Configure for HIPAA Compliance

Platform Version 2.0

API Version N/A

Introduction

HIPAA compliance cannot be achieved solely through the implementation of technology. There must be a commitment from all levels of the organization, from leadership on down. Technology is one part of the equation, but it cannot be the only part. Training, education, and a culture of compliance are also critical components.

This section will provide guidance on how to configure GraphGrid to align with your HIPAA compliance program based on the HIPAA privacy rules.

In order to safeguard patients' privacy, there are key rules set forth by the Health Insurance Portability and Accountability Act. First and foremost, patient information can only be shared with those who have a valid reason for needing access. This means that healthcare providers and other covered entities must take extra measures to ensure that only authorized individuals can view or receive protected health information.

Furthermore, HIPAA establishes strict guidelines for how patient data can be used, disclosed, and stored. Failure to adhere to these privacy rules can result in significant penalties. By understanding and following HIPAA's privacy requirements, covered entities can help protect patients' sensitive information.

Note: As always, consult a HIPAA professional when designing your comprehensive compliance program. GraphGrid provides a variety of technical solutions, but it is up to you to determine how to fit them into your HIPAA compliance program. The suggestions below are only provided to help you think about how you can technologically support your HIPAA compliance requirements when using GraphGrid. Technology alone cannot meet your HIPAA requirements, so we cannot guarantee you are HIPAA compliant simply by using GraphGrid.

Data Storage

One of the first steps in moving toward HIPAA compliance is a data storage approach that supports both the privacy and security rules.

Separate Instance for Database

To accomplish this, the GraphGrid deployment requires its own database instance. This means that the database will be separate from the rest of the system, with the ability to restrict access to the minimum group of personnel.

To accomplish this, launch a new instance with its own data volume. Install, configure and start only the ONgDB version that aligns with your GraphGrid installation. Then either edit the following file before installation, <install_path>/.data/redis/setup/graphgrid_default_config.txt, and run the install afterwards, or change the config that tells GraphGrid where to find its ONgDB database after install through the ./bin/graphgrid config set command. These are the ONgDB config settings that should be modified to point at the external ONgDB installation. (HSETNX only sets a field that does not already exist, so these entries take effect when they are in the pre-install file; to override a value that is already set, use the config set command.)

HSETNX /2.0/application/default spring.data.neo4j.password "_database_password_here_"
HSETNX /2.0/application/default spring.data.neo4j.port.bolt "7687"
HSETNX /2.0/application/default spring.data.neo4j.port.http "7474"
HSETNX /2.0/application/default spring.data.neo4j.protocol "bolt"
HSETNX /2.0/application/default spring.data.neo4j.url "_host_here_"
HSETNX /2.0/application/default spring.data.neo4j.username "ongdb"

Note: Make sure to launch the database instance in the same region and availability zone as the instance with the GraphGrid installation. Doing this will avoid latency issues on the requests made by the other GraphGrid services and by your own application. Having a separate database accessible over the network is a very common architecture. ONgDB is designed to operate in this architecture, so there should be no impact on performance.

Emergency Access

If an emergency situation arises and healthcare professionals need to access a patient's protected health information, they may do so by breaking the glass. This is known as HIPAA emergency access.

You can accomplish this using the fine-grained, security-level access management controls and API-specific controls to expose an API, used by a UI, that gives a person access to a patient record in an emergency. When you enable this, it is recommended to record this access in a dedicated set of logs for audit purposes. GraphGrid does not provide a UI or an API specifically for this purpose.

A more technical way to accomplish the same access, possible out of the box, would be to have the system administrator and the database administrator together directly access the external database instance configured above and query for the specific PHI. This is essentially a two-key access approach and could be used to break the glass in an emergency. It is a potentially viable solution if you do not have, or do not wish to expose, a UI for this purpose.

Audit Log

HIPAA audit log trails are an important way to stay on top of your compliance requirements. By keeping track of who has accessed protected health information, you can ensure that only authorized individuals have access to this sensitive data. Additionally, audit logs can help you identify potential security breaches and investigate any potential unauthorized disclosures of patient information.

You can use the Monitoring and Logging service to support your requirement to keep an audit trail. At this time, GraphGrid does not provide an audit service that automatically tracks access to your specific PHI/PII based on a configuration you provide, because your database schema, and therefore what constitutes PHI/PII, is defined after installation. However, as you develop your custom API services, they can use the available Logging service to capture access.
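The break-glass path and the audit trail described in the two sections above, combined in one added example that is not GraphGrid code and not part of the original page. It assumes a simple per-patient grant table and an in-memory log; in a real service the records would go to the Logging service, and the function and field names are placeholders.

```python
"""Emergency (break-glass) PHI access guard with a separate audit log.

Added illustration, not part of the GraphGrid platform. The normal path is
allowed only by an explicit grant; the emergency path is allowed for any
caller who records a justification, and every such event lands in a
dedicated emergency log that stays 'pending' until a reviewer signs it off.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditTrail:
    normal: list = field(default_factory=list)     # routine allowed/denied reads
    emergency: list = field(default_factory=list)  # break-glass reads, reviewed later


@dataclass
class AccessPolicy:
    grants: dict  # constructed sample: user -> set of patient ids they may read


def read_phi(user, patient_id, policy, trail, emergency_reason=None):
    """Decide a PHI read and append an audit record; returns the decision."""
    record = {"time": datetime.now(timezone.utc).isoformat(),
              "user": user, "patient": patient_id}
    if patient_id in policy.grants.get(user, set()):
        record["outcome"] = "allowed"
        trail.normal.append(record)
        return "allowed"
    if emergency_reason:
        # Break the glass: access is granted, but only with a recorded reason
        # and a review flag so an auditor must look at it afterwards.
        record.update(outcome="break-glass", reason=emergency_reason,
                      review="pending", reviewer=None)
        trail.emergency.append(record)
        return "break-glass"
    record["outcome"] = "denied"
    trail.normal.append(record)
    return "denied"


def pending_reviews(trail):
    """Break-glass events that no reviewer has signed off yet."""
    return [r for r in trail.emergency if r["review"] == "pending"]


def sign_off(trail, index, reviewer):
    """Close a break-glass event; the reviewer may not be the accessor (two-key)."""
    rec = trail.emergency[index]
    if reviewer == rec["user"]:
        raise ValueError("reviewer must differ from the user who broke the glass")
    rec.update(review="closed", reviewer=reviewer)
    return rec
```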

Encryption

Encryption is an important part of a layered approach to security, and it is a key element of HIPAA compliance. GraphGrid supports both encryption in flight and at rest.

At Rest

Volume-level encryption at rest needs to be configured for the environment in which you operate GraphGrid. GraphGrid has been tested and will operate without issue on an encrypted volume.

In Flight

SSL/TLS can be enabled for encryption in flight as described here.

Responsibility Boundary

GraphGrid does not provide any HIPAA services out of the box. GraphGrid is a platform that provides a foundation for your end solution. It is your responsibility to configure and build on this foundation the APIs and UIs that need special HIPAA consideration in how they handle PHI/PII. The building blocks provided will make this easier, accelerate delivery and lower TCO.

The simple way to understand this is the following layer cake:

Application
Platform
Infrastructure

All three must work together to support a HIPAA compliance program. Once you've configured the infrastructure and platform architectures to meet those technical baselines needed for a HIPAA compliance program, the Application tier is where all your specific requirements and patient-specific interactions are developed by your team. These patient interactions could be consent flows, authorizations and the like.

We hope this helps you think more confidently about how to configure GraphGrid to support your HIPAA compliance requirements. Please contact us if you have any questions we can clarify!