Written by Codeium Team
HIPAA Compliance with Codeium for Enterprises
Code completion tools are immensely valuable in accelerating software development and empowering engineers to be more effective. Offerings like GitHub Copilot for Business present challenges for organizations that care about HIPAA compliance: under Copilot for Business, the customer's code, which can contain protected health information, must be sent to GitHub over the public internet in order to function. In contrast, Codeium's enterprise offering can be run entirely on premise or in the customer's virtual private cloud (VPC), which gives organizations total control over their data and complete certainty that they are complying with HIPAA's requirements and protecting patient data.
Codeium is an AI-powered code completion tool helping developers from thousands of companies around the world. Codeium Enterprise helps software engineering teams be more productive, accelerating the software development life cycle, all while ensuring that customer data is never sent to a third party.
About HIPAA Compliance
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect the privacy and security of healthcare information. The act applies to healthcare providers, health plans, and healthcare clearinghouses, as well as to their business associates, which includes third-party software vendors.
HIPAA defines protected health information (PHI) as any individually identifiable health information, including demographic information, that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. The act requires covered entities to secure PHI in all forms, including electronic, paper, or oral, and to prevent unauthorized access to or disclosure of PHI.
Third-party software vendors that provide services to covered entities, such as electronic health record (EHR) systems, billing systems, telemedicine platforms, and software-as-a-service (SaaS) solutions, are considered business associates under HIPAA. This means that they must comply with the HIPAA Security Rule, which requires the implementation of administrative, physical, and technical safeguards to protect PHI.
The administrative safeguards include policies and procedures for managing PHI, such as risk analysis and management, workforce training, and contingency planning. The physical safeguards include measures to protect the physical environment where PHI is stored, such as access controls and device and media controls. The technical safeguards include the use of secure technology, such as encryption and access controls, to protect PHI.
Third-party software vendors are also sometimes required to enter into business associate agreements (BAAs) with covered entities. A BAA is a contract that outlines the responsibilities of both the covered entity and the business associate with respect to PHI. The BAA must include provisions for the safeguarding of PHI, reporting of security incidents, and termination of the agreement.