Day 24 — Building toward HIPAA Compliance (Pt. 1)
One of the looming questions that’s been on my mind since building out the Invincible App has been data security, and specifically HIPAA compliance.
I started this work several months ago, and today I picked it back up. Over the next few weeks I intend to start chipping away at the work required to get us to HIPAA compliance.
HIPAA’s Security Rule lays out a series of administrative, technical and physical safeguards (I’ll call them controls here) for ensuring that protected health information (PHI) stays secure. These guides do a much better job of explaining them than I can:
- HIPAA Compliance: Guide for Startups | Aptible
- Version 1.0: a guide designed to provide developers with a solid understanding of HIPAA guidelines and their…
For this work, I’ve separated the administrative from the technical/physical controls.
- Administrative controls are the policies and procedures we need to follow internally, including things like training, risk management, documentation, vendor audits, etc. I can start working on these now.
- Technical controls cover what we’ll accomplish through our technical infrastructure (e.g., encryption at rest and in transit, access control, audit logging). We’ll most likely use a vendor for these.
- Physical controls ensure that the computers, servers, etc. where the information is stored are physically secure. We’ll mainly inherit these from AWS under the shared responsibility model, which also means signing AWS’s Business Associate Agreement (BAA) and keeping PHI in services it covers.
1 — Administrative Controls
There are a few tools that offer out-of-the-box controls, policies, and procedures, but I found Aptible to be by far the best. The tool is super useful — and best of all, it’s free.
Aptible also provides a ticketing tool to drive the work, but I found it pretty clunky and confusing, so I ended up pulling out key work activities and creating tickets in JIRA.
2 & 3 — Technical & Physical Controls
When I first started considering how we might become HIPAA-compliant, I had assumed we could just set some configurations in AWS and we’d be good to go.
Boy was I wrong…
Without a huge dev team and a boatload of money, the conversation quickly shifted to third-party providers. I met with some vendors over the past few months to better understand the work effort required.
- The good news is that they should save us a ton of time and money.
- The bad news is that they aren’t cheap (starting at roughly $1K/month).
Here were my favorites:
I plan to make some small but meaningful progress in the morning and then call it quits for Christmas.