Frequently Asked Questions
Who is behind this?
Catalyze, Inc., healthcare's trusted HIPAA-compliant platform.
We help healthcare companies who handle PHI, both business associates and covered entities, maintain compliance with our Platform as a Service, Mobile Backend as a Service, and managed data integration services. Think Heroku and Parse for healthcare. In addition, we also provide HL7 Integration for those who need to communicate with EHR vendors like Epic or Cerner.
Why open source these policies?
HIPAA compliance has two halves. The first half includes all technical guidelines, both physical and digital. Encryption, logging, monitoring, backup—these are just a few examples of HIPAA technical requirements. The Catalyze platform addresses the technical requirements of HIPAA for our customers.
The second half of HIPAA is focused on administrative and organizational activities. This includes signing Business Associate Agreements (BAAs), risk management procedures, and policies for training, among other things. Crafting company policies that align with HIPAA administrative guidelines are straightforward, but an immense burden.
When we were creating our policies, we found several templates for healthcare providers, but nothing for modern health technology companies. We spent a lot of time and effort writing our policies, then adapting them to meet the demands of external audits. We don't want people to reinvent the wheel; trust us, it's not fun. We also feel a broader community can improve these polices over time, making them better for everybody.
By open sourcing our own company policies, we hope other healthcare companies will benefit. It aligns with our company mission: to help you focus on fixing healthcare without spending all of your time on HIPAA.
What license are the policies?
All company policies are licensed under CC BY-SA 4.0. You can edit and use as you wish for anything other than commercial use.
Can I change the name Catalyze in the policies and say I'm HIPAA compliant?
You can say what you want. They are open source and you can use as you see fit. But, we don't recommend that. We are not saying adopt these policies and be HIPAA compliant. We open sourced these policies to help modern healthcare companies. They are the starting point that we wish we had at Catalyze. We've implemented technical controls and organizational procedures specifically based on these policies (ex: we say we log certain events in our policies, so we log those events using our logging stack). We encourage you to customize the policies to meet your needs and hope that makes HIPAA easier for you.
Okay. So now what should I do?
As a company who handles PHI, it's critical you adopt and maintain your own HIPAA policies. To make use of our policies, we recommend the following steps.
- Read through all the enclosed policies to get an understanding of the structure.
- Download and adjust the policies to meet the specific needs of your organization.
- Comb through the policies for mentions of Catalyze or our business and change to appropriate references to your company.
- Implement internal procedures and technical controls to assure you're inline with the policies you are adopting. In the case of Catalyze customers, certain policies can be adopted in their entirety as Catalyze has implemented procedures and technical controls that our customers inherit.
- Publish your policies in a publicly available location. The files are markdown, so you may need to convert to HTML if you don't have a publishing platform capable of markdown format. You can either create an index page linking to each individual policy, or create a single page listing all the policies in line, much like we did. You can certainly choose to keep you policies private, but we have discovered that making our policies public helps us when we talk to large healthcare enterprises.
- Use Git for version control. We've discovered it's a great way to maintain documentation for audits.