The 2-minute guide to HIPAA compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) outlines how sensitive protected health information (PHI) should be handled in the US.

HIPAA applies to you if:

• You deal with health information AND you work with another healthcare organization (i.e. hospital, clinic, digital health platform, etc. known as a “covered entity”)

Exceptions:

• You use de-identified health information (that doesn’t contain any names, emails, ID numbers, or other data outlined in HIPAA’s Safe Harbor method)

OR

• Your service is for consumer users ONLY and you don’t work with healthcare organizations (in which case getting compliant is highly encouraged but not required)

Consequences of not being HIPAA compliant:

If you get caught for not complying, you could face serious consequences:

• You could get fined (up to $1.5M/year)
• You could be personally liable (criminally punishable)
• You could lose your business license

HIPAA is enforced by the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS). The Federal Trade Commission (FTC) also enforces good security practices and can prosecute companies that don’t have them in place.

Pros and cons of being HIPAA compliant

Pros

• Ability to process PHI
• It’s a selling point
• Enhanced credibility + trust
• Improved data security

Cons

• Time + monetary cost
• Additional security overhead
• Restrictions on services that can be used

What’s required for HIPAA compliance?

To get HIPAA compliant, you must ensure that you are covered on both a technical and administrative level. On a high level, here are the requirements for compliance:

Technical:

Configure infrastructure that follows 2 core principles:

• Least privilege access → encryption in transit and at rest, Identity and Access Management (IAM) role/access restriction, firewalls, Web Application Firewalls (WAFs), public and private subnets, Virtual Private Clouds (VPCs), etc.
• High availability → load balancing, autoscaling, multi-availability zone/multi-region deployment, read replicas, blue green deployment, and rollbacks

Implement logging

• System access logs → record who accesses the system with timestamps and outcome
• User activity tracking → log specific actions performed by users, including interactions with sensitive data
• Security and errors → log security incidents and errors in detail

Monitor your infrastructure

• Automated alerts → have a system in place that warns you when an adversary is attempting a breach
• Health monitoring → maintain a dashboard to keep track of systems and ensure availability
• Review security → regularly verify data integrity, roll keys, and update with patches

Administrative:

Implement legal policies

• ~20 required security and privacy policies
• Sign Business Associate Agreements (BAAs) with all 3rd party vendors (e.g. AWS, OpenAI, Supabase, Twilio, etc.)

Establish company protocols for questions like:

• Who can access what data?
• What happens if an employee leaves?
• Who responds if there is a data breach?

Continually manage and assess compliance

• Regularly conduct checks → risk assessments, vendor security reviews, and compliance trainings
• Stay on top of tasks → many small details like multi-factor authentication, using a GitHub Org, screen lock, IAM access controls, etc.

‍

Key tips & tricks for HIPAA compliance

• Start early
• Use a compliance solution:
• Choose services carefully: