Who is behind this?
Datica Health, Inc., healthcare's trusted HIPAA-compliant platform.
We help healthcare companies who handle PHI, both business associates and covered entities, maintain compliance with our platform and managed data integration services.
HIPAA compliance has two halves. The first half includes all technical guidelines, both physical and digital. Encryption, logging, monitoring, backup—these are just a few examples of HIPAA technical requirements. The Datica platform addresses the technical requirements of HIPAA for our customers.
The second half of HIPAA is focused on administrative and organizational activities. This includes signing Business Associate Agreements (BAAs), risk management procedures, and policies for training, among other things. Crafting company policies that align with HIPAA administrative guidelines are straightforward, but an immense burden.
When we were creating our policies, we found several templates for healthcare providers, but nothing for modern health technology companies. We spent a lot of time and effort writing our policies, then adapting them to meet the demands of external audits. We don't want people to reinvent the wheel; trust us, it's not fun. We also feel a broader community can improve these polices over time, making them better for everybody.
By open sourcing our own company policies, we hope other healthcare companies will benefit. It aligns with our company mission: to help you focus on fixing healthcare without spending all of your time on HIPAA.
All company policies are licensed under CC BY-SA 4.0. You can edit and use as you wish for anything other than commercial use.
You can say what you want. They are open source and you can use as you see fit. But, we don't recommend that. We are not saying adopt these policies and be HIPAA compliant. We open sourced these policies to help modern healthcare companies get a head start. They are the starting point that we wish we had at Datica. We've implemented technical controls and organizational procedures specifically based on these policies (ex: we say we log certain events in our policies, so we log those events using our logging stack). We encourage you to customize the policies to meet your needs.
As a company who handles PHI, it's critical you adopt and maintain your own HIPAA policies. To make use of our policies, we recommend the following steps.