We’re considering using a hosted CI tool such as Travis or Circle. However, I’m concerned about the case where PHI is accidentally committed into a git repository, and then Travis / Circle grabs everything to run it.
Granted, this is very unlikely to happen, but if it does, would it be considered a HIPAA violation? And if so, how does everyone here avoid this problem?
Standard caveats apply: This is not legal advice, we don’t have an attorney/client relationship, and to get specific legal advice you should consult a lawyer.
To answer your first question, yes, it would probably result in multiple HIPAA violations to send PHI to an entity with whom you do not have a BAA, like a CI provider. (I don’t know of any CI services that sign BAAs.)
HIPAA requires that you have a BAA in place with your business associate vendors. The simplified version of the definition of a “business associate” is an entity that creates, receives, maintains, or transmits PHI on your behalf. If you accidentally sent PHI to a CI provider, they’d become your business associate, and not having that BAA in place would likely constitute an unauthorized disclosure under HIPAA.
There are a few best practices here to avoid committing sensitive data to source code:
Let me know if you have more questions, or if anything here isn’t clear!
Great. And yes, we do those things, but there’s just not a 0% chance that it won’t happen in the future. So for anyone that this may help, we’re testing out self-hosing GitLab, which has GitLab-CI built-in.
This setup can be on Azure, AWS, or Google Cloud, which all sign BAAs.
Alternatively, if managing a CI configuration is not something you’re keen on, Travis CI / Circle CI offer self-hosted solutions