Regulatory

Health Care and HIPAA

Juno Diagnostics offered prenatal genetic testing to expectant individuals, shipping the collection kit to the home so that the sample could be taken there rather than at a clinic.

Date
June 2022
Client
Juno Diagnostics

Juno Diagnostics changed how expectant individuals could access genetic testing by letting them collect a blood sample at home. A simple finger-prick device produced the sample, which was then shipped to a laboratory in California for analysis. Results went directly to both the patient and the ordering healthcare provider, with all patient information handled as protected health information (PHI) under HIPAA.

Problem Statement

Juno aimed to create an unprecedented patient experience, blending a laboratory results interface with e-learning and social media elements. They offered a range of tests: some were recreational and available without a prescription, others required a healthcare provider's order. Recreational tests could be marketed directly to patients; provider-ordered tests could not. Regardless of test type, all patient information had to be handled in strict adherence to HIPAA.

Solution

The platform was built as a set of microservices implemented in Java and Python. Transactional data lived in Postgres; certain raw JSON documents were stored in MongoDB. The services were fronted by AWS API Gateway and ran entirely within AWS. HIPAA has no certification program, so the relevant property is that AWS offers HIPAA-eligible services and signs a Business Associate Addendum (BAA), which we executed as part of our operating agreement. The BAA makes AWS contractually responsible for its share of safeguarding PHI; configuring those services correctly and keeping PHI within BAA-covered services remained our responsibility.

The API layer issued short-lived access tokens. Every login required fresh authentication (no persistent sessions), and while a user stayed active the token was refreshed automatically, but never beyond one hour from login, after which the user had to re-authenticate. All inbound traffic was HTTPS only, and traffic between services inside AWS was also encrypted. AWS Web Application Firewall (WAF) sat in front of the API to filter and rate-limit web traffic before it reached the services.
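The token lifecycle described above, as an added example that is not Juno's code: access tokens are HMAC-SHA256 signed (the signing scheme, the 5-minute access token TTL and the per-process signing key are assumptions, not details from the case study), refresh re-issues a token for an active user, and the absolute one-hour session cap is carried inside the token so no refresh can extend it.

```python
# Added example (not Juno's code): short-lived access tokens with automatic
# refresh, capped by a one-hour absolute session lifetime.
# Assumptions not stated in the case study: HMAC-SHA256 signed tokens with a
# server-held key, a 5-minute access token TTL, and a session cap measured
# from the original login.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ACCESS_TTL = 5 * 60     # seconds an individual access token stays valid (assumed)
SESSION_MAX = 60 * 60   # absolute lifetime of a session from login (the page's one hour)
SIGNING_KEY = secrets.token_bytes(32)  # per-process key for the demo (assumed)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode("ascii"), hashlib.sha256).digest())


def _mint(user_id: str, session_exp: int, now: int) -> str:
    # The access token never outlives the session: exp is clamped to session_exp.
    claims = {
        "sub": user_id,
        "iat": now,
        "exp": min(now + ACCESS_TTL, session_exp),
        "session_exp": session_exp,
    }
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def login(user_id: str, now: int) -> str:
    """Start a session after a fresh authentication; the one-hour cap is fixed here."""
    return _mint(user_id, now + SESSION_MAX, now)


def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= claims["exp"]:
        return None
    return claims


def refresh(token: str, now: int) -> Optional[str]:
    """Re-issue a token for an active user. Returns None when the presented
    token is invalid or expired, or when the session has reached its cap;
    in both cases the client must send the user back through login."""
    claims = verify(token, now)
    if claims is None or now >= claims["session_exp"]:
        return None
    return _mint(claims["sub"], claims["session_exp"], now)


def session_lifetime(user_id: str, t0: int, step: int) -> int:
    """Simulate a client that refreshes every `step` seconds and report how
    many seconds pass before the platform demands a fresh login."""
    token = login(user_id, t0)
    now = t0
    while token is not None:
        now += step
        token = refresh(token, now)
    return now - t0
```

A client that refreshes every four minutes stays logged in for exactly SESSION_MAX seconds and not one more, because the last refresh before the cap mints a token whose `exp` is clamped to `session_exp`; a client that goes idle longer than ACCESS_TTL is sent back to login immediately. In production the signing key would live in a secrets store rather than being generated per process, or the tokens would be issued by the identity provider.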

At the data layer we applied encryption at several levels: database-level encryption covering storage and backups, field-level encryption for most user and result data, and TLS for all inbound and outbound traffic. These layers address different threats: storage encryption protects against a lost disk or a leaked backup snapshot, while field-level encryption keeps a user or service that can query the database from reading PHI it holds no key for. On top of this, production access followed least privilege: each user and service was granted only the access its role required, so nobody could read or view data outside that scope.

We audited each downstream system to confirm that it could handle PHI under HIPAA and to determine exactly which data it needed. That review led us to select Salesforce Health Cloud as our primary CRM and patient engagement tool, and it covered our integrations with billing, data science, lab management systems, and the Electronic Health Record (EHR) systems used in provider offices.

Data sent to these downstream systems was both encrypted in transit and tokenized: identifying fields were replaced with tokens before leaving the platform, so a downstream system received only the data it needed and raw PHI was not exposed even if the transfer or the receiving system were compromised. We also deployed auditing and monitoring to track every access to patient data; the tooling documented usage and raised immediate alerts on unauthorized access attempts. Deployments and changes to environment configuration were logged and audited in the same way, giving full traceability for compliance reviews.
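Tokenization of an outbound record plus the audit trail on detokenization, as an added example that is not Juno's code and does not represent whatever tokenization service the platform actually used: the list of PHI fields, the token format and the allow-list of services permitted to resolve tokens are all assumptions. Only the vault holds the token-to-value mapping; downstream systems get tokens, and every attempt to resolve one is recorded, with refused attempts surfaced as the events a monitoring rule would alert on.

```python
# Added example (not Juno's code): tokenizing PHI before it is sent to a
# downstream system, and auditing every attempt to map a token back.
# Assumptions not stated in the case study: the set of PHI fields, the
# token format, and the allow-list of services permitted to detokenize.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fields that must never leave the platform in the clear (assumed list).
PHI_FIELDS = frozenset({"patient_name", "date_of_birth", "email", "phone"})

# Services allowed to resolve tokens back to PHI (assumed allow-list).
DETOKENIZE_ALLOWED = frozenset({"results-service", "billing-service"})


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    actor: str
    action: str        # "tokenize" or "detokenize"
    field_name: str
    permitted: bool


class TokenVault:
    """Holds the only copy of the token -> PHI mapping. Downstream systems
    receive tokens and must call back (and be audited) to resolve them."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Tuple[str, str]] = {}    # token -> (field, value)
        self._by_value: Dict[Tuple[str, str], str] = {}    # (field, value) -> token
        self.audit: List[AuditEvent] = []

    def _token_for(self, field_name: str, value: str) -> str:
        # The same (field, value) always yields the same token, so downstream
        # systems can join records on it without ever seeing the value.
        key = (field_name, value)
        if key not in self._by_value:
            token = f"tok_{field_name}_{secrets.token_urlsafe(16)}"
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def tokenize(self, actor: str, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of `record` with every PHI field replaced by a token."""
        out: Dict[str, str] = {}
        for name, value in record.items():
            if name in PHI_FIELDS:
                out[name] = self._token_for(name, value)
                self.audit.append(AuditEvent(time.time(), actor, "tokenize", name, True))
            else:
                out[name] = value
        return out

    def detokenize(self, actor: str, token: str) -> Optional[str]:
        """Resolve a token for an allow-listed actor; log and refuse anyone else."""
        entry = self._by_token.get(token)
        permitted = actor in DETOKENIZE_ALLOWED
        field_name = entry[0] if entry else "unknown"
        self.audit.append(AuditEvent(time.time(), actor, "detokenize", field_name, permitted))
        if not permitted or entry is None:
            return None
        return entry[1]

    def unauthorized_events(self) -> List[AuditEvent]:
        """Refused detokenize attempts: what a monitoring rule would page on."""
        return [e for e in self.audit if e.action == "detokenize" and not e.permitted]


def contains_phi(payload: Dict[str, str], record: Dict[str, str]) -> bool:
    """Pre-send check: True if any raw PHI value from `record` survives in `payload`."""
    raw_values = {record[f] for f in PHI_FIELDS if f in record}
    return any(v in raw_values for v in payload.values())
```

The `contains_phi` check is the guard to run on every outbound payload right before it leaves the platform, independent of the tokenizer, so that a new field added to a record later cannot silently leak PHI just because it was never added to the PHI list.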

Challenges

Navigating the twin challenges of staffing and training presented a significant learning curve, particularly in the realm of HIPAA compliance. As someone new to these regulations, I dedicated myself to a thorough study and sought guidance from knowledgeable consultants to devise an effective strategy. Additionally, it was crucial to recruit skilled professionals who could offer recommendations, implement solutions, and conduct audits, all while adhering to the tight budget constraints typical of a startup.

This financial limitation meant we couldn't bring on board as many staff members as we ideally wanted, which inevitably led to delays in deployment schedules. Despite these obstacles, we remained committed to finding the most efficient and effective solutions within our means, ensuring both compliance and progress.

Tools

  • IntelliJ
  • AWS (various)
  • Java/Spring
  • Python
  • REST
  • Miro
