BizIntel tools?

We’re planning to use a cloud-based Business Intelligence tool for analyzing/visualizing our customer data in our Postgresql database. There is an excellent HIPAA-compliant tool to do this, by Mode Analytics, but we’re also exploring non-HIPAA-compliant options, such as https://www.periscopedata.com and https://chartio.com/

Obviously we will not introduce PHI into these third party systems, so I wanted some thoughts on the best way to safely give them access to our (sanitized/anonymized) data.

One solution would be to create a Postgresql view that sits above our main tables but has a limited (i.e. non-PHI) schema. The 3rd party service’s database user would have a role that only allows read-only access to this view. Is this a sensible way of ensuring compliance? Any flaws in this approach?

An alternative solution would be to run an (hourly) export of sanitized data from our main database into an entirely separate database instance.

Does anyone have any suggestions/recommendations for us?
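The view-plus-read-only-role setup proposed above, written out as an added example (this is not code from the thread or from Aptible). It creates a separate reporting schema, a view that exposes only non-identifying columns, and a role that can reach the view but not the base table, followed by the privilege checks a practitioner would run before handing the credentials to a vendor. The table, schema, role and column names (`patients`, `reporting`, `bi_readonly`, database `app`) are assumptions.

```sql
-- Added example, not from the original thread. Names below are assumed.

-- Base table holding PHI (assumed shape).
CREATE TABLE IF NOT EXISTS public.patients (
    id            bigint PRIMARY KEY,
    full_name     text,
    email         text,
    date_of_birth date,
    zip_code      text,
    state         text,
    plan_tier     text,
    signed_up_at  timestamptz
);

-- Keep everything the vendor may touch in its own schema so the grants
-- are short and easy to audit.
CREATE SCHEMA IF NOT EXISTS reporting;

-- The view carries no direct identifiers (no id, name, email) and coarsens
-- the quasi-identifiers it does keep (birth year, 3-digit ZIP prefix,
-- signup month). Whether this is sufficient de-identification for your
-- data is a question for your compliance review, not for the view itself.
CREATE OR REPLACE VIEW reporting.customers AS
SELECT
    extract(year FROM date_of_birth)::int      AS birth_year,
    left(zip_code, 3)                          AS zip3,
    state,
    plan_tier,
    date_trunc('month', signed_up_at)::date    AS signup_month
FROM public.patients;

-- Machine role for the BI tool only. Humans doing ad-hoc queries should
-- use their own roles so access can be attributed.
CREATE ROLE bi_readonly LOGIN PASSWORD 'replace-me' NOINHERIT CONNECTION LIMIT 5;

-- Start from nothing: close the implicit grants Postgres hands to PUBLIC.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;   -- PG < 15 grants this by default
REVOKE ALL    ON SCHEMA public FROM bi_readonly;

-- Grant only the path to the view.
GRANT CONNECT ON DATABASE app TO bi_readonly;
GRANT USAGE   ON SCHEMA reporting TO bi_readonly;
GRANT SELECT  ON reporting.customers TO bi_readonly;

-- Belt and braces on the session: read-only transactions, a bounded
-- statement time, and a search_path that does not include public.
ALTER ROLE bi_readonly SET default_transaction_read_only = on;
ALTER ROLE bi_readonly SET statement_timeout = '60s';
ALTER ROLE bi_readonly SET search_path = reporting;

-- Why this works: a view runs with the privileges of its OWNER, so the
-- owner (the role that ran CREATE VIEW) needs SELECT on public.patients
-- while bi_readonly does not. Do not make bi_readonly the view owner, and
-- on PG 15+ do not set security_invoker = true on this view, or the role
-- would need direct access to the PHI table for the view to work.

-- Verification: run as a superuser or the view owner.
SELECT has_table_privilege('bi_readonly', 'public.patients',     'SELECT') AS can_read_phi,   -- false
       has_table_privilege('bi_readonly', 'reporting.customers', 'SELECT') AS can_read_view,  -- true
       has_schema_privilege('bi_readonly', 'public', 'CREATE')             AS can_create;     -- false

-- Or exercise it directly: the first query returns rows, the second must
-- fail with "permission denied for table patients".
SET ROLE bi_readonly;
SELECT * FROM reporting.customers LIMIT 5;
SELECT * FROM public.patients LIMIT 1;
RESET ROLE;
```

Two things to re-check whenever the schema changes: that no later `GRANT` (including `pg_read_all_data` or `ALTER DEFAULT PRIVILEGES` on `public`) widens `bi_readonly`, and that every new column added to the view is reviewed as a potential identifier before it ships. The hourly-export alternative mentioned in the post removes the shared-instance risk entirely at the cost of a pipeline to maintain; the grants above are still the right starting point for the export target.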

The basic approach is sound. For policy, you’d want to restrict the 3rd party user to an individual or pre-identified machine role, with a separate user for any manual access events.

I don’t think HIPAA would require audit logging (because the view itself doesn’t involve PHI), but you’ll want to document the setup as part of your security program.

Ok, thanks! With the pre-identified machine role, are you talking about Postgresql roles, or Aptible roles?

Both, although I was referring to the PG role.

Doing some testing and we’re hooking up Chartio to our database (it will only have access to a limited set of Views that are de-identified and do not contain health information)

How can we allow a server outside the Aptible environment to access our Postgresql database? We want to permit access from a specific IP address. Since this needs to be a persistent connection, I think VHOST is the best option?

There are two connection options:

  1. direct connection
  2. a tunnel connection, using auto-ssh https://support.chartio.com/docs/data-sources#tunnel-connection

The _autossh_ option would do it…kind of like a VPN for nihilists

We’re also in the process of revamping our analytics platform. I’m curious about the resolution of the analytics story that you described here. Which service did you end up going with? Any lessons learned?

We’re using Chartio, but that was mainly because we wanted our business team to be able to create/edit charts themselves, without having to use SQL.

If it’s going to be devs that are interacting with this, you should look into Mode, since they are HIPAA compliant (and you won’t have to create special views and processes to get a clean, sanitized version of your data).

Also worth mentioning that we’re using Chartio for business reporting, and not for analytics

We’re also heavy users of Google Analytics and Mixpanel (via Segment.com)

If you want to talk about this in detail, let’s find time for a call, maybe early next week?


I’ll DM you.

Hi @hylas @Philonous I realize this is about 1+ years later but we are going down a very similar path at Avhana. I am curious to learn more about (1) your experience with chartio + other recommendations for a HIPAA compliant business reporting tool that could be exposed to devs internally but also people outside engineering and (2) how you solved the db connection question (direct connection vs tunnel connection). We are exploring JasperSoft and ReportServer and are trying to decide what the best tooling is for our needs and the best way to connect to our db from a report server. Happy to chat by phone. Feel free to dm me.

@aptible also if the Aptible team have recs for business reporting tools that are HIPAA compliant, would love to hear as well.

We use Mode internally (albeit not for PHI) and find it works well.

Thanks @chas, had a good chat today with someone from Mode and it’s something we’re exploring. Regarding Tableau and some of the other non-HIPAA-compliant solutions, is there a way to deploy these to an Aptible container? Would this solve the HIPAA compliance piece, or is this sort of functionality not possible (i.e. they’re doing the hosting, etc. themselves, which renders them non-HIPAA compliant)?

It’s really specific to each potential product/integration. If the utility runs entirely within your Enclave stack, no BAA is needed with the vendor, most likely.

If the vendor is going to create/receive/transmit/maintain PHI on your behalf, you need a BAA most likely. You can make it easier to integrate by adding an endpoint to a database container, which may eliminate the need to run a container bridge app, but if you’re still transmitting identifiable health data to a vendor, they will need to be compliant.

As always, I am not your lawyer and Aptible is not a law firm. Always consult counsel for legal advice - this is just guidance.

Thanks @chas that’s super helpful!

Hello!

I just talked to Segment about HIPAA compliance and they basically told me “We cannot accept HIPAA-related data because our S3 backend currently isn’t configurable to have the option to toggle on/off.” What is your strategy for using Segment?

Thanks.