Booking appointments, browsing prescriptions, tracking lab results - these are just some of the things healthcare providers let their patients do after logging in to their applications. To offer them, medical entities (hospitals, clinics, labs, pharmacies and more) build and protect powerful computer systems that collect and process patient information. That information is so sensitive that it requires special treatment, with strict regulations covering physical, administrative and technological safety.
That's where HIPAA compliance comes into play.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an American set of regulations that every healthcare provider, and any other entity that collects and stores medical information, has to follow. Those regulations are divided into several sets of rules covering privacy, security and more.
Although born in the United States, HIPAA's regulations are very similar to the European GDPR restrictions that apply to health data. That's why medical entities across the world make an effort to comply with this American act.
When it comes to security rules, HIPAA compliance works at three levels:
- Technical safeguards (protection of health data),
- Physical safeguards (medical device protection or media control),
- Administrative safeguards (e.g. access control, staff training).
Any team that develops HIPAA compliant software will have to deal with the Technical and Physical safeguards defined in the Security Rule.
Which healthcare applications need to follow HIPAA rules?
There are three criteria by which we can tell whether an app needs to follow HIPAA regulations: covered entities, business associates and Protected Healthcare Information.
Covered entities include all those organisations that have direct access to sensitive data. These are, for example:
- entities that engage in health plans (e.g. insurance companies, corporations that organise health plans for their employees etc.),
- clearinghouses that work with healthcare entities,
- healthcare providers (hospitals, clinics, pharmacies, dentists, doctors) that collect any electronic information about their transactions with patients.
Business associates that collect and process medical information from covered entities are also subject to HIPAA regulations.
A Protected Healthcare Information (PHI for short) record combines two dimensions: personal information and medical information. Only when the two go together can we talk about PHI and the need for HIPAA compliance. The US Department of Health and Human Services lists 18 classes of information that, combined with healthcare data, constitute Protected Healthcare Information. These are:
- Geographical data (cities, streets and house numbers, zip codes, coordinates etc.)
- Dates directly related to an individual (e.g. birth date, admission date, discharge date, date of death)
- Phone numbers
- Fax numbers
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger and voiceprints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Let me give you an example. Say there is an educational application for doctors that helps them learn about and diagnose rare cases by sharing and commenting on anonymous photos. An anonymous photo is medical information. As long as no personal information is attached (name, address, IP address or anything else from the list above), the app by definition does not store PHI.
However, if the information in the app can be traced back to a particular patient, make sure your app, as well as the servers it is hosted on, is HIPAA compliant.
Servers store, transmit or back up PHI and in this sense fall under HIPAA regulations. It doesn't matter whether your entity runs its own servers, uses a cloud backup, or uses a separate server for email or website hosting. Each of them must comply with HIPAA.
Of course, when using any third-party technology, you are obliged to sign a business associate agreement that makes your provider equally responsible for HIPAA compliance.
How to make HIPAA compliant software?
The role of HIPAA compliant technology is to safeguard the integrity, confidentiality and accessibility of health information. Such protection has several dimensions, which we cover in this part of the article.
Integrity of ePHI
Integrity standards exist to keep ePHI complete, accurate and uncorrupted. In this sense, they require mechanisms that prevent records or files from being improperly altered, destroyed, deleted or duplicated.
When looking for HIPAA compliant software, one must consider methods such as double-keying, checksum verification or digital signatures.
Beyond that, a compliant entity should conduct regular security audits and analyse application logs and reports that allow thorough risk assessment.
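As an added illustration of checksum verification and keyed integrity protection (this is example code written for this article, not software from any HIPAA project), the block below seals a constructed lab-result record with a plain SHA-256 checksum and an HMAC-SHA256 integrity tag, then shows why the checksum alone is not enough: someone who can edit the record can recompute the checksum, but cannot forge the keyed tag without the key. The record fields, the key and the function names are all assumptions for the example; a digital signature with an asymmetric key pair would give the same tamper-evidence property.

```python
"""Tamper-evident ePHI records: checksum plus keyed integrity tag (HMAC).

Added example, not code from the original article. A real deployment keeps
the integrity key in an HSM or secrets manager; here it is a constructed
constant so the example runs offline.
"""
import hashlib
import hmac
import json

# Constructed key for the example only; never hard-code a real integrity key.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so the same content always
    yields the same bytes (key order and whitespace must not matter)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Plain SHA-256 checksum: detects accidental corruption (bit rot,
    truncated backups) but NOT deliberate edits, since anyone who can
    change the record can recompute the checksum too."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def integrity_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag (HMAC-SHA256): only a holder of the key can produce a
    matching tag, so it also detects deliberate modification by anyone
    who lacks the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def seal(record: dict) -> dict:
    """Return the stored form of a record carrying both protections."""
    return {"record": record, "checksum": checksum(record),
            "tag": integrity_tag(record)}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Re-derive both values and compare them in constant time.
    Returns which checks passed so the caller can log the outcome."""
    record = sealed["record"]
    checksum_ok = hmac.compare_digest(sealed["checksum"], checksum(record))
    tag_ok = hmac.compare_digest(sealed["tag"], integrity_tag(record, key))
    return {"checksum_ok": checksum_ok, "tag_ok": tag_ok,
            "intact": checksum_ok and tag_ok}


def main() -> None:
    # Constructed sample record (no real patient data).
    record = {"mrn": "MRN-000123", "result": "HbA1c 6.1%", "date": "2024-01-09"}
    sealed = seal(record)
    print(verify(sealed))  # both checks pass

    # Accidental corruption: the stored value changes, checksum and tag both fail.
    corrupted = json.loads(json.dumps(sealed))
    corrupted["record"]["result"] = "HbA1c 6.7%"
    print(verify(corrupted))

    # Deliberate edit by someone without the key: they can recompute the
    # checksum, but the tag no longer matches.
    forged = json.loads(json.dumps(sealed))
    forged["record"]["result"] = "HbA1c 5.0%"
    forged["checksum"] = checksum(forged["record"])
    print(verify(forged))


if __name__ == "__main__":
    main()
```

The outcome of verify() is what the integrity audit described above should record: a failed checksum with a failed tag points to corruption or an unkeyed edit, while a passing checksum with a failing tag points to an edit made by someone who could rewrite the stored record but did not hold the key.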
Confidentiality - data encryption
According to HIPAA, data should be encrypted at all stages - while at rest and while in transit.
Data at rest is data that is not actively moving from one device or network to another, for example data stored locally on laptops, flash drives or hard drives. Protecting it means applying at-rest encryption. Although less exposed, data stored on hard drives is often considered more valuable than data in transit. When designing HIPAA compliant software, make sure your platforms (e.g. cloud solutions) use robust encryption of data at rest.
Data in transit is data that is moving from one device or network to another, either over the Internet or over a private network; one example is a transfer from a local storage device to the cloud. Before the data travels, it must be protected by a robust encryption algorithm and sent over a secure connection (HTTPS, SSL/TLS, FTPS or other protocols; note that the old SSL protocol versions are deprecated, so in practice this means TLS).
Another way to protect data in transit is to require a password or a token to authenticate the transfer to a third party.
Sensitive data such as medical records, pre-existing conditions or current health status simply can't get into the wrong hands. Access control standards are there to make sure that only authorised personnel can read or edit ePHI records. Let's take a look at the access control features of HIPAA compliant software.
A unique user login and a clear permission scheme are the place to start. Every user who is permitted to access and communicate PHI must have a so-called unique user identifier that is linked to the corresponding action logs. The system should grant access only after identity verification, which can be provided by strong passwords, PIN codes, physical tokens or biometric data such as Touch ID, Face ID or voice patterns.
Automatic logoff after a certain (short) period of inactivity prevents unauthorised users from accessing PHI when a device is left unattended.
An emergency access procedure covers power failures, cyberattacks or other incidents that cut the system off unexpectedly. Examples include offsite backups of ePHI or paper copies of critical procedures. What matters is that covered entities and business associates have to design and implement emergency access procedures before an emergency happens.
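The three access control features above (unique user identifier tied to an action log, a permission scheme, and automatic logoff after inactivity) are shown together in the added example below. It is example code written for this article, not software from any HIPAA project: the user ids, record ids, the 10-minute idle timeout and the class and method names are all assumptions, and identity verification (password, token, biometrics) is assumed to have already happened before open_session() is called. The clock is injected so the timeout can be driven deterministically.

```python
"""Access control for an ePHI application: unique user identifiers, a
per-user action log, and automatic logoff after inactivity.

Added example, not code from the original article. Identity verification
is assumed to have happened before open_session() is called.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set
import secrets
import time

IDLE_TIMEOUT_SECONDS = 10 * 60  # constructed policy value: log off after 10 idle minutes


@dataclass
class Session:
    user_id: str          # the unique identifier of the logged-in person
    last_activity: float  # clock reading of the most recent request


class SessionManager:
    def __init__(self, permissions: Dict[str, Set[str]],
                 clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        # Permission scheme: which record ids each user id may read.
        self._permissions = permissions
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}
        # Append-only audit trail; every entry carries the unique user id,
        # which is what makes the log attributable to one person.
        self.audit_log: List[dict] = []

    def _log(self, user_id: str, action: str, detail: str = "") -> None:
        self.audit_log.append({"time": self._clock(), "user_id": user_id,
                               "action": action, "detail": detail})

    def open_session(self, user_id: str) -> str:
        # Unguessable session id. A shared or generic account here would
        # make the audit log meaningless, so user_id must be per person.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user_id, self._clock())
        self._log(user_id, "login")
        return session_id

    def current_user(self, session_id: str) -> Optional[str]:
        """Return the user id behind a live session, or None once the
        session is unknown or has been logged off automatically."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            # Automatic logoff: the unattended session is closed server-side,
            # so a device left logged in cannot be used to reach ePHI.
            del self._sessions[session_id]
            self._log(session.user_id, "auto_logoff")
            return None
        session.last_activity = now
        return session.user_id

    def access_record(self, session_id: str, record_id: str) -> bool:
        """Attempt to read an ePHI record. Denied reads are logged as well,
        since they are exactly what a risk assessment wants to see."""
        user_id = self.current_user(session_id)
        if user_id is None:
            return False
        allowed = record_id in self._permissions.get(user_id, set())
        self._log(user_id, "read" if allowed else "read_denied", record_id)
        return allowed


def main() -> None:
    fake_now = [0.0]                                   # constructed clock
    manager = SessionManager(permissions={"u-100": {"MRN-1"}},
                             clock=lambda: fake_now[0], idle_timeout=60)
    sid = manager.open_session("u-100")
    print(manager.access_record(sid, "MRN-1"))         # True: permitted
    print(manager.access_record(sid, "MRN-2"))         # False: not in scheme
    fake_now[0] = 100.0                                # 100 s idle > 60 s
    print(manager.access_record(sid, "MRN-1"))         # False: auto logoff
    for entry in manager.audit_log:
        print(entry)


if __name__ == "__main__":
    main()
```

The design choice worth noting is that expiry is enforced on the server at the next request rather than trusting the client to log itself off; a client-side timer is a convenience, but the server-side check is what actually closes the unattended session.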
Why violating HIPAA rules does not pay off
With great power comes great responsibility. This quote, popularised by Peter Parker (aka Spider-Man), fits the heavy load of sensitive medical data perfectly.
Breaches and violations of HIPAA compliance may result in fines for non-compliance ranging from 100 USD to as much as 50 000 USD per incident (up to 1.5 million USD per year per violation).
IBM's 2019 data breach study states that healthcare organisations carry the highest costs associated with data breaches. The average cost of a single breach of healthcare data was nearly 6.5 million USD over the last 9 years. That's over 60% more than for data breaches in other industries.
Reason enough to take HIPAA compliance very seriously.
Safe data saves healthcare apps
The development of healthcare technologies is not going to cease any time soon. We track our health habits (mHealth), use wearables and exercise with the help of applications. At the same time, as digitisation speeds up, clinics are introducing telemedicine services and laboratories are giving patients online access to lab results.
All the data we store in our mobile applications can be easily shared with our doctors and healthcare providers.
According to the Edelman Trust Barometer, close to 50% of people believe that the application of technology to healthcare leads to better outcomes for patients. We can expect the number of healthcare providers that leverage technology to make their services more accessible, faster and better suited to individual patients to rise significantly in the next five to ten years.
The technical, physical and administrative safeguards covered by HIPAA regulations make doctors and the owners of clinics or pharmacies lose sleep. No wonder: fines for HIPAA violations can be severe and painful even for an industry as prosperous as healthcare.
Software development teams will have a big share in bringing technology to healthcare at scale. Naturally, building HIPAA compliant software will become the only way to ensure an adequate level of protection for sensitive healthcare information.
Legal restrictions might be burdensome, but we always take them into consideration while building digital products and follow the changes in the law that can affect app development. Don't hesitate to get in touch with our experts for more information about designing HIPAA compliant applications.