Hacker News new | ask | show | jobs
by alexalvarado 2160 days ago
Thanks. This is an important question. You are exactly right that under HIPAA, there are a few basic data protection requirements. These encompass administrative, physical and technical requirements. A few examples of the technical requirements: all protected data must be encrypted at rest and in transit, each medical professional authorized to access PHI must have a unique identifier to monitor access, and automatic log-off must be implemented to protect data. We've architected from Day 1 to be able to meet these needs. You can read more about HIPAA requirements here: https://www.hhs.gov/hipaa/for-professionals/security/laws-re...
1 comments
btown 2160 days ago
Amazing - you all are doing vital, lifesaving work! Curious - did you determine that you needed to use any existing software systems to help with regulatory compliance, such as any big-name EMR solutions and/or single-sign-on with the same? Or were you able to meet HIPAA requirements with standard web application tools & stack? Do you feel any choices of language, database, even things like advisory board, etc. made this easier to do?
link
alexalvarado 2160 days ago
Working with existing software systems make this compliance much easier. Many of the big name service providers (Twilio, Sendbird, Auth0, Heroku, AWS, etc) have out-of-the-box HIPAA compliancy. And working with an EMR is tablestakes for a healthcare provider, we definitely did not build that from the ground up! Our work is about bringing these solutions together into a unified UX and ensuring compliancy / security across the stack, while gradually introducing secure and compliant native functionality. Language itself does not have a huge impact (we've seen it done in many different languages), but having the right advisor can make the build process a lot easier if they know what to look for!
link