Designed to meet growing demand from companies and organizations in the healthcare industry, Caspio HIPAA Enterprise gives customers the ability to build HIPAA-compliant applications much more efficiently than if they developed them from scratch.
One of the first customers using Caspio HIPAA Enterprise is health maintenance organization Florida Healthcare Plus. It used Caspio's new platform to develop a system that automates the Medicare and Medicaid enrollment process. Other types of applications Caspio is targeting include patient portals, health insurance exchanges, medical device trackers and clinical trial databases.
As Caspio CEO Frank Zamani observed, "The healthcare market presents a tremendous challenge to IT departments and application developers who must ensure their solutions are fully compliant with the industry’s strict regulatory requirements." For customers like Florida Healthcare Plus, which was able to launch the first phase of its application in just two weeks, being able to build on an existing HIPAA-compliant platform was an attractive proposition.
To ensure compliance with HIPAA, which has strict requirements around data security and access controls, Caspio built a new infrastructure for Caspio HIPAA Enterprise, one that is physically distinct from its existing platform. All data submitted to Caspio HIPAA Enterprise is encrypted in transit and when it is stored. Robust user management controls ensure that data is only accessed by authorized individuals and applications, and all data accesses are logged for audit purposes.
Enforcing HIPAA Compliance Through API Design
While Caspio's offerings give nontechnical business users the tools they need to build database-driven web apps, Caspio also offers an API. Ioannis Kritikopoulos, Caspio's VP of engineering and operations, says, "Developers can use the API to leverage the back-end database alongside nondevelopers using Caspio’s point-and-click wizards."
Not surprisingly, API availability extends to Caspio HIPAA Enterprise, but to prevent API-based access from breaking HIPAA compliance, Caspio had to design its API to ensure that developers using it do so in ways consistent with HIPAA requirements. "Any data access or transfer through [the Caspio HIPAA Enterprise] APIs will be forced through HTTPS and recorded in the audit trail," Kritikopoulos told me.
This highlights an important point for companies developing APIs. While many API design best practices focus on developer experience and adherence to technical standards and principles (like HATEOAS), it is also important to look at whether an API design includes constraints and defaults that force compliance with intended usage patterns. This is, of course, crucial when building APIs for which usage patterns need to be compliant with HIPAA and similarly strict standards.
As Kritikopoulos explained:
The challenges in designing an API for HIPAA compliance are actually more procedural than technical. Specifically, you have to ensure that all the procedures specified in your HIPAA documentation are followed, such as the API profile registration, API key access controls and privilege management accessing the database. In addition, you have to ensure that an audit trail has been implemented in such a way that traces every interaction with the database at all levels so that API calls are logged appropriately for HIPAA compliance.
The good news is that thoughtful, compliance-aware API design does not have to add burdensome complexity. In Caspio's case, forcing API requests to be sent over HTTPS, keeping detailed request logs and making sure API access controls are consistent with the access control schemes employed through other interfaces were all relatively straightforward implementation details that keep API usage compliant without harming developer experience.