Day 24 — Building toward HIPAA Compliance (Pt. 1)

Today I lay out how we’ll get to HIPAA Compliance

One of the looming questions that’s been on my mind since building out the Invincible App has been data security. Specifically, HIPAA Compliance.

I started this work several months ago, and today I picked it back up. Over the next few weeks I intend to start chipping away at the work required to get us to HIPAA compliance.

Research

HIPAA lays out a series of administrative, technical and physical controls for ensuring protected health information (PHI) is secure. These guides do a much better job of explaining them than I can:

High-Level Approach

For this work, I’ve separated the administrative from the technical/physical controls.

  • The administrative controls are policies and procedures we need to follow internally, including things like training, risk management, documentation, vendor audits, etc. I can work on these now.
  • Technical controls outline the things we’ll accomplish through our technical infrastructure (e.g., encrypted storage at rest and in transit). We’ll most likely use a vendor for these.
  • Physical controls ensure that the computers / servers / etc. where the information is stored are secure. We’ll mainly inherit these controls from AWS.

High-Level Work to be Done

1 — Administrative Controls

There are a few tools that offer out-of-the-box controls, policies, and procedures, but I found Aptible to be by far the best. The tool is super useful — and best of all, it’s free.

Out-of-the-box documentation on Aptible

Aptible also provides a ticketing tool to drive the work, but I found it pretty clunky and confusing, so I ended up pulling out key work activities and creating tickets in JIRA.

The Mountain to Climb

2 & 3 — Technical & Physical Controls

When I first started considering how we might become HIPAA-compliant, I had assumed we could just set some configurations in AWS and we’d be good to go.

Boy was I wrong…

Without a huge dev team and a boatload of money, the consideration quickly switched to third-party providers. I met with some vendors over the past few months to better understand the effort required.

  • The good news is that they should save us a ton of time and money.
  • The bad news is that they aren’t cheap (starting costs are roughly $1K/month).

Here were my favorites:

HIPAA Vendors for Implementing Technical Controls

What’s Next?

I plan to make some small but meaningful progress in the morning and then call it quits for Christmas.

Happy Holidays!

Startup founder surviving in his parent’s basement.