July 11, 2024

#company

Axiom and HIPAA


Author: Stephanie Kawamura, Head of Operations

Axiom is HIPAA compliant, which means we can enter into Business Associate Agreements (BAA) with healthcare providers, insurers, pharma and health research firms, and service providers who work with protected health information (PHI).

What HIPAA compliance is

The Health Insurance Portability and Accountability Act, passed by Congress in 1996, was developed to make data more shareable among providers and plans. The P stands for Portability, not Privacy, as is often assumed. But among its many provisions, HIPAA contains a directive for the US Department of Health and Human Services (HHS) to issue both a Privacy Rule and a Security Rule that dictate the handling and disclosure of protected health information.

These rules gave companies until 2003-2005 to comply. In 2009, Congress passed another act instructing HHS to add the Breach Notification Rule, which specifies how organizations must report any breach of PHI to the Secretary of Health and Human Services.

Unlike ISO 27001 or SOC 2 Type II, HIPAA compliance isn’t determined by a certification process. Compliance is self-reported, managed by the company’s designated HIPAA compliance officer, and demonstrated by the ability to pass an audit by the Office for Civil Rights (OCR), should the OCR conduct one.

What we do to comply

To be deemed HIPAA compliant, a software company must meet specific requirements in these rules:

  1. Appoint a HIPAA compliance officer or team
  2. Implement safeguards
    • Administrative: Policies and procedures to protect PHI
    • Physical: Measures to protect physical access to PHI
    • Technical: Technology to protect electronic PHI
  3. Implement access controls for PHI
  4. Use encryption for data in transit and at rest
  5. Maintain documentation of all privacy and security practices
  6. Train employees on HIPAA regulations and company policies
  7. Establish a breach notification process
  8. Develop and implement a disaster recovery plan
  9. Sign Business Associate Agreements (BAAs) with partners who handle PHI
  10. Conduct risk assessments regularly

Who decides compliance?

There’s no official HIPAA certification body. Compliance is primarily self-attested, but several entities play roles in oversight:

  • The Office for Civil Rights (OCR) within HHS:
    • Enforces HIPAA rules
    • Conducts audits
    • Investigates complaints and data breaches
  • Third-party auditors:
    • Can provide assessments and attestations
    • Often used by companies to demonstrate compliance to clients
  • Covered entities (healthcare providers, plans, etc.):
    • May require proof of compliance from software vendors
  • Business associates:
    • Must ensure their own compliance
    • May be audited by covered entities they work with

While there’s no official certification, companies can:

  • Conduct internal audits
  • Undergo third-party assessments
  • Obtain related certifications (e.g., SOC 2, ISO 27001)
  • Document their compliance efforts thoroughly

Ultimately, true compliance is demonstrated through ongoing adherence to HIPAA rules and the ability to pass an OCR audit if one occurs. At Axiom, we’re as committed to compliance as we are to wringing every last byte of performance out of our code. Our customers should be able to see 100% of their event data, while keeping PHI private and secure.


Questions about our HIPAA compliance?

Contact us at sales@axiom.co to learn more about how we keep PHI safe for BAA partners and still let them observe every event. We’d love to talk to you!
