Committing to safeguard health data with HIPAA

No form of data is more personal, more confidential or more sensitive than data that relates to people’s health. That’s why, in any country or legal jurisdiction, healthcare companies, researchers and pharmaceutical companies must meet the strictest standards on data privacy and security. It’s also why DeepL’s announcement last month that we have achieved compliance with the United States Health Insurance Portability and Accountability Act (HIPAA) is so significant.

What is HIPAA?

HIPAA is a US federal law that protects individually identifiable health information. It differs from the other standards DeepL meets for data privacy and security, such as ISO 27001, SOC 2 Type 2 and the GDPR, in that it is sector-specific: those frameworks apply broadly across industries, whereas HIPAA applies to healthcare organizations (health plans, healthcare providers and clearinghouses) and to the business associates that create, receive, maintain or transmit protected health information on their behalf. A service provider that processes PHI for a healthcare customer is such a business associate, and is bound to HIPAA's safeguards through a business associate agreement with that customer.

Because it is sector-specific legislation, HIPAA goes into greater detail about the safeguards that must be applied to this most sensitive data. Its Security Rule sets out the administrative, physical and technical safeguards an organization must have in place, and it backs this up with substantial civil fines and the possibility of criminal charges for organizations that fail to comply. HIPAA covers every aspect of an organization's responsibilities towards Protected Health Information (PHI), and because the requirements around PHI are so strict, HIPAA compliance is a strong signal of how complete an organization's data privacy and security program is.

How does HIPAA help DeepL customers?

Along with our existing standards and attestations, such as ISO 27001, SOC 2 Type 2 and GDPR compliance, HIPAA compliance gives our customers assurance about the administrative, physical and technical safeguards that are in place to protect health data. These include:

  • Security management processes and audit controls that record all activity and monitor for security violations, including any attempt to access our systems without authorization. DeepL uses a Security Information and Event Management (SIEM) system to raise immediate alerts on suspicious activity.
  • Workforce security measures that ensure only authorized DeepL employees have access to PHI. We use Role-Based Access Control (RBAC), so only employees who need access to healthcare data for specific reasons can access it, and access is revoked when an employee's role changes or when they leave. Every DeepL employee undergoes security training so that they know the procedures to follow, are aware of current threats and can report security incidents.
  • Strict physical access controls for our data centers, including electronic key-card systems that restrict the areas where PHI is stored to authorized employees.
  • Controls over the devices that can be used to access PHI. DeepL workstations lock automatically after 10 minutes of inactivity, and employees are required to log off and secure their devices when they leave their desks. We use asset management software to track every device that stores PHI and to ensure each one is encrypted with AES-256. We have strict procedures for disposing of and reusing devices, including certified data destruction services.
  • Access control technologies such as multi-factor authentication (MFA), a unique user ID for each employee and the principle of least privilege, under which employees are granted only the minimum access they need to do their jobs.
  • Tools and policies to protect data integrity, ensuring that only authorized people can update data and that all changes are logged. We regularly test our backup systems to ensure that data can always be restored without corruption.
  • Multiple layers of protection for data in transit. All PHI transferred to and from DeepL is encrypted with TLS 1.2 or TLS 1.3. TLS 1.3 is the recommended version: it drops the legacy cipher suites and key-exchange methods that TLS 1.2 still allows, permits only authenticated (AEAD) ciphers with forward-secret key exchange, and completes the handshake in one fewer round trip. DeepL also secures its APIs with authentication, encryption and rate limiting.
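
The first, second and fifth items above describe one chain of controls: a deny-by-default authorization check, an audit record of every decision, and a SIEM rule that alerts on repeated unauthorized attempts. The following Python is an added illustration of that chain and is not DeepL's code; the roles, permissions, user names, timestamps and alert threshold are all constructed for the example. It shows why both allows and denies must be logged (the alert rule runs over the denies), and why offboarding revokes roles rather than editing permissions one by one.

```python
"""Deny-by-default RBAC, full audit logging and a SIEM-style alert rule.

Added illustration, not DeepL's own code. The roles, permissions, user
names, timestamps and threshold below are constructed for the example.
"""
import datetime as dt
import json
from collections import defaultdict, deque

# Constructed policy: a role grants only the permissions listed here.
# Any (role, action) pair that is absent is denied, which is what
# "least privilege" means in practice.
ROLE_PERMISSIONS = {
    "phi_translator": {"phi:read"},
    "phi_admin": {"phi:read", "phi:write"},
    "support": set(),  # support staff have no PHI permissions at all
}


class AccessControl:
    """Authorizes actions by role and records every decision, allow or deny."""

    def __init__(self):
        self.user_roles = defaultdict(set)
        self.audit_log = []  # JSON lines, as a SIEM would ingest them

    def grant(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def offboard(self, user):
        # Leaving or changing teams revokes every role at once; later
        # checks fall through to the default deny.
        self.user_roles.pop(user, None)

    def check(self, user, action, now):
        roles = self.user_roles.get(user, set())
        allowed = any(action in ROLE_PERMISSIONS[r] for r in roles)
        self.audit_log.append(json.dumps({
            "ts": now.isoformat(),
            "user": user,
            "action": action,
            "decision": "allow" if allowed else "deny",
            "roles": sorted(roles),
        }))
        return allowed


def detect_repeated_denials(log_lines, threshold=3, window=dt.timedelta(minutes=5)):
    """Sliding-window rule: alert when one user collects `threshold` denials
    within `window`. Returns (user, timestamp of the triggering event) pairs."""
    events = [json.loads(line) for line in log_lines]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["decision"] != "deny":
            continue
        ts = dt.datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ts))
            q.clear()  # one alert per burst, not one per extra denial
    return alerts


def run_scenario():
    """Constructed sequence of access attempts. Returns the per-check
    decisions and the alerts the rule raised over the resulting audit log."""
    ac = AccessControl()
    t0 = dt.datetime(2024, 1, 15, 9, 0, tzinfo=dt.timezone.utc)
    ac.grant("alice", "phi_translator")
    ac.grant("bob", "support")

    decisions = {
        "alice_read": ac.check("alice", "phi:read", t0),
        "alice_write": ac.check("alice", "phi:write", t0 + dt.timedelta(seconds=10)),
        "bob_read_1": ac.check("bob", "phi:read", t0 + dt.timedelta(minutes=1)),
        "bob_read_2": ac.check("bob", "phi:read", t0 + dt.timedelta(minutes=2)),
        "bob_read_3": ac.check("bob", "phi:read", t0 + dt.timedelta(minutes=3)),
    }
    ac.offboard("alice")
    decisions["alice_after_offboarding"] = ac.check(
        "alice", "phi:read", t0 + dt.timedelta(minutes=4))

    alerts = detect_repeated_denials(ac.audit_log)
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = run_scenario()
    for name, allowed in decisions.items():
        print(f"{name:24s} {'allow' if allowed else 'deny'}")
    for user, ts in alerts:
        print(f"ALERT: {user} had repeated PHI denials, last at {ts.isoformat()}")
```

In the scenario, alice's single denied write and her post-offboarding denial stay below the threshold, while bob's three denied PHI reads within two minutes trigger one alert. The threshold and window are tuning parameters; in a real SIEM they would be set from observed baseline rates, and the alert would carry the offending log lines for the responder.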

Our commitments under HIPAA

Most of these safeguards aren't unique to HIPAA. They're already required, audited and attested through our other data security and privacy standards. However, complying with HIPAA means making some additional commitments to our customers.

HIPAA's Privacy Rule gives patients the right to access their PHI, to request amendments to it and to request restrictions on how it is used and disclosed. The detailed auditing, logging and data encryption processes that DeepL follows help ensure that such requests can be met. HIPAA's Breach Notification Rule also commits us to notifying the affected parties of a data breach, as well as the US Department of Health and Human Services and, for larger breaches, the media. Our SIEM and other security processes help us meet these obligations.

The final big difference between HIPAA and other data privacy and security standards is how it is enforced. ISO 27001 certification and a SOC 2 Type 2 report both involve external audits that confirm a business meets the requirements set out in those standards. Responsibility for confirming how secure and compliant your systems are sits with the independent auditor who issues the certificate or report.

HIPAA is different. There is no certifying body: it is down to organizations themselves to declare that they are compliant, and to take on the legal responsibility for ensuring they continuously measure up to HIPAA's standards. Given the force of law behind HIPAA, that is a very serious commitment to make, and it is a strong signal of how stringent DeepL's data privacy and security systems are that we are able to make it.


If you are a healthcare professional and would like to learn more about our solutions for the healthcare industry, read more and get in touch! 

 
