We recently completed our third external HITRUST audit along with an internal SOC 2 audit. The HITRUST audits were performed by Coalfire Systems, a large national third-party auditor. The results of that audit and assessment can be boiled down to this badge, which our customers can post to their own websites.
The truth is it took a lot of time and effort to get here, and we learned far more about HIPAA and security than we ever expected. We did not outsource any of our compliance work because it is core to what we do. All of our policies and procedures are written, reviewed, and maintained in house, just like our code: policies go through a pull request process similar to the one we use for code review and are also reviewed by external auditors, but they are owned wholly by Datica. Below are some high-level things we’ve learned.
Our technology, together with the policies described below, is the most obvious part of HIPAA. Our technology is built from the ground up to be secure and to expose data only when access is specifically granted, never by default. Starting from a minimum-access standard is hard when you are trying to build a flexible cloud platform for developers, but we think we’ve succeeded in combining simplicity, security, and flexibility.
As part of Datica’s risk management program, we review the SOC 2 reports of AWS, Azure, Rackspace, and all other suppliers of services that involve ePHI. In turn, our customers should evaluate us as part of their program by reviewing Datica’s compliance documents, specifically the HITRUST and SOC 2 reports. These reports confirm our risk management program as outlined in the Risk Management section of our compliance policy.
There are countless innovative and powerful things we do to maintain the integrity, privacy, and security of data on Datica and we make it a point to open-source those with our customers and the cloud community as a whole.
Speaking of policies, we have a lot of policies and I don’t think we fully expected to spend so much time developing and refining them. The last time I checked we had about 26,000 words worth of policies, including our BAA. You can look at our policies here.
All of our policies are written in Markdown and we use GitHub for version control. Our policies are open-sourced in the hope that others can use them to simplify their lives.
Procedures for HIPAA compliance
Policies are the easy part compared to procedures. Policies dictate what must be done; procedures are the processes that define specifically how we operate at Datica in order to adhere to those policies. Procedures can make for tedious work, especially when it comes to HIPAA compliance, where documentation is essential for pretty much everything. We did not anticipate how many procedures we’d need to put into place, but we’ve been creative in their application and it has let us remain agile within a highly regulated industry.
Forms and tracking for HIPAA
Tightly tied to the procedures above are the number of forms and the amount of tracking that we do. As an example, when you create a policy for system access, you need a way to track requests for and grants of access to various systems and data. This is one of many examples; others include changes to our infrastructure, firewall rules, etc. We lean heavily on JIRA issues and tracking for this, and find them to be very effective. When we were going through our HIPAA audits and our HITRUST audit, this was a very easy way for us to show evidence of following our policies and procedures.
Part of the HIPAA requirements is that all workforce members (employees and contractors) receive training on HIPAA. We looked at the available training options and felt that the majority were created for covered entities, people who handle paper records, and people who work with patients. We decided those had zero value to our employees, so we wrote our own HIPAA introductory training. All new employees at Datica complete this training. We also give regular demonstrations covering topics related to security, privacy, and health industry trends for all Datica team members.
BAAs for new technologies
At Datica we don’t have ready access to any ePHI, but we do store sensitive information and support our customers with their applications. As such, we made the decision early on to either own and manage systems that store sensitive information or work with companies that will sign BAAs with us.
We took all of these steps and dedicated all of these resources because operating as a business associate, with all organizational and administrative requirements met, sets us apart from everybody else in the compliant infrastructure business. We don’t just sign business associate agreements (BAAs) and secure our infrastructure; we comply with HIPAA to the full extent of the rules. It gives us additional insight into our customers’ needs and keeps us intimately close to the problem we are solving. It is also extremely valuable to our customers when they work with compliance offices and can point to our audit reports and guides.
When you decide to go down the path of hosting your application in a HIPAA-compliant cloud, we encourage you to spend time digging deeper than the sales pitch into how the offerings and organizations available to you differ in their approaches to HIPAA, and which are really solving your problem vs. selling you a checkbox for a BAA. If you have a question about compliance at Datica, please email us and we’ll be happy to tell you everything we’ve learned and why we’re so proactive about compliance and transparency.