When designing health care applications, most developers would love a succinct list of features included HIPAA-compliant software. There are a plethora of web sites if you search for HIPAA requirements. Most of these provide information for health care providers and health insurance claim processors. You can spend hours combing through federal registers (CFR) and government websites to find information relevant to HIPAA-compliant software development.
We’ve combed through this information and compiled a list of resources to help you start developing HIPAA-compliant software.
The health care market
According to Allied Market Research, “The U.S. health care IT market was valued at $97 million in 2020, and is projected to reach $344 Million by 2030.”
The Health Information Systems industry contains large and powerful players but there is room for smaller development shops as well. Development shops that embrace the ominous HIPAA rules have an opportunity to share in this market by developing health care projects passed over by the bigger shops.
HIPAA background
HIPAA rules are designed to protect the privacy of medical records in order to protect health information; the goal is to discourage discrimination based on medical history.
Since 2014, the Office of Civil Rights has the authority to audit health care organizations and to levy fines on organizations that do not comply with HIPAA rules. The office sports a reporting mechanism whereby individuals can report security breaches. These reports may trigger audits to the organization where the incident occurred.
Why should I care about HIPAA-compliant software?
As a product owner, why should I care about HIPAA? Do the regulations apply to entities that are not health care providers or claims processors? There are two reasons to care:
1. Your responsibility to protect patient data
HIPAA rules state that all subcontractors of a health care organization sign a Business Associate Agreement (BAA). The BAA places liability on the subcontractor to protect and secure all patient data that the subcontractor may encounter while executing on contracted activities. If you are developing, hosting, maintaining or supporting a health care application then you are liable for any breaches of protected health information (PHI) that concern your product, database or server.
As a subcontractor, you are required to perform a security risk audit on your company and health care product. You are required to create and maintain documentation on who is responsible for HIPAA compliance, how employees are screened before hiring, how information is secured, escalation procedures should a breach occur, how physical devices are secured, maintained and discarded, your termination procedures and so on.
2. Your responsibility to create secure health care applications
With the proliferation of cloud applications and mobile devices, security for health care applications has become more complex. Gone are the days where a dedicated mainframe, housed in the health care facility, with dedicated terminals, ran a health information system. Today, many health care applications are hosted on cloud servers and can be accessed by desktop, laptop, tablet and phone. This presents a variety of entry points for an intentional hacker.
The basics of HIPAA-compliant software for developers
HIPAA security requirements safeguard three areas: administrative, physical and access control. Here is a brief breakdown of each area:
Administrative safeguards involve
- Application access authorization
- Application log in monitoring
- Application password management
- Data backup
- Disaster recovery
- Emergency mode operations
Physical safeguards
- Facility security
- Data backup and storage
- Device security
Access control
- Unique user identification
- Automatic log off
- Encryption/Decryption
- Limit data access to a “need to know” policy
Government agencies involved with HIPAA/HITECH
Several agencies oversee or contribute to HIPAA compliance. Each has a role to play:
Centers for Medicare and Medicaid Services: Oversees HIPAA and houses the regulations and guidance information for HIPAA.
Office for Civil Rights: The CMS has delegated authority to OCR to enforce HIPAA rules and oversee health information privacy in the Office for Civil Rights under the Department of Health and Human Services.
National Institute of Standards and Technology: Creates documents to show how to implement HIPAA and perform security audits.
Valuable HIPAA resources
While there are many fine organizations to help you organize around HIPAA, it’s helpful to go to the source or credible trade organizations. Here is a list of useful links and resources:
Summary of the HIPAA Security Rule: Shows the key elements of the Security Rule including the safeguards that must be in place.
Health Information Technology: Collection, User and Disclosure Limitation Principle and FAQs. Shows when PHI can be shared without a BAA.
National Institutes of Health Privacy Rule and Research: Specifies which PHI data are protected.
National Institute of Standards and Technology NIST 800-30 Guide for Conducting Risk Assessments: How to create a risk assessment to meet the conditions of your BAA.
Government incentives and penalties incentivize health care organizations to implement IT solutions that keep populations, healthy while at the same time protect their patients’ health information. Educate your organization on HIPAA rules in order to secure Health Information System customers.
