Readers, it's been a while. So much has happened. Lately I've gotten to understand HIPAA a bit better as it pertains to servers and hosting apps that store or use medical data. Let's start with some definitions. HIPAA stands for the Health Insurance Portability and Accountability Act, which Congress passed back in '96. It is enforced by the Office for Civil Rights at the Department of Health and Human Services (HHS). For the purposes of app hosting, the part that matters is the Security Rule, which covers the electronic side of things: protected health information (PHI), and specifically electronic PHI (ePHI). Most of what people call personally identifiable information (PII) counts as PHI once it is tied to someone's health care or billing, so in practice you are protecting both.

TLDR: If you're going to build a medical app or host one, you need to be HIPAA compliant, which mostly means protecting that personal health information.

In order for a hosting provider to be compliant (under HIPAA you are a "business associate" of the covered entity whose data you hold), it needs to meet certain requirements. The Security Rule spells these out as physical, technical, and administrative safeguards. Let's talk about each one.

Physical Safeguards

Servers that host PHI/PII need certain physical safeguards: facility access controls, workstation use and security rules, and device and media controls (how disks and backup media holding PHI are wiped, moved, and disposed of). The good thing is that if you build on an infrastructure-as-a-service provider, the datacenter part of this is mostly done for you: the physical facilities that host our lovely virtual servers have key card entry plus biometric login, etc., by default. Two caveats, though. There is no such thing as "HIPAA certified" hosting; what you need from a provider like Digital Ocean or Linode is a signed Business Associate Agreement plus documentation of their controls, and not every IaaS vendor will sign one, so check before you commit. And a datacenter's SOC 1 or SOC 2 report (Service Organization Control) is an auditor's attestation about its controls, not a certification, so read the scope of the report rather than just noting that one exists.

Technical Safeguards

Technical safeguards are things like access control, authentication, audit logging, integrity controls, and secure transmission. They're easiest to think about from the app perspective. You need unique logins for every user (no shared accounts), encryption of PHI at rest (easiest if the app encrypts sensitive fields before they hit the database, on top of whatever disk encryption the host gives you) and in transit (TLS everywhere), and an audit trail of who did what and when. From the server perspective, it's making sure access to the box is limited to named people, recorded, and monitored for breaches. You should also implement automatic logoff, both in the app (session timeouts) and on the server (idle shell timeouts). This is the part where you run something like Fail2ban and write firewall rules that drop everything except the ports you absolutely need. One note on the rule itself: some of these specifications are "required" (unique user IDs, audit controls) and others are "addressable" (encryption, automatic logoff), but addressable does not mean optional; it means you either implement it or document why an equivalent measure is reasonable instead.
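Here is what the server-side half of that paragraph looks like as a script. This is an added example, not code from the original post: it generates a default-deny nftables ruleset, a Fail2ban jail that bans brute-force SSH clients (and re-bans repeat offenders for longer), and a shell idle timeout, which is the "automatic logoff" for SSH sessions. It assumes a Debian/Ubuntu host with nftables and fail2ban installed, SSH on port 22 and HTTPS on 443; those ports and paths are my assumptions, not the post's. Run with no arguments it only prints the generated configs; it installs them only when run as root with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original post): server-side technical safeguards
# for a host running a PHI-handling app. Assumptions (mine): Debian/Ubuntu with
# nftables and fail2ban installed, SSH on 22, HTTPS on 443, fail2ban >= 0.10.

# Emit an nftables ruleset that drops everything inbound except loopback,
# established/related traffic, rate-limited ICMP and the TCP ports given as
# arguments. New SSH connections are additionally rate-limited, and dropped
# packets are logged (rate-limited) so there is a record of who tried what.
gen_nft_ruleset() {
    ports=$(printf '%s,' "$@"); ports=${ports%,}
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept
        tcp dport 22 ct state new limit rate over 6/minute drop
        tcp dport { $ports } ct state new accept
        limit rate 5/minute log prefix "nft-drop: "
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Emit a Fail2ban jail.local: 5 failed SSH logins within 10 minutes bans the
# source for an hour; 3 bans within a day escalate to a week (recidive jail).
# Times are in seconds so the file also works on older fail2ban releases.
gen_jail_local() {
    cat <<'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
findtime = 86400
maxretry = 3
bantime  = 604800
EOF
}

# Emit a profile.d snippet so idle interactive shells exit after 10 minutes.
gen_tmout() {
    printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n'
}

# Install the generated files. The ruleset is syntax-checked before loading.
apply_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    gen_nft_ruleset "$@" > /etc/nftables.conf
    nft -c -f /etc/nftables.conf || return 1
    nft -f /etc/nftables.conf
    gen_jail_local > /etc/fail2ban/jail.local
    gen_tmout > /etc/profile.d/tmout.sh
    systemctl enable --now nftables fail2ban
    systemctl restart fail2ban
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_hardening 22 443 "$@"      # extra ports can follow --apply
else
    gen_nft_ruleset 22 443
    gen_jail_local
    gen_tmout
fi
```

Two design points: the SSH rate-limit rule sits before the general accept so that port 22 never gets the unlimited accept, and the `log` rule is itself rate-limited so that a flood can't fill the disk with drop messages, which would take your audit trail down with it.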

Administrative Safeguards

Administrative safeguards aren't just about writing up documentation explaining the SOP for when there's a security breach; they're also about making sure all personnel who handle PHI/PII are properly trained. You'll have to do a risk analysis and periodic risk assessments on your systems (commonly once a year, though the rule doesn't fix a number), which includes but isn't limited to testing your disaster recovery plan, like actually restoring a server and its data as if there had been a catastrophe. Reviewing your own policies and procedures is also required: look at how things are done and decide whether the process in place is still effective or needs adjusting. On the technical side, think of this as checking that your Fail2ban settings are actually capturing and banning failed login attempts, not just assuming they are.

Finally, having a contingency plan is also part of the administrative safeguards. It makes sense to have backups of your database, but having a backup of the server itself is essential, and it helps to have a backup of the backup too (a second, separate location for the backup databases). A backup you've never restored from is a guess, not a plan, so the restore test belongs in the schedule. And as a hosting company or as a medical app, you will need a signed Business Associate Agreement (BAA) with each client whose PHI you handle, and with any subcontractor of yours that touches it, your infrastructure provider included.
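To make the "test your restores" point concrete, here is an added example (my script, not anything from the original post) of a backup step that ends with a restore test: it compresses a dump, records its SHA-256, copies it to a second location, and then proves the archive decompresses to a byte-identical copy of the source, failing loudly when a copy has been damaged. With no arguments it runs on a small constructed SQL dump so it works offline; in real use you would point it at the file your `pg_dump`/`mysqldump` job produced and at an off-host mount. It assumes GNU coreutils (`sha256sum`, `mktemp`) and `gzip` are available; those are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): backup with a built-in restore
# test. Assumptions (mine): GNU coreutils (sha256sum, mktemp) and gzip.

# Compress $1 into directory $2 with a UTC timestamp and write a checksum
# file beside it. Prints the archive path.
make_backup() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    out="$dest/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ).gz"
    gzip -c "$src" > "$out" || return 1
    sha256sum "$out" | cut -d' ' -f1 > "$out.sha256"
    echo "$out"
}

# Copy the archive and its checksum to a second location (the "backup of the
# backup") and re-check the checksum at the destination.
replicate_backup() {
    archive=$1; second=$2
    mkdir -p "$second" || return 1
    cp "$archive" "$archive.sha256" "$second/" || return 1
    copy="$second/$(basename "$archive")"
    [ "$(sha256sum "$copy" | cut -d' ' -f1)" = "$(cat "$copy.sha256")" ]
}

# Restore $1 into a scratch file and compare it byte-for-byte with $2.
# Fails on a checksum mismatch (bit rot, tampering, truncated copy) or when
# the restored data differs from the original.
verify_restore() {
    archive=$1; original=$2
    expected=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: $archive" >&2
        return 1
    fi
    scratch=$(mktemp)
    gzip -dc "$archive" > "$scratch" 2>/dev/null
    cmp -s "$scratch" "$original"
    rc=$?
    rm -f "$scratch"
    [ $rc -eq 0 ] || echo "restored data differs from source: $archive" >&2
    return $rc
}

# Full cycle on a constructed sample dump, ending with a deliberately damaged
# copy to show that the restore test catches it.
demo() {
    work=$(mktemp -d)
    # Constructed sample input, not real data.
    printf 'CREATE TABLE patients (id int, mrn text);\nINSERT INTO patients VALUES (1, '"'"'MRN-0001'"'"');\n' \
        > "$work/dump.sql"
    arc=$(make_backup "$work/dump.sql" "$work/primary") || return 1
    replicate_backup "$arc" "$work/offsite" || return 1
    verify_restore "$arc" "$work/dump.sql" && echo "restore test passed: $arc"
    printf 'x' >> "$work/offsite/$(basename "$arc")"
    verify_restore "$work/offsite/$(basename "$arc")" "$work/dump.sql" \
        || echo "damaged copy correctly rejected"
    rm -rf "$work"
}

if [ $# -eq 2 ]; then
    arc=$(make_backup "$1" "$2") && verify_restore "$arc" "$1"
else
    demo
fi
```

The checksum is taken from the compressed archive rather than the source so the same check works at the off-site copy without access to the original; the byte comparison is what actually proves a restore would succeed.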

Overall, HIPAA compliance seems daunting, but truthfully the law is there to help us. We need to be smart about how we keep things running as a hosting company, and as long as we keep our ducks in a row, being HIPAA compliant is very doable.

The particular sections we, as techies, need to be aware of in the HIPAA regulation are 45 CFR 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards), 164.314 (organizational requirements, which is where the BAA terms live), and 164.316 (policies, procedures, and documentation, including the six-year retention rule for that documentation).

For more information, those sections, along with the rest of the regulation, can be found here, in particular pages 62-69.

Please note, I've oversimplified this. It's worth actually reading through the regulation. It's surprisingly easy to understand, and when you're used to engineering manuals, this is most definitely a breath of fresh air! :)

Level up +5


Questions? Comments? Hit me up at risaonrails !