HIPAA Compliance in Decisions
  • 08 Aug 2024

Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. When providing services to healthcare customers, Decisions can be operated in a HIPAA-compliant manner through its server configuration.


Configurations

Decisions supports HIPAA compliance through different configurations of its data storage and of the data structures used within the Decisions platform. In its default setup, Decisions does not store customer data; it stores only ‘metadata’ related to your Flow designs and layout. The datatypes used within Decisions can also be configured with 256-bit AES encryption to protect transactional data both at rest and in transit. Out of the box, Decisions can be used in a HIPAA-compliant manner, with advanced levels of security available via external integrations and configuration.


HIPAA Rules and Decisions

The following sections describe how Decisions can be configured to address several HIPAA safeguards and practices.

Privacy
  • By default, Decisions does not store any information relating to your data.
  • Decisions elements can be configured to store Personally Identifiable Information using 256-bit AES encryption.
Transactions
  • Decisions stores only data related to your designs and their configuration.
  • In their default configuration, Decisions Flows keep data in memory; when the Flow finishes executing, this data is purged.
  • Flows requiring data persistence, such as user tasks, can be configured to store data using encryption.
  • Decisions supports the FHIR and HL7 standards for processing medical information.
Enforcement
  • The platform can be configured through permissions in Decisions so that users cannot access or view any elements they are not assigned.
  • Decisions Server can be deployed on cloud infrastructure in your existing domain behind your current firewalls. Decisions runs as a browser application and can be configured to be delivered securely regardless of where your users access it from.
Auditing
  • Decisions tracks all user interaction in the platform at all times.
  • Decisions generates a unique session for each user, in which all modifications to both the platform and your designs are recorded along with the user who performed the action and when.
  • These reports can be further customized to expose additional information if desired.
  • Sessions can be configured with any auto-expiration period you require, and can also be set to end automatically when the browser is closed.
Access Control
  • Decisions supports SSO integration with any Identity Provider offering an OpenID or SAML 2.0 connector.
  • Decisions Flows can be configured with several different types of authentication for security.
  • By default, access to a Flow via the API is disabled unless that Flow is explicitly configured otherwise.

Further Certification

SOC 2: The SOC 2 report provides third-party assurance that the design of Decisions and our internal processes and controls meet the strict audit requirements set forth by the American Institute of Certified Public Accountants (AICPA) standards for security, availability, confidentiality, and privacy. The SOC 2 report is the de facto assurance standard for software providers. The Decisions SOC 2 certification is expected to be available in Q3 2022.
