undefined | Better HN

0 pointsmarkolschesky11y ago0 comments

There's a bit more to HIPAA than signing a BAA with your infrastructure vendor. I agree that you currently aren't storing PHI, so you're in the clear for now. I imagine that in the future your business would require you to. There's a bunch of things like auditing, logging, vulnerability scanning, disaster recovery, training and having policies in place when you do need to fully account for protecting PHI.

We open-sourced our HIPAA policies where I work at Catalyze recently. Check 'em out and good luck! http://catalyzeio.github.io/policies/

0 comments

1 comments · 1 top-level

beermann11y ago

Thanks Mark, we've actually read your HIPAA policies. And yes, you're correct, there's a lot more to HIPAA compliance than how you store your data. We will continue to move down the path of treating everything as being PHI even though it isn't currently.

j / k navigate · click thread line to collapse