At Chartio, we’ve spent the past decade helping hundreds of organizations empower their users with data. Along the way, we’ve welcomed more and more Chartio customers who are creating products and services related to health and wellness. These companies face a unique issue when working with data: the sensitivity of handling personal health information (PHI).
The challenges of protecting PHI are only growing, as digital health companies are increasingly expanding their tech stacks to include cloud-based tools. If any of these third-party tools need access to PHI, they must be compliant with the Health Insurance Portability and Accountability Act (HIPAA).
Because of this requirement, companies that need to work with PHI are limited to just a few options, or they are forced to build their own internal tools, which can be costly and time-consuming.
We believe that companies shouldn’t have to create their own on-premises solutions to work with health data. That’s why we’ve spent the past year reviewing policies, adding security features, and updating our infrastructure to meet HIPAA requirements—and we’re happy to announce that Chartio is now HIPAA compliant.
We’re on a mission to help companies unlock the potential of their data, and that requires trust. So, several months ago, after we completed our SOC 2 Type II audit, we made the decision to become HIPAA compliant. We conducted extensive planning, a rigorous audit, and analysis of our system to meet HIPAA requirements.
Accomplishing these tasks involved considerable work by our engineering team, including:
- Completing a gap analysis with a third-party auditing firm and a self-assessment of the HIPAA audit protocol to help remediate any gaps in our system
- Establishing a Business Associate Agreement (BAA), and signing one with any vendors we work with that will process PHI on our behalf
- Ensuring that all customer data is encrypted at rest and in-flight, even inside of Chartio private networks
We also updated all plans, procedures, and policies involving PHI data. All Chartio employees will have to sign a HIPAA agreement, attend security awareness training to ensure knowledge and enforcement of security best practices, and have their access to data logged and monitored for unauthorized or anomalous activity.
On the application side, we’ve implemented the following features:
- You can now set a session timeout to configure a session length for your organization
- We’ve removed the ability for Chartio support to access your account
- We’ve disabled in-line images in reports to reduce the potential for sensitive information to be mistakenly sent over email without guaranteed encryption
Solving customers’ needs
[Photo: Chartio CEO Dave Fowler (left) with CareLinx’s Vincent Dee and Yeong-Ping Koh.]
HIPAA compliance is particularly important for companies like CareLinx, the leading nationwide network for in-home care. With teams that regularly interact with lots of health-related data, CareLinx needed a BI solution that was both user-friendly and secure. “We wanted the engineers to focus on the product, so it was important for us to find a Business Intelligence platform that allows everyone to pull metrics and insights on their own,” said Yeong-Ping Koh, VP of Product at CareLinx. “We wanted something everyone can play around with instead of having a dedicated team pulling data and creating reports.”
Now that Chartio is HIPAA compliant, CareLinx’s daily functions have become more efficient and easier.
“With Chartio being HIPAA compliant, there’s less risk involved. Everyone can access real-time data, and we are excited to use it with Chartio’s embedding feature,” Koh said.
A commitment to privacy and security
Our journey to achieve HIPAA compliance is just the beginning. We’ll continue this security initiative to provide additional features that will help you better control and manage your data with Chartio.
Even if HIPAA does not apply to your organization, all Chartio customers will be able to use these features. If you’re interested in learning more, contact your Data Advisor or reach out to firstname.lastname@example.org.
Finally, we’re committed to maintaining the privacy and security of our customers’ data, and meeting or exceeding relevant standards as they evolve. Some steps we take to achieve this include submitting to a yearly HIPAA audit by a third-party firm, undergoing annual SOC 2 certification, and meeting GDPR and Privacy Shield Framework requirements. If you want to know more about our policies and plans, please visit our Security page, or email us at email@example.com.
If your company deals with health data, now’s a great time to give Chartio a try. Start a free trial today.