By Abbas Dhilawala, CTO, Galen Data.
The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in the United States in 1996. The legislation creates data security and privacy requirements for safeguarding medical information. In recent years, HIPAA compliance has become a hot button issue for software developers in the healthcare space, as a number of high profile data breaches compromised millions of patient records across the country.
If you’re developing an eHealth or mobile health app, it is vital that you determine whether your software could be subject to the requirements of HIPAA for medical software applications. Failure to do so could subject you to thousands or even millions of dollars of liability if the use of your application results in an unauthorized disclosure of health information that is protected under HIPAA. Here’s how to tell whether HIPAA applies to you, and how to know if your software is HIPAA compliant.
Does HIPAA apply to me?
Before you start worrying about compliance with the security and privacy requirements of HIPAA, you should determine whether they can be applied to you and your organization. Both the HIPAA privacy rule and the HIPAA security rule apply to all covered entities under HIPAA, such as health plans, healthcare clearinghouses and healthcare providers. The website for Centers Medicade & Medicaid Service offers a Covered Entity Guidance Tool that can help you determine whether your organization is a covered entity.
HIPAA was expanded in 2009 with the introduction of the HITECH Act and again in 2013 with the HIPAA omnibus rule which clarified the responsibilities of business associates of covered entities when it comes to managing privacy and security of patient records. Further guidance was issued in 2016 indicating that cloud service providers would also be covered by the HIPAA privacy, security and breach notification rules.
Software developers in the healthcare space need to tread carefully here – the original regulations of HIPAA that deal with covered entities probably won’t apply to most organizations creating eHealth or mobile health products, but if your app will manage protected health information and share it with any covered entities, such as health plans or doctors, then HIPAA applies to you and you must comply.
If your software collects protected health information from patients but does not share it with a doctor or another covered entity at any point, the HIPAA rules won’t apply to you and you don’t need to worry about compliance.
Required safeguards for software HIPAA compliance
The available data indicates that while theft of computing hardware was the primary cause of healthcare data breaches in 2017, the greatest vulnerability that was exploited was health IT networks. For software developers, the HIPAA security rule is the most likely potential source of compliance issues. The rule mandates three types of safeguards that protect patient data – administrative, physical, and technical. In creating these safeguards, software developers must establish a secure application where authorized personnel have access to the required patient information while unauthorized persons do not. Patient information must also be protected from alteration or destruction.
Administrative safeguards ensure that software administrators who make have access to the data are acting responsibly. If your software stores medical data, anyone with access to that data must be authorized and trained on the ethical and legal requirements of that access. Administrative safeguards include:
- Security management process
- Security personnel
- Information access management
- Workforce training and management
Physical safeguards help to mitigate data breaches by ensuring that only authorized users can access the facilities and machines where protected health information is stored. Physical safeguards include managed policies for:
- Facility access and control
- Workstation and device security
Technical safeguards present the greatest challenge for software developers building HIPAA-compliant products, as software bugs represent the best opportunity for data attacks against your organization. HIPAA does not detail exactly what firewalls, anti-malware devices or encryption tools should be used to secure your software against a data breach, but it does indicate the need for several types of controls:
- Access controls
- Audit controls
- Integrity controls
- Transmission security
Protected health information and HIPAA
Under HIPAA, there are four types of protected health information:
- A patient’s name, address, birth date and SIN
- An individual’s physical or mental health condition
- Any care provided to an individual
- Information concerning the payment for the care provided to the individual that identifies the patient, or information for which there is a reasonable basis to believe could be used to identify the patient
The important factor when it comes to protected health information is that is must identify the patient to be covered. For data that has been de-identified or aggregated, there are no restrictions for how it is used or distributed to covered entities.
The Federal Government’s penalties for HIPAA violations can stretch into the millions of dollars, so it’s important to be sure that your software is compliant. As a rule of thumb, if your application transmits protected health information to a covered entity, HIPAA laws will apply to you. You can comply with HIPAA and protect the privacy of your users by establishing the administrative, physical and technical safeguards outlined in the HIPAA Security Rule.