How to achieve HIPAA compliance with Pusher Channels


With the release of end-to-end encryption it is easier than ever to achieve HIPAA compliance for your online healthcare services using Pusher Channels.

Introduction

Over the last few years the healthcare industry has gone through a massive shift toward online services.

As broadband and mobile infrastructure evolved, fresh opportunities for providers opened up. Take video calls as an example. They have become a part of our daily lives, but ten years ago the technology was only getting off the ground. Nowadays, with video, it’s possible for a patient to consult their doctor without leaving their home.

Cloud service providers have also significantly lowered the barrier to entry for new businesses. Companies don’t need to worry about costs and security of managing data centers anymore. SaaS services also provide many products that can handle non-core functionality for applications running in the cloud.

While online healthcare services bring life-changing benefits to many people, they also pose serious privacy challenges. Patients trust their providers with sensitive information, and having that data leaked could cause them serious problems. Governments around the world have taken that issue seriously and enacted legislation and standards to protect their citizens. In the US, privacy concerns in healthcare are covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Pusher Channels powers several healthcare applications, and with the recent release of end-to-end encryption we’ve made it even easier to achieve HIPAA compliance.

HIPAA and third-party vendors

Healthcare providers in the US must ensure that all vendors used within their services are HIPAA compliant. It doesn’t matter what the service does, whether it’s a diagnostic device, a task management system, or a SaaS product: the rules apply.

For services like Pusher Channels, the key is the HIPAA Privacy Rule that regulates the use of protected health information (PHI). Any service that handles PHI needs to follow strict operational guidelines. Without getting into too much detail, there are three ways to comply with HIPAA:

1. don’t transfer PHI,
2. sign a business associate agreement,
3. use the conduit exception if possible.

In situations where the vendor doesn’t need PHI to provide their services, sometimes the best solution is not to transmit that information at all.

Business associate agreements, necessary for services that handle PHI, carry their own complications. Vendors not only have to take additional care with processing information, but they also carry liabilities for breaches. Because of that, business associate agreements incur additional costs on both parties.

The conduit exception covers vendors that handle PHI only transiently and don’t have access to the information. A classic example of such a vendor is the US Postal Service. Healthcare providers don’t need to sign business associate agreements with vendors that fall under the conduit exception.

Using Channels for HIPAA applications

In the past, we recommended using a signalling approach. Whenever there’s an update available for a user, the service sends an event to the client via Channels with a signal that new data is available. Crucially, those signals don’t contain any PHI. After receiving a signal, the client fetches the protected information from another HIPAA-compliant system. This way, it’s possible to use Channels in a HIPAA-compliant way without signing a business associate agreement with Pusher.

Signalling is not a silver bullet, as it incurs latency and can sometimes add complexity to the application. Some of Pusher’s customers preferred the signalling approach, but many others were unhappy with the added indirection and wanted to use Channels to transmit PHI directly to their clients. That is why we have recently released the end-to-end encryption feature.

With end-to-end encryption enabled, the application can include PHI in event payloads for private channels. As only your application manages the encryption keys, Pusher has no access to the data included in encrypted events. Because Pusher only handles the data for transmission, Pusher Channels with end-to-end encryption is considered a conduit within the HIPAA context.
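The following is an added illustration of the model described above, not code from Pusher's SDKs: the provider's server seals the PHI with a key that Pusher never holds, so only ciphertext enters the Channels network, and the provider's own client opens it on delivery. The master key and channel name are constructed, AES-256-GCM from Go's standard library stands in for the libsodium secretbox that Pusher's SDKs use, and the per-channel key derivation is illustrative rather than the SDKs' exact scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Constructed 32-byte master key. It lives on the provider's servers and is
// handed to the provider's own clients out of band; Pusher never sees it.
var masterKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptedEvent is the only thing that crosses the Pusher network.
type EncryptedEvent struct{ Nonce, Ciphertext string }

// channelAEAD derives a distinct key per channel from the master key and wraps
// it in AES-256-GCM (illustrative; Pusher's SDKs use a libsodium secretbox).
func channelAEAD(channel string) cipher.AEAD {
	key := sha256.Sum256(append([]byte(channel), masterKey...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size: cannot fail
	return gcm
}

// sealPayload runs on the provider's server before the event is triggered; the
// channel name is bound in as associated data, so a replay onto another channel fails.
func sealPayload(channel string, phi []byte) (EncryptedEvent, error) {
	gcm := channelAEAD(channel)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedEvent{}, err
	}
	ct := gcm.Seal(nil, nonce, phi, []byte(channel))
	return EncryptedEvent{base64.StdEncoding.EncodeToString(nonce),
		base64.StdEncoding.EncodeToString(ct)}, nil
}

// openPayload runs in the provider's client app once Pusher delivers the event.
func openPayload(channel string, ev EncryptedEvent) ([]byte, error) {
	gcm := channelAEAD(channel)
	nonce, errN := base64.StdEncoding.DecodeString(ev.Nonce)
	ct, errC := base64.StdEncoding.DecodeString(ev.Ciphertext)
	if errN != nil || errC != nil || len(nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed encrypted event")
	}
	return gcm.Open(nil, nonce, ct, []byte(channel)) // fails on any tampering
}
```

Note that the nonce-length check in openPayload matters: Go's GCM panics rather than returning an error when handed a nonce of the wrong size, so a malformed event from the network must be rejected before it reaches the AEAD.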

Reducing risks even further

Not only does end-to-end encryption solve the problem with business associate agreements, it also significantly reduces the risk profile of your application.

Despite all efforts by vendors to protect PHI, as long as the information is transmitted or stored in an accessible form, there is always a non-zero risk of a data breach. Businesses mitigate that by following secure development practices and enforcing security policies. The majority of companies also insure themselves against those risks. Regardless of the mitigations, a data breach always has a significant impact on the provider, whether it’s financial, legal or reputational damage.

Having your data transmitted in an encrypted form, where only you as the provider have access to the encryption keys, takes the vendor out of the risk equation. Even if they somehow get breached, the attacker won’t be able to do anything with the obtained data. For companies that handle sensitive data, this can be a major risk reduction.

Providing more connected experiences for healthcare applications is an important step to making healthcare more accessible and effective. We’re excited to support that vision by making it easier to build HIPAA-compliant applications with end-to-end encryption in Pusher Channels.

End-to-end encryption is one of the first steps we’re taking to ensure your data is safe with Pusher. Over the next few months we will continue investing more into security, both within our systems and in features provided by our products. If you have questions or concerns related to security, we’d love to hear your feedback.

For more details be sure to check out the announcement blog post and docs.