Datica Blog

Lifting A Fork for Open Source

Marcia Noyes

Datica Alumni — Former Director of Communications

September 7, 2017   Open Source HIPAA

A week ago, Chief Data Officer Mark Olschesky used Slack to announce that Datica had just passed 200 forks of our open-source policies. Of course, the company wise-crackers quickly posted the obligatory Yogi Berra response:

When you come to a fork in the road, take it!

As with many technical terms, the word “fork” clearly has more than one meaning. The mention of this particular company achievement, along with its oddly named metric, suddenly had my non-technical mind searching for answers. I needed to uncover not only what a “fork” was, but also why having 200 of them came with so many “thumbs up” and “clapping hands” emoticons. The discovery called for a quick Q&A with none other than the torchbearer himself, Mark Olschesky.

Q: Just what is a “fork” in technical terms?

Mark: A fork is a term for duplicating a code or document repository. It’s not required. Someone could simply download the source from the repository without us knowing at all. In the open-source world, “forks” and “stars” are a common way to track the success of a project. We use GitHub to host our policies; there, you can track all changes made to the policies by reviewing forks made by our customers.

Q: Participating in open-source projects has been strategic for Datica, can you tell me more about its importance to the company?

Mark: When the company was founded in 2013, the industry had its share of duplicitous vendors peddling “HIPAA-compliant” solutions for hosting and application development. Turns out that many of those solutions were far from compliant. As a company that, 1) wanted to do more to make compliance in the cloud easier and, 2) was not the first HIPAA-compliant vendor, the company needed to go the extra mile to prove our compliance and differentiate the company from the rest of the market beyond base market copy.

Q: How did that differentiation begin?

Mark: During Datica’s first HITRUST audit, CEO Travis Good, MD saw the potential for sharing what we’d learned with the entire industry via open-source policies. He then made the following strategic decisions:

  • Datica should publish our policies in a way that allows them to be easily tracked over time (GitHub).
  • We should open-source the policies to both engender goodwill with the developer community and to also demonstrate the lengths that Datica goes for its customers versus other “HIPAA-compliant” vendors.
  • Provide a way for other companies with existing infrastructure or that didn’t want to host with Datica to fork those policies and make them their own. As such, we would show different flavors of how to demonstrate compliance with different application stacks or organizational differences.

Q: How does forking of our open-source policies help healthcare in general?

Mark: As a company, Datica does not manage all the parts of HIPAA. For example, we don’t employ clinicians or have software that performs medical decision-making or automated outreach to patients. As such, it’s hard for our policies to be the definitive guide for “what it means to be HIPAA compliant.”

Q: That sounds counterintuitive to the ultimate goal of HIPAA compliance. Can you explain how forks play into that?

Mark: By looking at forks, you can see what other customers have done. Most commonly, you can see companies with different Business Associate Agreements (BAAs). You’ll also see some major material differences through the forks.

Q: Can you give me a good example of a fork?

Mark: One is Bind. You can see their policies here. As an insurer/broker (and therefore likely a Covered Entity), their policies will differ from Datica’s as a cloud infrastructure/tooling provider. Bind’s willingness to share what they’ve done could help other insurers or brokers with their path to build and demonstrate compliance. That can save everyone time and money. That savings allows organizations to work on the real problems in healthcare.

Q: When the 200th fork came in from the Chief Technology Officer of a care coordination platform, you shared this good news with the entire company. Why was this an important achievement?

Mark: Many open-source projects don’t receive much attention, so it’s great to see that Datica’s open-sourced policies are one of the more popular open-source projects in healthcare compliance. The Linux Foundation took a similar approach a year later in publishing their policies. Datica is proud to be one of the earlier innovators in a space that facilitates transparency in best practices by publishing those policies. As a company we strive to constantly do what’s best for our customers, but also the industry as a whole.
