HIPAA compliance is complicated, but it doesn't have to be. In an effort to make compliance as easy as possible for companies working with PHI, we decided to open source our HIPAA policies.
Our policies have been written with modern, cloud-based technology vendors in mind. We looked far and wide for policy examples that fit our company, and couldn't find any. So we wrote our own. Importantly, these policies have been through three external audits—two HIPAA audits and one HITRUST audit.
Because we crafted these policies for ourselves, we had the profile of a modern cloud healthcare company in mind. They are tailored specifically for you, including our business associate agreement (BAA).
Don't just take our word for it. These policies have gone through two official HIPAA audits and two official HITRUST assessments with Datica, but have been used to pass over 1,000 security and risk assessments by our customers. They have been validated by independent third parties.
That's right, these are entirely free to use and edit. All documents are licensed under CC BY-SA 4.0.
All documents were written in markdown, which again likely aligns with you as a modern cloud company. It makes using git for version control and publishing to the web simple.
"Eligible makes it simple for healthcare engineers to pass and receive financial transactions with over 1,000 health insurance companies across the country.
We believe that for Datica to open source these documents is truly ground breaking in healthcare IT.
In the past we've spent an enormous amount of funds creating & updating our policies. We have yearly evaluations of our policies in October and this past October (2014) we were able to update and implement a number of improvements to our existing policies all based off the information we gathered from Datica's policies. This cost us zero dollars in comparison to our expensive updating of policies in prior years.
This is definitely the first time we have seen policies open sourced and we applaud the use of tools like GitHub to manage version control of all policies.
I think this could be revolutionary in helping the industry as a whole collaborate to improve privacy and security practices by gathering information from the highest level security/privacy experts in the field and making it available via similar open source methods."
CEO & Cofounder, Eligible Inc.
Each policy is included as its own markdown file in case you want to cherry pick specific policies. If you currently have no policies in place, we encourage you to consider utilizing all policies.
Who is behind this?
Datica Health, Inc., healthcare's trusted HIPAA-compliant platform.
We help healthcare companies who handle PHI, both business associates and covered entities, maintain compliance with our platform and managed data integration services.
HIPAA compliance has two halves. The first half includes all technical guidelines, both physical and digital. Encryption, logging, monitoring, backup—these are just a few examples of HIPAA technical requirements. The Datica platform addresses the technical requirements of HIPAA for our customers.
The second half of HIPAA is focused on administrative and organizational activities. This includes signing Business Associate Agreements (BAAs), risk management procedures, and policies for training, among other things. Crafting company policies that align with HIPAA administrative guidelines are straightforward, but an immense burden.
When we were creating our policies, we found several templates for healthcare providers, but nothing for modern health technology companies. We spent a lot of time and effort writing our policies, then adapting them to meet the demands of external audits. We don't want people to reinvent the wheel; trust us, it's not fun. We also feel a broader community can improve these polices over time, making them better for everybody.
By open sourcing our own company policies, we hope other healthcare companies will benefit. It aligns with our company mission: to help you focus on fixing healthcare without spending all of your time on HIPAA.
All company policies are licensed under CC BY-SA 4.0. You can edit and use as you wish for anything other than commercial use.
You can say what you want. They are open source and you can use as you see fit. But, we don't recommend that. We are not saying adopt these policies and be HIPAA compliant. We open sourced these policies to help modern healthcare companies get a head start. They are the starting point that we wish we had at Datica. We've implemented technical controls and organizational procedures specifically based on these policies (ex: we say we log certain events in our policies, so we log those events using our logging stack). We encourage you to customize the policies to meet your needs.
As a company who handles PHI, it's critical you adopt and maintain your own HIPAA policies. To make use of our policies, we recommend the following steps.