Fill 1

Open Source

Company Policies for HIPAA Compliance

Handle PHI? Adopt these free 25 policies and be one step closer to HIPAA compliance.

icon-github-octocat View Policies on Github

HIPAA compliance is complicated, but it doesn't have to be. In an effort to make compliance as easy as possible for companies working with PHI, we decided to open source our HIPAA policies.

Our policies have been written with modern, cloud-based technology vendors in mind. We looked far and wide for policy examples that fit our company, and couldn't find any. So we wrote our own. Importantly, these policies have been through three external audits—two HIPAA audits and one HITRUST audit.

For the Modern Cloud Company

Because we crafted these policies for ourselves, we had the profile of a modern cloud healthcare company in mind. They are tailored specifically for you, including our business associate agreement (BAA).

Audited Thousands of Times

Don't just take our word for it. These policies have gone through two official HIPAA audits and two official HITRUST assessments with Datica, but have been used to pass over 1,000 security and risk assessments by our customers. They have been validated by independent third parties.

Free to Use

That's right, these are entirely free to use and edit. All documents are licensed under CC BY-SA 4.0.

No Markup Required

All documents were written in markdown, which again likely aligns with you as a modern cloud company. It makes using git for version control and publishing to the web simple.

Case Study: Eligible Inc.

"Eligible makes it simple for healthcare engineers to pass and receive financial transactions with over 1,000 health insurance companies across the country.

We believe that for Datica to open source these documents is truly ground breaking in healthcare IT.

In the past we've spent an enormous amount of funds creating & updating our policies. We have yearly evaluations of our policies in October and this past October (2014) we were able to update and implement a number of improvements to our existing policies all based off the information we gathered from Datica's policies. This cost us zero dollars in comparison to our expensive updating of policies in prior years.

This is definitely the first time we have seen policies open sourced and we applaud the use of tools like GitHub to manage version control of all policies.

I think this could be revolutionary in helping the industry as a whole collaborate to improve privacy and security practices by gathering information from the highest level security/privacy experts in the field and making it available via similar open source methods."

Katelyn Gleason

Katelyn Gleason

CEO & Cofounder, Eligible Inc.

HIPAA Policies

Each policy is included as its own markdown file in case you want to cherry pick specific policies. If you currently have no policies in place, we encourage you to consider utilizing all policies.

Structural

  1. Introduction
  2. HIPAA Inheritance for PaaS Customers
  3. HIPAA Inheritance for Platform Add-on Customers
  4. HIPAA Mappings to Datica Controls
  5. Key Definitions

Physical

  1. Disposable Media Policy
  2. Facility Access Policy
  3. Disaster Recover Policy

Technical

  1. System Access Policy
  2. Data Management Policy
  3. Data Integrity Policy
  4. Data Retention Policy
  5. Configuration Management Policy
  6. IDS Policy
  7. Vulnerability Scanning Policy

Administrative

  1. Policy Management Policy
  2. Risk Management Policy
  3. Auditing Policy
  4. Incident Response Policy
  5. Breach Policy
  6. Approved Tools Policy
  7. 3rd Party Policy

Organizational

  1. Roles Policy
  2. Employees Policy
  3. Datica HIPAA Business Associate Agreement ("BAA")

Frequently Asked Questions

Who is behind this?

Datica Health, Inc., healthcare's trusted HIPAA-compliant platform.

We help healthcare companies who handle PHI, both business associates and covered entities, maintain compliance with our platform and managed data integration services.

Why open source these policies?

HIPAA compliance has two halves. The first half includes all technical guidelines, both physical and digital. Encryption, logging, monitoring, backup—these are just a few examples of HIPAA technical requirements. The Datica platform addresses the technical requirements of HIPAA for our customers.

The second half of HIPAA is focused on administrative and organizational activities. This includes signing Business Associate Agreements (BAAs), risk management procedures, and policies for training, among other things. Crafting company policies that align with HIPAA administrative guidelines are straightforward, but an immense burden.

When we were creating our policies, we found several templates for healthcare providers, but nothing for modern health technology companies. We spent a lot of time and effort writing our policies, then adapting them to meet the demands of external audits. We don't want people to reinvent the wheel; trust us, it's not fun. We also feel a broader community can improve these polices over time, making them better for everybody.

By open sourcing our own company policies, we hope other healthcare companies will benefit. It aligns with our company mission: to help you focus on fixing healthcare without spending all of your time on HIPAA.

What license are the policies?

All company policies are licensed under CC BY-SA 4.0. You can edit and use as you wish for anything other than commercial use.

Can I change the name Datica in the policies and say I'm HIPAA compliant?

You can say what you want. They are open source and you can use as you see fit. But, we don't recommend that. We are not saying adopt these policies and be HIPAA compliant. We open sourced these policies to help modern healthcare companies get a head start. They are the starting point that we wish we had at Datica. We've implemented technical controls and organizational procedures specifically based on these policies (ex: we say we log certain events in our policies, so we log those events using our logging stack). We encourage you to customize the policies to meet your needs.

Okay. So now what should I do?

As a company who handles PHI, it's critical you adopt and maintain your own HIPAA policies. To make use of our policies, we recommend the following steps.

  1. Read through all the enclosed policies to get an understanding of the structure.
  2. Download and adjust the policies to meet the specific needs of your organization.
  3. Comb through the policies for mentions of Datica or our business and change to appropriate references to your company.
  4. Implement internal procedures and technical controls to assure you're inline with the policies you are adopting. In the case of Datica customers, certain policies can be adopted in their entirety as Datica has implemented procedures and technical controls that our customers inherit.
  5. Publish your policies in a publicly available location. The files are markdown, so you may need to convert to HTML if you don't have a publishing platform capable of markdown format. You can either create an index page linking to each individual policy, or create a single page listing all the policies in line, much like we did. You can certainly choose to keep you policies private, but we have discovered that making our policies public helps us when we talk to large healthcare enterprises.
  6. Use Git for version control. We've discovered it's a great way to maintain documentation for audits.