We’re considering using a hosted CI tool such as Travis or Circle. However, I’m concerned about the case where PHI is accidentally committed into a git repository, and then Travis / Circle grabs everything to run it.
Granted, this is very unlikely to happen, but if it does, would it be considered a HIPAA violation? And if so, how does everyone here avoid this problem?
Standard caveats apply: This is not legal advice, we don’t have an attorney/client relationship, and to get specific legal advice you should consult a lawyer.
To answer your first question, yes, it would probably result in multiple HIPAA violations to send PHI to an entity with whom you do not have a BAA, like a CI provider. (I don’t know of any CI services that sign BAAs.)
HIPAA requires that you have a BAA in place with your business associate vendors. The simplified version of the definition of a “business associate” is an entity that creates, receives, maintains, or transmits PHI on your behalf. If you accidentally sent PHI to a CI provider, they’d become your business associate, and not having that BAA in place would likely constitute an unauthorized disclosure under HIPAA.
There are a few best practices here to avoid committing sensitive data to source code:
- Make sure everyone has advanced developer training in HIPAA security and privacy practices
- Never store data locally on a dev machine, if you can help it
- Use .gitignore to exclude any files and directories you want to keep out of source code
- Make it a policy to conduct code review before merging
Let me know if you have more questions, or if anything here isn’t clear!
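One concrete way to back the .gitignore and code-review points above with an automated check, as an added example that is not part of the original answer and not code from any CI provider: a pre-commit hook that scans the staged content for PHI-like values before it can ever reach a remote (and hence a hosted CI runner). The regexes, the blocked file types, the `phi-guard` name and the constructed sample input are all assumptions to adapt to your own data.

```python
#!/usr/bin/env python3
"""Pre-commit guard that refuses a commit when staged content looks like PHI.

Added example, not from the original thread. The patterns, path rules and
sample input below are constructed assumptions; tune them for your own data.
"""
import re
import subprocess
import sys
from typing import List, Tuple

# Rule name -> regex for values that commonly appear in PHI exports.
# Illustrative assumptions only; this is not a complete PHI detector.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*[:=]\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# File types that are almost always data exports rather than source code.
# Assumed blocklist: adjust to how your team actually stores fixtures.
BLOCKED_SUFFIXES = (".csv", ".xlsx", ".xls", ".sql", ".dump", ".bak")

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def is_blocked_path(path: str) -> bool:
    """Return True for paths whose type should never be committed at all."""
    return path.lower().endswith(BLOCKED_SUFFIXES)


def scan_text(text: str, path: str) -> List[Finding]:
    """Scan one file's content line by line and report PHI-like matches."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PHI_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, rule))
    return findings


def staged_files() -> List[str]:
    """List files added or modified in the index (what a CI run would see)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path: str) -> str:
    """Read the staged version of a file (":path" addresses the index)."""
    return subprocess.run(
        ["git", "show", f":{path}"], capture_output=True, text=True, check=True,
    ).stdout


def check_staged() -> int:
    """Exit code for a pre-commit hook: 0 = clean, 1 = PHI-like content found."""
    problems: List[str] = []
    for path in staged_files():
        if is_blocked_path(path):
            problems.append(f"{path}: blocked file type (data export)")
            continue
        try:
            content = staged_content(path)
        except (subprocess.CalledProcessError, UnicodeDecodeError):
            continue  # binary or unreadable; skip rather than crash the hook
        for p, line_no, rule in scan_text(content, path):
            problems.append(f"{p}:{line_no}: looks like {rule}")
    for msg in problems:
        print("phi-guard:", msg, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    if "--demo" in sys.argv:
        # Constructed sample input so the script can be exercised without a repo.
        sample = "id,name\n1,Jane\nMRN: 0012345\nSSN 123-45-6789\n"
        for finding in scan_text(sample, "constructed-export.txt"):
            print(finding)
        sys.exit(0)
    sys.exit(check_staged())
```

Install it as `.git/hooks/pre-commit` (or via a hook manager) so a non-zero exit blocks the commit; `python3 phi_guard.py --demo` runs it against the constructed sample without needing a repository. A hook like this is a local safety net only: it runs client-side and can be bypassed, so the same scan should also run server-side (for example as a push rule on the self-hosted GitLab mentioned later in the thread) before anything reaches a CI runner.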
Great. And yes, we do those things, but there’s just not a 0% chance that it won’t happen in the future. So for anyone that this may help, we’re testing out self-hosting GitLab, which has GitLab-CI built-in.
This setup can be on Azure, AWS, or Google Cloud, which all sign BAAs.
Alternatively, if managing a CI configuration is not something you’re keen on, Travis CI / Circle CI offer self-hosted solutions.