HIPAA to Postgres

This page provides you with instructions on how to extract data from HIPAA and load it into PostgreSQL. (If this manual process sounds onerous, check out Stitch, which can do all the heavy lifting for you in just a few clicks.)

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) defines rules that American organizations must follow to securely handle and maintain Protected Health Information (PHI). To remain in compliance, organizations are required to have a signed Business Associate Agreement (BAA) from any partner organization that creates, receives, maintains, or transmits PHI. The partner must ensure that it will safeguard the PHI that passes through its systems. Businesses also have to meet a long checklist of compliance rules and practices.

What is PostgreSQL?

PostgreSQL, also known as Postgres, calls itself "the world's most advanced open source database." The popular object-relational database management system (ORDBMS) offers enterprise-grade features with a strong emphasis on extensibility and standards compliance.

PostgreSQL runs on all major operating systems, including Linux, Unix, and Windows. It's open source, fully ACID-compliant, and has full support for foreign keys, joins, views, triggers, and stored procedures in multiple languages. PostgreSQL is often the best back-end database for web systems and software tools. It's available in cloud-based deployments from most major cloud vendors. And since its syntax forms the basis for querying Amazon Redshift, which makes migration between the two systems relatively painless, Postgres is a good stepping-stone for developers who may later use Redshift's data warehouse platform.

Getting HIPAA data

You migrate PHI just as you would any other data, but you must stay cognizant of HIPAA regulations. No one but you and the data source can handle the data unless you have a BAA in place with them.

You can use any methods your data provider offers to extract data from their service. Many cloud-based data sources provide APIs that expose data to programmatic retrieval. Others allow you to set up webhooks to push event data to requesters. For data that lives in a database, you can use SELECT statements or a utility that does a mass dump of the data you specify.

Loading data into Postgres

Postgres provides the CREATE TABLE statement as a means to create a new database table that can receive all of the data you've identified. Once your table exists, there are a number of methods available for loading in data. The best tool for the job depends on the quantity of data you have and how frequently you will load in new data.

The most basic tactic simply involves running INSERT queries against the database directly. These queries are the standard SQL method for adding data. You can find instructions on how to use INSERT, REPLACE, and other related queries in the Postgres docs.

If you prefer to pursue bulk insertions of data due to high volume or other reasons, there is another family of tools and commands. The COPY command is ideal for this scenario, as it allows you to load large sets of data into Postgres without needing to run a series of INSERT statements. Documentation for COPY can be found in the Postgres documentation.
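
The CREATE TABLE, COPY, and INSERT steps described above, combined into one load script. This is an added example, not code from the original page or from Stitch; the table and column names and the sample rows are constructed for illustration. It goes one step beyond the text by loading through a transaction-scoped staging table and using INSERT ... ON CONFLICT, so that re-running a load updates existing rows instead of duplicating them. Run it with psql -f, since the inline COPY data relies on psql.

```sql
-- Hypothetical schema: patient_visits and its columns are assumptions, not from the page.
BEGIN;

CREATE TABLE IF NOT EXISTS patient_visits (
    visit_id    bigint      PRIMARY KEY,
    patient_ref text        NOT NULL,
    visit_date  date        NOT NULL,
    updated_at  timestamptz NOT NULL
);

-- Make the absence of default access explicit for a table that holds PHI.
REVOKE ALL ON patient_visits FROM PUBLIC;

-- Staging table exists only inside this transaction, so no second copy
-- of the rows is left behind after the load. LIKE copies columns and
-- NOT NULL constraints but not the primary key, so duplicates can land here.
CREATE TEMP TABLE visits_stage (LIKE patient_visits) ON COMMIT DROP;

-- Bulk load with COPY. The rows below are constructed sample data; for a
-- real extract file, psql's \copy reads a client-side CSV the same way.
COPY visits_stage (visit_id, patient_ref, visit_date, updated_at)
FROM STDIN WITH (FORMAT csv);
1001,P-0001,2024-01-15,2024-01-15 10:00:00+00
1002,P-0002,2024-01-16,2024-01-16 09:30:00+00
1001,P-0001,2024-01-17,2024-01-18 08:00:00+00
\.

-- Move staged rows into the target table. DISTINCT ON keeps only the newest
-- staged row per visit_id, because ON CONFLICT DO UPDATE raises an error if
-- one statement tries to touch the same target row twice.
INSERT INTO patient_visits AS t (visit_id, patient_ref, visit_date, updated_at)
SELECT DISTINCT ON (visit_id) visit_id, patient_ref, visit_date, updated_at
FROM visits_stage
ORDER BY visit_id, updated_at DESC
ON CONFLICT (visit_id) DO UPDATE
SET patient_ref = EXCLUDED.patient_ref,
    visit_date  = EXCLUDED.visit_date,
    updated_at  = EXCLUDED.updated_at
WHERE t.updated_at < EXCLUDED.updated_at;  -- never overwrite newer data with older

COMMIT;

-- Check the result of the load.
SELECT visit_id, visit_date, updated_at FROM patient_visits ORDER BY visit_id;
```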

Keeping HIPAA data up to date

Once you've set up your data pipeline to your HIPAA data source, you can relax – as long as nothing changes. You have to keep an eye on any modifications that your sources make to the data they deliver. You should also watch out for cases where your script doesn't recognize a new data type. And since you'll be responsible for maintaining your script, every time your users want slightly different information, you'll have to modify the script. Keep in mind that HIPAA is all about rules and compliance, so you'll also have to know what HIPAA permits and proscribes, as will anyone else who works on the script.

Other data warehouse options

PostgreSQL is great, but sometimes you need to optimize for different things when you're choosing a data warehouse. Some folks choose to go with Amazon Redshift, Google BigQuery, or Snowflake, which are RDBMSes that use similar SQL syntax, or Panoply, which works with Redshift instances. If you're interested in seeing the relevant steps for loading data into one of these platforms, check out To Redshift, To BigQuery, To Snowflake, and To Panoply.

Easier and faster alternatives

If all this sounds a bit overwhelming, don’t be alarmed. If you have all the skills necessary to go through this process, chances are building and maintaining a script like this isn’t a very high-leverage use of your time.

Thankfully, products like Stitch were built to solve this problem automatically. With just a few clicks, Stitch starts extracting your HIPAA data via the API, structuring it in a way that is optimized for analysis, and inserting that data into your PostgreSQL data warehouse.