Day 27 — Building Toward HIPAA Compliance (Part 4)

Meditating sloths make data security not seem so hard

One of the key activities required for HIPAA Compliance is classifying and securing all the data we collect, store, and process. This data isn’t just limited to our app, though. It also includes our website, customer support tools, and anywhere else we collect data.

The Information Classification Policy

One of our key Security Policies within Risk Management is an Information Classification Policy.

Basically, for each bit of information we collect, store, or process, we also need to classify this data (plus, perform the harder step of making sure each has the appropriate controls on it).

We have 4 data designations:

  1. “Sensitive/Regulated Information” means information protected by international, federal, state, or local laws or regulations, or industry standards such as HIPAA.
  2. “Restricted Information” means internal information that is sensitive in nature and restricted in its use and distribution. Access to this information shall be limited to only authorized workforce members on a need-to-know basis.
  3. “Confidential Information” means information that may only be used or distributed internally. Confidential Information is intended for the use of our workforce members (or, in appropriate instances, business partners) when conducting business.
  4. “Public Information” means information that is not confidential and can be shared with external parties.

Apple Store Data Classification

One additional layer of classification we need to prepare for is organizing this in a way that’s also comprehensible to end-users. Luckily, Apple’s new OS Update does the hard classification work for us, so I intend to just follow it.

Apple's Data Classification for the App Store

You can find more details on the Apple Developer Site here.

Classifying Data

With our approach laid out, I added a tab to our Risk Analysis and started listing out all the data we collect from:

  1. The Invincible App
  2. The Invincible Website
  3. Additional Tools (e.g., Customer Support)

The Invincible App

We collect a variety of data within the app:

  • Contact Info: Name, Email, and Phone Number collected during our user account setup flow. This helps us assign a user account and enable communication features within the app.
  • Health: User-logged health information, such as glucose, insulin, etc. This enables our communication features for health teams.
  • User Content: User communication within the app (e.g., chat messages, likes, etc.). This facilitates team communication in the app.
  • Customer Support: Additional communication between users and Invincible for support purposes. This helps users and Invincible troubleshoot issues.
  • User Identifiers: Identifiers used for internal support purposes like UserID and TeamID. This enables functionality and analytics.
  • Usage Data & Analytics: Aggregate analytics to understand how the app is being used (e.g., number of messages sent on the platform). We use Google Data Studio and plan to eventually use Amplitude. This enables us to better understand how features are being used.
  • Diagnostics: Crash-related information so we can troubleshoot issues. We use Sentry for this.

With the exception of the 3rd party tools noted above, everything is stored locally in our app database and in AWS.

Invincible Website

There are 3 categories of information we collect on our website:

  1. Contact Information: We allow users to sign up for our newsletter on our website through Mailchimp.
  2. Analytics: We’re using out-of-the-box functionality from Google Analytics mainly to understand how many people are visiting the site.
  3. Customer Support: We have a “Contact Us” option on the website where users can submit contact details and information.

Customer Support

We’re doing this in a limited capacity right now via a form on our website and app (form collection through Webflow) but eventually will look to transition to a more robust customer support tool like Intercom.

The End Result

Data Classification

This information enables a number of downstream activities, including communicating to users what we’re collecting and why, securing data per its classification (e.g., PHI is stored in HIPAA-compliant databases), and following overall good security practices.
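To make the inventory tab actionable, the same spreadsheet can be turned into a small check: each data element gets a classification (defaulting from its App Store category), each storage location inherits the highest classification of anything it holds, and any element whose controls fall short of its level is flagged. The script below is an added example, not the post's own risk analysis or any tool the author uses; the inventory rows, the control names, the required-controls-per-level table, and the Apple-category-to-level mapping are all constructed assumptions to be replaced with your own policy values.

```python
"""Data inventory classification check (added example; not the post's tooling).

Assumptions (constructed for illustration):
- The four levels come from the Information Classification Policy in the post.
- The category -> default level mapping and the required controls per level
  are assumed values, not the post's policy text.
- Storage locations and control names are constructed placeholders.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    """Ordered so that max() picks the strictest classification."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2
    SENSITIVE_REGULATED = 3


# App Store privacy category -> default classification (assumed mapping).
DEFAULT_LEVEL: Dict[str, Level] = {
    "Contact Info": Level.RESTRICTED,
    "Health": Level.SENSITIVE_REGULATED,
    "User Content": Level.RESTRICTED,
    "Customer Support": Level.RESTRICTED,
    "User Identifiers": Level.CONFIDENTIAL,
    "Usage Data": Level.CONFIDENTIAL,
    "Diagnostics": Level.CONFIDENTIAL,
}

# Minimum controls per level (assumed; tune to your own policy).
REQUIRED_CONTROLS: Dict[Level, Set[str]] = {
    Level.PUBLIC: set(),
    Level.CONFIDENTIAL: {"access_control"},
    Level.RESTRICTED: {"access_control", "need_to_know", "encrypted_at_rest"},
    Level.SENSITIVE_REGULATED: {"access_control", "need_to_know",
                                "encrypted_at_rest", "audit_logging"},
}


@dataclass
class DataItem:
    name: str
    category: str          # App Store privacy category
    source: str            # app / website / support
    stores: List[str]      # constructed storage location names
    controls: Set[str] = field(default_factory=set)
    third_party: bool = False   # held by an outside vendor?
    baa_in_place: bool = False  # business associate agreement signed?
    level: Optional[Level] = None  # explicit override of the default

    def classify(self) -> Level:
        # Use the explicit level if set, else default from the category.
        if self.level is None:
            self.level = DEFAULT_LEVEL[self.category]
        return self.level


def check_item(item: DataItem) -> List[str]:
    """Return findings where controls fall short of the item's level."""
    findings = []
    level = item.classify()
    missing = REQUIRED_CONTROLS[level] - item.controls
    if missing:
        findings.append(f"{item.name}: missing controls for {level.name}: {sorted(missing)}")
    # Regulated data handed to a vendor needs a BAA under HIPAA.
    if level == Level.SENSITIVE_REGULATED and item.third_party and not item.baa_in_place:
        findings.append(f"{item.name}: regulated data in third-party tool without a BAA")
    return findings


def run_checks(inventory: List[DataItem]) -> List[str]:
    return [f for item in inventory for f in check_item(item)]


def store_levels(inventory: List[DataItem]) -> Dict[str, Level]:
    """Each store must be protected to the level of the most sensitive item in it."""
    levels: Dict[str, Level] = {}
    for item in inventory:
        for store in item.stores:
            levels[store] = max(levels.get(store, Level.PUBLIC), item.classify())
    return levels


def build_sample_inventory() -> List[DataItem]:
    # Constructed rows modelled on the post's inventory; not real controls.
    full = {"access_control", "need_to_know", "encrypted_at_rest", "audit_logging"}
    return [
        DataItem("account contact details", "Contact Info", "app", ["app-db"],
                 {"access_control", "need_to_know", "encrypted_at_rest"}),
        DataItem("glucose and insulin logs", "Health", "app", ["app-db"],
                 {"access_control", "need_to_know", "encrypted_at_rest"}),
        DataItem("crash reports", "Diagnostics", "app", ["crash-tool"],
                 {"access_control"}, third_party=True),
        DataItem("newsletter signups", "Contact Info", "website", ["newsletter-tool"],
                 {"access_control"}, third_party=True),
        DataItem("support messages mentioning health", "Customer Support", "support",
                 ["support-form-vendor"], set(full), third_party=True,
                 level=Level.SENSITIVE_REGULATED),
    ]


if __name__ == "__main__":
    inv = build_sample_inventory()
    for finding in run_checks(inv):
        print("FINDING:", finding)
    for store, lvl in store_levels(inv).items():
        print(f"{store}: protect to {lvl.name}")
```

Two design points matter in practice: the explicit `level` override lets a support message that happens to contain health details be escalated above its category default, and `store_levels` turns the per-item inventory into a per-database requirement, which is the form the "PHI is stored in HIPAA-compliant databases" control actually takes.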

Next Steps

With some good momentum going on the risk analysis work, I’m hoping to finish up our initial risk classification tomorrow.
