September 7, 2017

Lifting A Fork for Open Source

Marcia Noyes
Marcia Noyes

Datica Alumni — Former Director of Communications

A week ago, Chief Data Officer Mark Olschesky used Slack to announce that Datica had just passed 200 forks of our open-source policies. Of course, the company wise-crackers quickly posted the obligatory Yogi Berra response:

When you come to a fork in the road, take it!

As with many technical terms, the word “fork” obviously had more than one meaning. The mention of this particular company achievement, along with its oddly referenced name suddenly had my non-technical mind driving for answers. I needed to uncover not only what a “fork” was, but also why having 200 of them came with so many “thumbs up” and “clapping hand” emoticons. The discovery called for a quick Q&A with none other than torchbearer himself, Mark Olschesky.

Q: Just what is a “fork” in technical terms?

Mark: A fork is a term for duplicating a code or document repository. It’s not required. Someone could simply download the source from the repository without us knowing at all. In the open-source world, “forks” and “stars” are a common way to track the success of a project. We use GitHub to host our policies; there, you can track all changes made to the policies by reviewing forks made by our customers.

Q: Participating in open-source projects has been strategic for Datica, can you tell me more about its importance to the company?

Mark: When the company was founded in 2013, the industry had its share of duplicitous vendors peddling “HIPAA-compliant” solutions for hosting and application development. Turns out that many of those solutions were far from compliant. As a company that, 1) wanted to do more to make compliance in the cloud easier and, 2) was not the first HIPAA-compliant vendor, the company needed to go the extra mile to prove our compliance and differentiate the company from the rest of the market beyond base market copy.

Q: How did that differentiation begin?

Mark: During Datica’s first HITRUST audit, CEO Travis Good, MD saw the potential for sharing what we’d learned with the entire industry via open-source policies. He then made the following strategic decisions:

  • Datica should publish our policies in a way that allows them to be easily tracked over time (GitHub).
  • We should open-source the policies to both engender goodwill with the developer community and to also demonstrate the lengths that Datica goes for its customers versus other “HIPAA-compliant” vendors.
  • Provide a way for other companies with existing infrastructure or that didn’t want to host with Datica to fork those policies and make them their own. As such, we would show different flavors of how to demonstrate compliance with different application stacks or organizational differences.

Q: How does forking of our open-source policies help healthcare in general?

Mark: As a company, Datica does not manage all the parts of HIPAA. For example, we don’t employ clinicians or have software that performs medical decision-making or automated outreach to patients. As such, it’s hard for our policies to be the definitive guide for “what it means to be HIPAA compliant.”

Q: That sounds counterintuitive to the ultimate goal of HIPAA compliance. Can you explain how forks play into that?

Mark: By looking at forks, you can see what other customers have done. Most commonly, you can see companies with different Business Associate Agreements (BAAs). You’ll also see some major material differences through the forks.

Q: Can you give me a good example of a fork?

Mark: One is Bind. As an insurer/broker (and therefore likely a Covered Entity, their policies will differ from Datica’s as a cloud infrastructure/tooling provider. Bind’s willingness to share what they’ve done could help other insurers or brokers with their path to build and demonstrate compliance. That can save everyone time and money. That savings allows organizations to work on the real problems in healthcare.

Q: When the 200th fork came in from the Chief Technology Officer of a care coordination platform, you shared this good news with the entire company. Why was this an important achievement?

Mark: Many open-source projects don’t receive much attention, so it’s great to see that Datica’s open-sourced policies are one of the more popular open source projects in healthcare compliance. The Linux Foundation took a similar approach a year later in publishing their policies. Datica is proud to be one of the earlier innovators in a space that facilitates transparency in best practices by publishing those policies. As a company we strive to constantly do what’s best for our customers, but also the industry as a whole.

tag Open Source HIPAA


What does it take to be a 100% HIPAA compliant cloud company?

Travis Good, MD

Co-founder & Chief Technology Officer

Datica has spent extensive time and money on security and organizational policies and procedures specifically to comply with HIPAA and share with our customers.

event-note July 27, 2017

Kubernetes vs. PaaS

Ryan Rich

Chief Product Officer and Chief Security Officer

If you're new to container orchestration and more familiar with a fully managed platform-as-a-service (PaaS), Kubernetes can seem complex. Learn the differences and tradeoffs.

event-note June 21, 2018