minute guide to HIPAA compliance
Almost all companies that process health data in the US need to become HIPAA compliant. Here’s the 2-minute breakdown of what HIPAA is, how to get compliant, and key tips and tricks.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) outlines how sensitive protected health information (PHI) should be handled in the US.
HIPAA applies to you if:
- You deal with health information AND you work with another healthcare organization (i.e. hospital, clinic, digital health platform, etc. known as a “covered entity”)
Exceptions:
- You use de-identified health information (that doesn’t contain any names, emails, ID numbers, or other data outlined in HIPAA’s Safe Harbor method)
OR
- Your service is for consumer users ONLY and you don’t work with healthcare organizations (in which case getting compliant is highly encouraged but not required)
Consequences of not being HIPAA compliant:
If you get caught for not complying, you could face serious consequences:
- You could get fined (up to $1.5M/year)
- You could be personally liable (criminally punishable)
- You could lose your business license
HIPAA is enforced by the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS). The Federal Trade Commission (FTC) also enforces good security practices and can prosecute companies that don’t have them in place.
Pros and cons of being HIPAA compliant
Pros
- Ability to process PHI
- It’s a selling point
- Enhanced credibility + trust
- Improved data security
Cons
- Time + monetary cost
- Additional security overhead
- Restrictions on services that can be used
What’s required for HIPAA compliance?
To get HIPAA compliant, you must ensure that you are covered on both a technical and administrative level. On a high level, here are the requirements for compliance:
Technical:
Configure infrastructure that follows 2 core principles:
- Least privilege access → encryption in transit and at rest, Identity and Access Management (IAM) role/access restriction, firewalls, Web Application Firewalls (WAFs), public and private subnets, Virtual Private Clouds (VPCs), etc.
- High availability → load balancing, autoscaling, multi-availability zone/multi-region deployment, read replicas, blue green deployment, and rollbacks
Implement logging
- System access logs → record who accesses the system with timestamps and outcome
- User activity tracking → log specific actions performed by users, including interactions with sensitive data
- Security and errors → log security incidents and errors in detail
Monitor your infrastructure
- Automated alerts → have a system in place that warns you when an adversary is attempting a breach
- Health monitoring → maintain a dashboard to keep track of systems and ensure availability
- Review security → regularly verify data integrity, roll keys, and update with patches
Administrative:
Implement legal policies
- ~20 required security and privacy policies
- Sign Business Associate Agreements (BAAs) with all 3rd party vendors (e.g. AWS, OpenAI, Supabase, Twilio, etc.)
Establish company protocols for questions like:
- Who can access what data?
- What happens if an employee leaves?
- Who responds if there is a data breach?
Continually manage and assess compliance
- Regularly conduct checks → risk assessments, vendor security reviews, and compliance trainings
- Stay on top of tasks → many small details like multi-factor authentication, using a GitHub Org, screen lock, IAM access controls, etc.
What compliance solutions are available?
Instead of doing things from scratch (very risky, expensive, & time-consuming), check out the solutions below:
For technical tasks: Aptible, Porter, etc.
- Will help you deploy HIPAA-compliant infrastructure
- Total time: < 5 days
For administrative tasks: Vanta, Drata, Secureframe, Sprinto, etc.
- Will provide the non-technical tasks (i.e. legal policies, task checklist)
- Will run checks on your infrastructure setup but won’t fix it
- Total time: 3-4 weeks
For BOTH technical & administrative tasks: Delve
- Will deploy HIPAA-compliant infrastructure for you
- Will provide a monitoring/logging dashboard
- Will provide streamlined non-technical tasks (legal policies, task checklist, etc.)
- Total time: < 2 days
Key tips & tricks for HIPAA compliance
- Start early: Getting HIPAA compliant becomes harder the later you do it (shift left approach). Building compliant from day 1 is much easier. Plus, you need to be compliant before you can process PHI anyway.
- Use a compliance solution: Unless you’re a lawyer or healthcare security expert, HIPAA compliance isn’t something you can easily DIY. Choose a pre-existing solution to ensure you don’t make mistakes.
- Choose services carefully: If you’re HIPAA compliant, you can only use HIPAA compliant services that offer BAAs (for example, you can’t use Heroku or OpenAI APIs until you sign a BAA).
Dr. Parsons is the Chief Medical Information Officer (CMIO) at Boston Children’s Hospital. He attended medical school at Philadelphia College of Osteopathic Medicine and completed his residency in Internal Medicine and Pediatrics at Geisinger Medical Center in Danville, Pennsylvania. He then trained in a Clinical Informatics fellowship at Boston Children’s Hospital and earned his Masters in Biomedical Informatics from Harvard Medical School.