How to ensure HIPAA compliance for your BI data pipeline

If your business handles protected health information (PHI), then a HIPAA-compliant data pipeline is critical for your analytics infrastructure. Stitch’s HIPAA white paper has full documentation on ensuring HIPAA compliance with Stitch; this post provides a summary to help you get started.

The first step is to enter into a business associate agreement with Stitch. A BAA is a legally binding document that details the security obligations and breach reporting procedures for both parties. Stitch’s infrastructure runs on Amazon Web Services, and we have a BAA with AWS to ensure that our services are HIPAA-compliant.

Compliant sources

Any PHI that you transmit through Stitch must come from a HIPAA-compliant source. Many of our most popular sources already are compliant, including Salesforce.com, Desk.com, and Zendesk, and all of our database sources can be made compliant by following the instructions in our white paper. We’ll work with you to ensure that all of your data sources are in compliance.

At your destination

At the other end of the pipeline, all supported Stitch destinations can be HIPAA-compliant if you configure them properly. If your data is hosted by a third party, make sure you have a BAA with the platform provider. Enable the destination’s SSH tunneling or SSL encryption options so that PHI is encrypted in transit between Stitch and the destination.

The credentials you provide to Stitch should be:

  • lengthy and complex

  • hard to guess

  • unique to Stitch

Final points

Finally, here are three more things to do and remember to maintain HIPAA compliance.

Go to Stitch’s Account Settings page and activate “Hide plain-text error messages in notification emails.” This ensures that PHI is not sent through email as part of an error message.

From time to time you may need to contact Stitch for support. Never transmit PHI when you make support requests to Stitch.

Lastly, don’t store PHI in metadata accessible by Stitch. Metadata means the names of objects rather than the data inside them, and could include:

  • User, account, and integration names

  • For databases: user, database, schema, table, and column names

  • For web services: dataset and field names
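One way to check for this before connecting a source is to scan the object names Stitch will see for values that look like PHI. The following is an added example, not code from Stitch or its white paper; the regular expressions and the sample metadata names are constructed for illustration and are a starting point, not an exhaustive PHI detector.

```python
import re

# Patterns for values that look like PHI and should never appear in
# identifiers (table, column, schema, dataset, field or account names).
# These patterns are constructed for this example and are deliberately
# loose: a false positive costs a quick review, a miss costs a breach.
# Digit-based patterns use lookarounds instead of \b because "_" is a
# word character, so \b would miss "dob_19850312".
PHI_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)"),
    "date_of_birth": re.compile(
        r"(?<!\d)(19|20)\d{2}[-_]?(0[1-9]|1[0-2])[-_]?(0[1-9]|[12]\d|3[01])(?!\d)"
    ),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "mrn": re.compile(r"mrn[-_]?\d{4,}", re.IGNORECASE),
    "phone": re.compile(r"(?<!\d)\d{3}[-.]?\d{3}[-.]?\d{4}(?!\d)"),
}


def find_phi_in_names(names):
    """Return [(name, kind), ...] for identifiers that appear to embed PHI.

    A column *called* "ssn" is fine: the name describes the data, it does
    not contain it. A table called "jane_doe_123-45-6789" is not fine.
    """
    findings = []
    for name in names:
        for kind, pattern in PHI_PATTERNS.items():
            if pattern.search(name):
                findings.append((name, kind))
                break  # one finding per name is enough to block it
    return findings


# Constructed sample metadata, e.g. what you might pull from a database's
# information_schema before handing the schema to a pipeline.
SAMPLE_METADATA = [
    "patients",                 # fine
    "patient_ssn",              # fine: names the field, holds no value
    "visits_2023",              # fine: a year alone is not a DOB
    "jane_doe_123-45-6789",     # SSN embedded in a table name
    "export_jdoe@example.com",  # email embedded in a dataset name
    "mrn_00482913_labs",        # medical record number in a name
    "dob_1985-03-12",           # date of birth in a column name
]


def audit(names):
    """Print findings and return True when the metadata is clean."""
    findings = find_phi_in_names(names)
    for name, kind in findings:
        print(f"PHI-like {kind} in identifier: {name!r}")
    return not findings


if __name__ == "__main__":
    clean = audit(SAMPLE_METADATA)
    print("metadata clean" if clean else "fix identifiers before connecting")
```

Run it against the names from your own information_schema (or the dataset and field list of a web-service source) and rename anything it flags before the integration is created, since Stitch will store those names as part of the integration’s metadata.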

If you follow all of these guidelines, you can be confident that your Stitch data pipeline is HIPAA-compliant. If you have questions about HIPAA compliance or you’re ready to get started, let us know.

Image credit: purpleslog