Idyl E3 in a HIPAA Environment

The processing of electronic medical records is a common usage scenario for Idyl E3 given its abilities to identify patients, doctors, and medical facilities in natural language text. In these environments we must adhere to HIPAA regulations and this page was created to help you with your deployment of Idyl E3 in a HIPAA environment.

Data Encryption

An important requirement imposed by HIPAA is the encryption of data in motion and data at rest. To encrypt data in motion, Idyl E3 can be configured to only accept API requests over SSL. (Refer to Idyl E3’s documentation for the configuration steps or contact us.) This ensures that all input text to Idyl E3 and all returned entities are transmitted over a secure connection.

For encrypting data at rest, Idyl E3 does not store any of the input text or entities. Custom entity models are encrypted using 256-bit encryption. (As of Idyl E3 2.2.0 a non-empty encryption key is required when creating a custom model.) Some Idyl E3 plugins may provide entity persistence or publishing capabilities. It is important you consider the impact and compatibility of these plugins for your environment as some plugins may not be usable. For instance, the AWS Kinesis Firehose Entity Publisher plugin is not usable for HIPAA data because the AWS Kinesis service is not HIPAA compliant.

Cloud Hosting Considerations

When Idyl E3 is used in a cloud environment there may be additional restrictions. For instance, in AWS each Idyl E3 instance must be a dedicated instance. The Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper describes the restrictions per AWS service. For Microsoft Azure refer to the Microsoft Trust Center’s HIPAA and the HITECH Act resources.