We’ve received requests from both Stitch customers and other organizations for a HIPAA-compliant ETL platform, and we’ve been working hard to put in place the components and assurances we need to offer that feature. We’re happy to announce that Stitch is now HIPAA-compliant and will sign Business Associate Agreements (BAAs).
Health care information is among the most private and personal information that we all have, and yet it is information we can’t keep entirely to ourselves. For many years access to that information was regulated by a patchwork of federal and state laws. In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, and set out a Privacy Rule designed to safeguard and protect the confidentiality of medical information. The follow-on Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further addressed the electronic transmission of health information under HIPAA.
Until now, companies that needed to move protected health information (PHI) from a cloud data service to a corporate data warehouse had a tough time finding data pipelines that complied with HIPAA privacy requirements. In most cases, they were forced to build the pipelines themselves, which is a poor use of developer time. Now, Stitch can serve as their secure, compliant data pipeline.
What we did
Data security is always a key consideration, but the sensitive nature of personal health information makes security and privacy even more important. Businesses need to meet a whole list of requirements to demonstrate HIPAA compliance. They have to commit to maintaining technical, physical, and administrative safeguards. Among the features we’ve implemented:
Encryption of data at rest: Customer data is encrypted anytime it’s written to disk using the AES-256 encryption algorithm
Encryption of data in transit: Customer data is encrypted using TLS anytime it’s sent across the network
Network zoning: Machines handling HIPAA data are isolated from other parts of the infrastructure
Authorization safeguards: Multifactor authentication required to access parts of the infrastructure that process PHI
Access monitoring: Access to data is logged and monitored for unauthorized or anomalous access
Staff responsibilities: A security team that maintains formal policies and procedures and conducts an annual risk assessment, quarterly vulnerability assessments, and risk mitigation actions; and a designated HIPAA officer responsible for training employees, investigating compliance issues, and writing, implementing, and maintaining the policies, procedures, and documentation related to security and compliance
Stitch runs on the Amazon Web Services (AWS) cloud platform, and we’ve obtained a BAA from Amazon under which it commits to meeting its own HIPAA obligations as well.
If you don’t handle health care data, why should any of this matter to you? Because all of the changes we’ve made for HIPAA compliance apply to all customer data, whether or not it falls under HIPAA regulations, so every Stitch user benefits from these changes.
Bottom line: If you want to move PHI to your data warehouse, Stitch can do it for you quickly, securely, and cost-effectively, while complying with all HIPAA mandates.