Among all the industries that data have the potential to revolutionize, healthcare stands alone. Healthcare industries generate an enormous volume of data every day, from patient records to clinical imaging to trial results, and there are myriad opportunities for insights to improve life and longevity for billions of humans.
Patients and providers, however, deserve privacy and accountability, and their data needs to be stored and processed securely. In the US, the Health Insurance Portability and Accountability Act (HIPAA) provides a set of regulations and guidelines for people working with healthcare data. It also outlines very harsh penalties for mismanaging said data: breaches can result in many millions of dollars of fines.
A common misconception is that HIPAA is a “certification” one can achieve. In reality, HIPAA compliance is a risk management process. There’s no agency or outside auditor that gives you a badge of approval. It’s really up to each organization to make their own determination on how much risk they’re willing to bear, and demonstrate to an auditor that their controls are sufficient to manage that risk.
Before an organization can provide services to a HIPAA Covered Entity that involve protected health information (PHI), it needs to sign a Business Associate Agreement (BAA) as a Business Associate of the Covered Entity. This is essentially a contract that outlines what PHI is being disclosed, and the permissible uses and disclosures of that PHI. Signing a BAA means assuming significant risk: the Business Associate is responsible for managing and processing the PHI securely, and is on the hook if it causes a breach through negligence.
So if you are, let’s say, a data analytics company, you need to approach this topic with care. Signing BAAs can unlock a lot of new business, but also a lot of additional risk, so you need to make sure you are handling customer data with extreme diligence.
At Hex, security is central to everything we do. We have invested heavily here from day one, including a dedicated Trust Program, unbroken SOC 2 Type II attestations, regular audits, and an active bug bounty program. Our existing Hex Cloud multi-tenant environment already offers a secure, scalable place to work with data.
In the past, however, the heightened risk from handling PHI led us to only sign BAAs for customers on our single-tenant deployments. These setups are isolated from the internet and other customers, which reduces the risk profile. Single-tenant deployments, however, also introduce additional infrastructure overhead and cost, which makes them prohibitive for smaller companies.
Today, however, we are introducing a new option: HIPAA Multi-Tenant, which will allow healthcare customers to use Hex at a greatly reduced total cost.
Under the hood, this new instance is mostly the same as our existing Hex Cloud multi-tenant, which already offers best-in-class security. This new HIPAA stack, however, offers further assurances:
It is not exposed to the open internet – users can only access this stack through VPN or a zero-trust option, greatly reducing the attack surface available to any malicious actors;
Relatedly, it does not allow for self-serve signup, so any customers with access have been vetted by our team, with a signed, paid contract in place;
HIPAA-specific controls such as shortened session lifetimes and other, tighter defaults;
The flexibility to introduce additional controls or configuration changes specific to healthcare customers’ needs.
Together, these steps further reduce the total risk profile for customers and ourselves, making signing BAAs – and the resulting assumption of risk – more tolerable and insurable at lower costs.
HIPAA multi-tenant sits alongside our existing US multi-tenant and EU multi-tenant stacks, as well as our single-tenant offering, meaning customers have access to a range of deployment options based on their unique security needs and paranoias.
Our greatest joy is seeing customers do amazing things with Hex – especially when it has the potential to improve lives. We are proud to already have dozens of amazing healthcare customers using the product, and are excited to welcome many more through our new HIPAA multi-tenant.