The “Hip Hip Hooray” of HIPAA Compliance
Did you hear? Jahia is now HIPAA compliant thanks to the ongoing work of our compliance and data security teams!
You can practically hear the cheers echoing out of our socially distant office spaces.
HIPAA is probably the best-known US healthcare regulation; it was originally passed in 1996. Originally focused on the idea of health insurance portability, wherein you could take your employer-paid health insurance with you after leaving their employ, HIPAA also created a number of regulations to ensure patient privacy. Think patient information, health records, and anything else that would go into your personal medical history. These were all categorized as PHI (Protected Health Information), and HIPAA’s job was to ensure you, the patient, had more control over the privacy of that information and over who was allowed to see and potentially use it.
Now, as you can imagine, HIPAA has had to evolve with the times. The Clinton Administration didn’t exactly predict online healthcare portals, after all. Understanding electronic PHI, or ePHI, has become essential to understanding how patient information is stored and transferred across digital technologies.
How does this all relate to Jahia? Happy you asked.
Jahia, as a Digital Experience Platform (DXP), is literally full of customer information as part of its very design. Organizations on Jahia use that customer information to analyze and improve the digital experiences of their customers. But unlike a shared online platform (e.g., Facebook), Jahia DXPs are unique and individual to each organization. These organizations have an obligation to secure and protect the data of their customers under privacy protection regulations. These regulations can be nearly all-encompassing (think GDPR) or they can be industry specific.
HIPAA falls into the industry-specific arena. Namely, healthcare.
As we mentioned before, patient information is strictly protected by HIPAA. This creates a bit of a tricky situation when it comes to delivering the kinds of online experiences that a DXP can provide, since it’s based on private patient information. For example, a pharmaceutical company could use a patient’s prescription history and prior refill requests to help them quickly identify the medicine they need. If it’s a doctor’s office, a patient’s medical records could be used to guide them on their necessary treatments.
To do any of this, strict care has to be taken with the patient data so that it isn’t mishandled or otherwise abused. Often, the healthcare company using the DXP doesn’t have the ability to implement the controls such stringent regulations require in the platform itself. They didn’t build the DXP, after all. That means it’s on the DXP vendor itself to show that its platform is capable of meeting the necessary requirements for compliance.
Thus, Jahia becoming HIPAA compliant was born not just out of the need to help our healthcare clients ensure that patient data is handled with the most stringent care required by law, but also out of a desire to show how committed we are to the idea of customer-owned data. It is built into our DNA as a platform founded on open source principles, just as we were one of the first DXPs to recognize, plan for, and deliver GDPR-compliant technology long before the law actually went into effect. And we won’t stop here – we continue to improve and grow our security protocols on a daily basis.