Arize Receives Certifications Validating Health Information Security for HIPAA Compliance
Artificial intelligence is transforming modern healthcare. AI-focused healthcare startups raised over $12 billion last year, delivering everything from life-saving interventions in cancer care to reductions in claims fraud. Large insurers, providers, and pharmaceutical companies are also investing in machine learning to improve health outcomes and the overall patient experience. Altogether, Accenture predicts that deployed AI may save the healthcare industry over $150 billion by 2026.
Despite this early progress, the industry still faces formidable challenges in embracing AI at scale. Building, deploying, and maintaining models (e.g. NLP models scanning electronic medical records for insights) is uniquely challenging in healthcare. According to a recent survey, over one in four (27.3%) machine learning engineers and data scientists in healthcare say it takes their team a week or more to detect and fix an issue with a model in production – more than in most other industries surveyed. These delays and blind spots can be costly.
Arize’s New Certifications
In order to detect and resolve ML model issues faster, an increasing number of healthcare organizations are implementing Arize for ML observability. To give these companies peace of mind and demonstrate compliance with applicable standards, Arize recently received certifications from an independent auditor validating that the company’s health information security program is fairly represented and includes the essential elements of the U.S. Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Specifically, the independent auditor verified – via a Type 1 attestation under AICPA standards AT-C 105 and AT-C 205 – that the controls at Arize are suitably designed, as of a point in time, to meet the applicable requirements of both laws. (A Type 1 report speaks to control design at a point in time; it is a Type 2 report that tests whether controls operated effectively over a period.) These healthcare-specific certifications supplement Arize’s broader SOC 2 Type II compliance, which the company received earlier this year.
Background on HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information,” or PHI) by entities subject to the Privacy Rule. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule: PHI that is created, received, maintained, or transmitted in electronic form (ePHI).
HIPAA defines three types of covered entities: healthcare providers, health plans, and healthcare clearinghouses. A fourth category, business associates, is not itself a covered entity but is directly subject to the Security Rule and to HITECH’s breach notification and enforcement provisions. A business associate is, by definition, a person or organization (other than a member of a covered entity’s workforce) that creates, receives, maintains, or transmits PHI to perform or provide functions, activities, or services for a covered entity. Arize is considered a business associate; in Arize’s case, these functions and services include things like data analysis and utilization review.
Arize’s Approach To Protecting Customer Data
At Arize, we believe that safeguarding data is a core function – fundamental to earning and maintaining the trust of users, customers, and partners. That’s especially true in healthcare, which is why Arize is rolling out internal training on the importance of HIPAA.
As always, security for protected health information at Arize rests on three pillars:
- Auditability ensures that Arize always knows what happens on company systems and can supply the key details needed to support both internal and third-party investigations.
- Prevention means continuously observing company systems to identify weak points, then adding protections and controls so that protected health information stays secure.
- Preparedness is also critical in a world where healthcare organizations are frequent targets of attackers, and where HIPAA violations have become even more costly in the wake of the HITECH Act. Arize regularly simulates a variety of incident scenarios and uses the results to fine-tune its written incident response plans and processes.