Designing a HIPAA-compliant infrastructure for a startup in the mental health industry

Summary

A mental health startup needed HIPAA-compliant infrastructure for their healthcare referral platform. Quarry designed an AWS-based architecture with isolated environments, comprehensive logging, and integrated services. This plan ensures data security, regulatory compliance, and scalability.

Team: Engineering
Team members / roles: Puneet Maloo / Principal Engineer; Brendan Binger / Solutions Architect
Released: November 2023
Duration: 2 weeks
Date: 08.09.24

The Challenge: 

A mental health startup needed to design a highly secure and HIPAA-compliant infrastructure for their multi-tenant healthcare application. 

The challenge for Quarry was to create an architecture that would:

  • Ensure HIPAA compliance
  • Provide robust security measures
  • Support multiple user types (clinician therapists, referring therapists, and patients)
  • Allow for future scalability
  • Minimize legal exposure and mitigate risk

Solution: 

Quarry designed a comprehensive HIPAA-compliant architecture leveraging AWS services. 

We began with virtual private clouds (VPCs), essentially isolated network environments for each part of the system. This separation adds a strong layer of security: user ePHI is confined to the production environment, and within production to only the specific services that need it, which mitigates the risk of leakage.

Logging is a crucial part of this setup. We implemented CloudWatch and CloudTrail, with flow logs on every VPC. This gives us a detailed record of all activity, establishing a chain of custody for the data as well as a log of all system access. These are vital requirements for HIPAA compliance. If there’s ever an issue, we can trace exactly what happened and when, and be proactively notified of unexpected access to ePHI.

Data storage and backup use S3 buckets. Access control is managed through IAM and SNS, ensuring only authorized users can access specific parts of the system and meeting HIPAA's minimum-necessary access requirement.
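As an added illustration of the proactive-notification and minimum-necessary points above (example code written for this page, not Quarry's or the startup's), the following Python checks CloudTrail S3 data events against a per-bucket role allowlist and flags reads of an ePHI bucket by an unexpected principal or from outside the VPC endpoint. The bucket names, role names and sample records are constructed placeholders.

```python
# Constructed allowlist of IAM role names allowed to read each ePHI bucket (hypothetical names).
EPHI_BUCKET_ALLOWLIST = {"example-ephi-referrals-prod": {"ReferralServiceRole", "BackupRole"}}

# Constructed CloudTrail S3 data-event records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2023-11-02T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "vpcEndpointId": "vpce-0abc",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReferralServiceRole/i-0a1"},
     "requestParameters": {"bucketName": "example-ephi-referrals-prod", "key": "r/42.json"}},
    {"eventTime": "2023-11-02T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",  # no vpcEndpointId: request came via the public S3 endpoint
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"bucketName": "example-ephi-referrals-prod", "key": "r/42.json"}},
    {"eventTime": "2023-11-02T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "vpcEndpointId": "vpce-0abc",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReferralServiceRole/i-0a1"},
     "requestParameters": {"bucketName": "example-static-assets", "key": "logo.png"}},
]

def principal_name(record):
    """Role name behind an assumed-role session, otherwise the IAM user name."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        return identity.get("arn", "").split("assumed-role/")[-1].split("/")[0]
    return identity.get("userName", identity.get("arn", "unknown"))

def unexpected_ephi_access(records):
    """Return S3 events on ePHI buckets that violate the allowlist or bypass the VPC endpoint."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        bucket = rec.get("requestParameters", {}).get("bucketName", "")
        if bucket not in EPHI_BUCKET_ALLOWLIST:
            continue  # not an ePHI bucket; out of scope for this alert
        who = principal_name(rec)
        reasons = []
        if who not in EPHI_BUCKET_ALLOWLIST[bucket]:
            reasons.append("principal not allowlisted for this bucket")
        if not rec.get("vpcEndpointId"):
            reasons.append("request bypassed the VPC endpoint")
        if reasons:
            findings.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                             "bucket": bucket, "principal": who, "reasons": reasons})
    return findings
```

In a deployment the findings would be published to an SNS topic so the team is notified as the text describes; here the function simply returns them.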

The main application is designed to handle three types of users: clinician therapists, referring therapists, and patients. It’s a multi-tenant setup, but each group’s data is kept separate and secure.

We’ve integrated some essential services too. There’s Storyblok for content management, Twilio for SMS, and SendGrid for emails. We also developed a Facebook app that can post anonymous referrals to therapist groups.

Finally, we created a separate staging environment that mirrors the production setup. This allows for thorough testing before any changes go live.

The Results: 

While the full implementation is pending future funding, the infrastructure design itself has been a significant deliverable, offering the startup:

  • A clear roadmap for HIPAA-compliant infrastructure
  • Significantly reduced legal exposure and risk
  • A scalable architecture supporting future growth
  • Enhanced data security and privacy for all user types
  • Comprehensive audit capabilities for potential breach investigations
  • A foundation for building trust with healthcare providers and patients


The design’s focus on isolating services, maintaining detailed logs, and implementing multi-layered security measures positions the startup to confidently expand its services while maintaining strict HIPAA compliance.

Next Steps: 

As the startup secures additional funding, the next phase will involve implementing this architecture, with a particular focus on developing the next-generation web application. Stay tuned for the final product!
