How Courier Became HIPAA Compliant
When thinking about handling PII (Personally Identifiable Information) for SaaS companies, standards like SOC 2 compliance and GDPR immediately come to mind. One of the most sensitive types of information for a tech company to handle, however, is actually PHI, or protected health information. To be able to handle this type of data, a company must become HIPAA compliant.
HIPAA, or the Health Insurance Portability and Accountability Act, regulates the way PHI is collected, processed, stored, and shared in the United States. Protecting PII remains as important as ever for maintaining a person’s security and privacy online, but the improper handling of a person’s health data can additionally be physically dangerous. For example, data concerning a child’s vaccinations that is improperly stored could cause the patient to receive a double dose, no dose at all, or the incorrect vaccine entirely.
Today, we are excited to announce that Courier is now HIPAA compliant and this post will get into why SaaS companies should be HIPAA compliant, why this is important for our company, and the steps we took to get here.
Why SaaS companies should be HIPAA compliant
2020 introduced us to healthcare complexities the likes of which the vast majority of people had never seen within their lifetimes. While the world has experienced health emergencies before, none of this size has landed in our current era of tech expansion. We now have SaaS tools to help healthcare providers organize and digitize in order to provide a higher-quality experience for patients, both in person and online. Even mental health services are now often provided at high volume and quality through online counseling options like BetterHelp.
With the demand for healthcare tech growing and the digitization of medical care expanding, even existing SaaS companies can expect a greater portion of their customer base to deal with PHI, which means that they themselves will need to be equipped to handle this sensitive data. Becoming HIPAA compliant is therefore likely going to be necessary in the near future, if it isn’t already, for many SaaS companies.
Why Courier invested in HIPAA compliance
Here at Courier, in particular, we knew from the start that HIPAA compliance would be necessary sooner rather than later. Courier’s mission is to make software-to-human communication delightful, currently by providing excellent notification infrastructure. We are happy to work with our current customers such as Hospitable, to provide better communication between guests and hosts, and LaunchDarkly, to help retain users. Another important line of communication, however, exists between healthcare providers and patients, or between providers.
A patient who could receive notifications about blood test results, for example, could access their data more easily through a HIPAA-compliant Courier instead of having to deal with terrible UX to get the information they would be waiting for. Other notifications that would require HIPAA compliance include reminders for doctor’s appointments, flags that prescriptions are ready for pickup, and as a more timely example, notifications for Covid test results.
Courier’s journey to compliance
To become HIPAA compliant, we had to consider two major parts of the process of handling PHI: who will be touching the data, and how it will be presented in the product.
For any technical product, data passes through several touchpoints, often repeatedly. PHI collected from a user, for example, would reach our sub-processors in addition to our own databases, as well as the databases of the customers who collect the data in the first place. To maintain HIPAA’s protections as this data moves around, every organization involved signs a BAA, or Business Associate Agreement. According to the U.S. Department of Health & Human Services, a business associate is any person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. For Courier, this includes all of our vendors, AWS for example.
In terms of how PHI would be presented in the product, we treated this as an engineering issue from the start. HIPAA applies to communications just as it does to stored data, and because of how Courier works, the amount of PHI stored for a particular user will only increase rapidly over time. This means that the way data is accessed needs to be considered while designing the product itself.
As an example, employees of Courier’s customer companies can generally see logs of notifications with their end users to help them gather data to improve their notification strategy over time. However, if a Courier customer is HIPAA compliant, their employees should not have access to their end users’ PII. In this situation, Courier must provide customers with the right tools to manage which employees can access which types of data. This is something to consider particularly carefully if you are an engineer at a SaaS company who is building a notification infrastructure in-house instead of using a tool like Courier — the complexity of building the infrastructure compounded with figuring out how to handle the data in a way that would be HIPAA compliant would be a massive undertaking that is best mitigated by early design considerations around data collection and logging.
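The following is an added illustration of the access-control point above, not Courier’s own code: a notification log view that masks PHI fields unless the viewing employee’s role was granted PHI access, fails closed on unclassified fields, and records each view for audit. The field classification, role names and sample record are constructed assumptions.

```python
"""Field-level PHI masking for notification log views (constructed example,
not Courier's code). A customer's employees may read delivery logs, but PHI
fields are masked unless the viewer's role was granted PHI access, unknown
fields fail closed, and each view is recorded for audit."""
from typing import Dict, List, Set, Tuple

# Assumed field classification for a notification log record.
PHI_FIELDS: Set[str] = {"recipient_name", "recipient_phone", "message_body"}
OPERATIONAL_FIELDS: Set[str] = {"notification_id", "channel", "status", "sent_at"}

# Assumed role grants: which field categories a role may read.
ROLE_GRANTS: Dict[str, Set[str]] = {
    "analyst": {"operational"},            # delivery metrics only
    "care_team": {"operational", "phi"},   # explicitly granted PHI
}

MASK = "[REDACTED-PHI]"

# Audit trail: (viewer, role, notification_id, masked field names).
AUDIT_LOG: List[Tuple[str, str, str, List[str]]] = []


def view_log_entry(entry: Dict[str, str], viewer: str, role: str) -> Dict[str, str]:
    """Return a masked copy of `entry` for `viewer` and record the access."""
    can_read_phi = "phi" in ROLE_GRANTS.get(role, set())  # unknown role: no PHI
    out: Dict[str, str] = {}
    masked: List[str] = []
    for key, value in entry.items():
        if key in OPERATIONAL_FIELDS or (key in PHI_FIELDS and can_read_phi):
            out[key] = value
        else:
            # PHI without a grant, or an unclassified field: fail closed.
            out[key] = MASK
            masked.append(key)
    AUDIT_LOG.append((viewer, role, entry.get("notification_id", "?"), masked))
    return out


# Constructed sample record; "lab_panel" is deliberately left unclassified.
SAMPLE_ENTRY = {
    "notification_id": "ntf_0001",
    "channel": "sms",
    "status": "delivered",
    "sent_at": "2021-03-01T10:00:00Z",
    "recipient_name": "A. Patient",
    "recipient_phone": "+15550100",
    "message_body": "Your lab results are ready.",
    "lab_panel": "CBC",
}
```

Calling `view_log_entry(SAMPLE_ENTRY, "alice@customer.example", "analyst")` returns the delivery metadata with every PHI field and the unclassified `lab_panel` replaced by the mask, while a `care_team` viewer sees the PHI but still not the unclassified field.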
As the engineering team hammered out the best way to handle how the data is compiled and logged, we also needed to put internal policies in place around PHI, as well as processes to implement security safeguards, conduct risk assessments, and handle documentation.
After this full process, we are happy to announce that Courier is now fully HIPAA compliant, which applies to all U.S. PHI. To learn more about how Courier approaches security, check out this series of articles. If you’re looking for HIPAA-compliant notification infrastructure for your own organization, check out Courier here.