When designing a healthcare application, most developers would love a succinct list of the features a HIPAA-compliant application must include. Searching for HIPAA requirements returns a plethora of web sites, but most of them target healthcare providers and health insurance claim processors. A person can spend hours combing through the Code of Federal Regulations (CFR) and pages of documents on government web sites to find the information specific to software developers.
This article attempts to provide a little background on HIPAA and to save you time with a list of helpful resources for getting started.
The healthcare market
According to Allied Market Research, “The U.S. healthcare IT market was valued at $97 million in 2020, and is projected to reach $344 Million by 2030.”
The Health Information Systems industry contains large and powerful players, but there is room for smaller development shops as well. Development shops that embrace the daunting HIPAA rules have an opportunity to share in this market by taking on the healthcare projects passed over by the bigger shops.
HIPAA background
HIPAA rules are designed to protect the privacy of medical records in order to protect health information; the goal is to discourage discrimination based on medical history.
Since 2014, the Office for Civil Rights has had the authority to audit healthcare organizations and to levy fines on those that do not comply with HIPAA rules. The office provides a reporting mechanism through which individuals can report security breaches, and these reports may trigger an audit of the organization where the incident occurred.
Why should I care?
As a product owner, why should I care about HIPAA? Do the regulations apply to entities that are not healthcare providers or claims processors? There are two reasons to care:
1. Your responsibility to protect patient data
HIPAA rules require that all sub-contractors of a health care organization sign a Business Associate Agreement (BAA). The BAA places liability on the sub-contractor to protect and secure all patient data it may encounter while carrying out the contracted activities. If you develop, host, maintain or support a health care application, you are liable for any breach of protected health information (PHI) that involves your product, database or server.
As a sub-contractor you are required to perform a security risk audit of your company and your healthcare product. You must also create and maintain documentation covering who is responsible for HIPAA compliance, how employees are screened before hiring, how information is secured, the escalation procedures should a breach occur, how physical devices are secured, maintained and discarded, your termination procedures, and so on.
2. Your responsibility to create secure health care applications
With the proliferation of cloud applications and mobile devices, securing healthcare applications has become more complex. Gone are the days when a health information system ran on a dedicated mainframe housed in the healthcare facility and accessed from dedicated terminals. Today, many healthcare applications are hosted on cloud servers and can be accessed from desktops, laptops, tablets and phones. This presents a variety of entry points for an attacker.
The basics of HIPAA for software developers
HIPAA security requirements cover three areas of safeguards: administrative, physical and access control. Here is a brief breakdown of each area:
Administrative safeguards
- Application access authorization
- Application login monitoring
- Application password management
- Data backup
- Disaster recovery
- Emergency mode operations
Physical safeguards
- Facility security
- Data backup and storage
- Device security
Access control
- Unique user identification
- Automatic log off
- Encryption / Decryption
- Limit data access to a ‘need to know’ policy
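As an added example that is not part of the original article, the following Python module sketches a small PHI access layer implementing three of the four access-control items above (unique user identification, automatic log off after an idle period, and need-to-know field access) and records an audit trail that feeds the login-monitoring item under administrative safeguards. The roles, field names, timeout value and sample record are assumptions constructed for the example; encryption at rest is left to the storage layer and not shown.

```python
import time
import uuid
from dataclasses import dataclass
IDLE_TIMEOUT_SECONDS = 15 * 60   # automatic logoff after 15 idle minutes (assumed policy value)
# Need-to-know policy: the PHI fields each role may read (assumed roles and fields).
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
}
# Constructed sample record with fictional data.
SAMPLE_RECORDS = {"p-1001": {"name": "Jane Doe", "diagnosis": "J45.20",
                             "medications": ["albuterol"], "insurance_id": "INS-555-01"}}

@dataclass
class Session:
    user_id: str          # unique user identification: one ID per person, never shared
    role: str
    last_activity: float

class PhiAccessLayer:
    # Gatekeeper in front of a PHI store; encryption at rest is assumed to be
    # provided by the store itself and is not shown here.
    def __init__(self, records, clock=time.monotonic):
        self._records, self._clock = records, clock   # injectable clock for tests
        self._sessions = {}
        self.audit = []   # (time, user_id, action, detail): feeds login monitoring

    def login(self, user_id, role):
        token = uuid.uuid4().hex   # opaque per-login session token
        self._sessions[token] = Session(user_id, role, self._clock())
        self.audit.append((self._clock(), user_id, "login", role))
        return token

    def read(self, token, patient_id, fields):
        sess = self._sessions.get(token)
        if sess is None:
            raise PermissionError("no active session")
        now = self._clock()
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:   # automatic logoff
            del self._sessions[token]
            self.audit.append((now, sess.user_id, "auto_logoff", ""))
            raise PermissionError("session expired; log in again")
        sess.last_activity = now
        denied = set(fields) - ROLE_FIELDS.get(sess.role, set())   # need to know
        if denied:
            self.audit.append((now, sess.user_id, "denied", sorted(denied)))
            raise PermissionError(f"role {sess.role!r} may not read {sorted(denied)}")
        self.audit.append((now, sess.user_id, "read", (patient_id, sorted(fields))))
        return {f: self._records[patient_id][f] for f in fields}
```

Every denied read and every automatic logoff lands in the audit list, which is the raw material an auditor will ask for when verifying the login-monitoring and access-authorization items.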
Government agencies involved with HIPAA / HITECH
Several agencies oversee or contribute to HIPAA compliance. Each has a role to play:
Centers for Medicare and Medicaid Services: Oversees HIPAA and houses the regulations and guidance information for HIPAA.
Office for Civil Rights: CMS has delegated authority to OCR, part of the Department of Health and Human Services, to enforce the HIPAA rules and oversee health information privacy.
National Institute of Standards and Technology: Creates documents to show how to implement HIPAA and perform security audits.
Valuable HIPAA resources
While there are many fine organizations that can help you organize around HIPAA, it is best to go to the source or to credible trade organizations. Here is a list of useful links and resources:
Summary of the HIPAA Security Rule: shows the key elements of the Security Rule including the safeguards that must be in place. www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Health Information Technology: Collection, Use and Disclosure Limitation Principle and FAQs: shows when PHI can be shared without a BAA. http://hhs.gov/ocr/privacy/understanding/special/healthit/index.html
National Institutes of Health Privacy Rule and Research: Specifies which PHI data are protected. http://privacyruleandresearch.nih.gov/pr_08.asp
National Institute of Standards and Technology, NIST SP 800-30, Guide for Conducting Risk Assessments: how to create a risk assessment that meets the conditions of your BAA. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
With government incentives and penalties in place, healthcare organizations are motivated to implement IT solutions that keep populations healthy while at the same time protecting their patients’ health information. A development shop will do well to educate itself on the HIPAA rules and to secure Health Information System customers.