Q: Are we able to ensure HIPAA compliance in the setting of building documents with Protected Health Information (PHI)?

Ismail59059
May 14, 2024
A: Hi there,
Thanks for your message. Unfortunately Hybiscus doesn't have HIPAA compliance. Sorry about that! Let us know if there's any other way we could assist!


Verified purchaser
How much of the processing is completed at your servers vs the client side?
If the only processing is completed at the time of the event, no data or PDFs are stored (?), and it's a secure connection, wouldn't we be HIPAA compliant? Are we not able to go through the steps to ensure the validity of the security concerns to certify the product as compliant?
Hi @shreemulay,
With regard to how data is processed, the JSON data you send is not stored on the server after the report has been processed. The PDF is stored on the server under normal circumstances, for up to 48 hours. However, you can enable the cloud upload feature where once the report is generated, it is uploaded directly to your cloud provider (AWS, GCS, Azure) without storing it on the Hybiscus server. You can then only access the report in your cloud storage provider.
These features may indeed meet many if not all the HIPAA requirements, but as it appears to be a legal definition, this is not something, at least for now, that we could claim to be compliant with. We'd need to go through the proper channels and processes before we can confidently make these claims. However, we'll definitely be looking into this to see what it entails. Nevertheless, thanks for bringing this issue to our attention!

Verified purchaser
If it helps, we would love to see HIPAA compliance in our company as well. I'm sure this should not be difficult if there is no data being stored on your servers (and cloud solutions like Google Drive and S3 are HIPAA compliant).
Thanks for your reply, @ilan22!
We're still reviewing the necessary steps and all that is needed for full HIPAA compliance, so we appreciate your input! As this was only recently brought forth for us to further analyze, we thank you for your patience while we look into this matter and see what we can or can't do regarding that.
Thanks for your interest in Hybiscus!