DoltHub is HIPAA Compliant
HIPAA certification is a security and privacy certification for organizations. HIPAA is generally required by customers dealing with health care data in the United States. This certification is very similar to Service Organization Controls 2 (SOC2) which DoltHub achieved in May. DoltHub recently received our HIPAA certification.
This blog will walk you through what HIPAA certification is, why it matters, and how we got certified.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards protecting sensitive health information from disclosure without a patient's consent. Title II of the Act governs electronic health records, or protected health information (PHI). In order to work with a company that houses PHI, a company must be certified as HIPAA compliant.
HIPAA compliance is very similar to other security certifications including SOC2. You must have documented information security and privacy policies, processes, and controls.
Why HIPAA?
Dolt and DoltHub continue to grow rapidly. We will end the year with roughly 10X the number of running servers we started the year with! As the number of servers grows, customer interest is coming from a number of different industries, healthcare among them. Dolt's ability to provide an immutable, database-enforced audit log of every stored value can be very useful in healthcare, where regulatory requirements force companies through exacting audits. Dolt can really help here, similar to how Dolt can help with Sarbanes-Oxley (SOX).
How do you get HIPAA?
For SOC2, we chose Vanta to help guide and manage our compliance needs. Fortunately, Vanta also helps with HIPAA compliance. The number of HIPAA controls is very large and I recommend working with a vendor who specializes in information technology compliance. We added the module and worked through all the requirements. Many were duplicates of SOC2 which made the process relatively easy. Vanta provides us with ongoing tests, compliance modules for employees, and compliance reminders specific to HIPAA.
Unlike SOC2, a HIPAA audit is not required. HIPAA compliance is self-attested. So, once you meet all the controls, you are HIPAA compliant. We completed all the controls last week.
How long does it take?
As a reminder, SOC2 took us about six months of calendar time, with about eight person-weeks of dedicated effort. Much of that work was reusable for HIPAA, so the process took about a month of calendar time and less than a week of dedicated time.
Conclusion
DoltHub is HIPAA compliant. Dolt healthcare customers were asking for it. It took a week or so of effort because we were already SOC2 compliant. Ready to use Dolt now that DoltHub is HIPAA compliant? Go ahead and deploy an instance or come talk to us about it on our Discord.