What is HIPAA and what does HIPAA have to do with IT Companies?
Software development goes hand in hand with enforcing legislation of a particular country. Non-compliance to the law can lead to serious consequences, including penalties and ban on software use. Healthcare is the industry where the use of the software is regulated at the national level. Each country has its regulatory documents for the development of medical digital solutions. They are, for example, HIPAA in the USA, GDPR in Europe, PIPEDA in Canada, and so on. Observing these standards is important for successful software implementation and circulation.
In this article, we will analyze the American Health Insurance Portability and Accountability Act (HIPAA) and HIPAA compliance software requirements. The article will be useful for the developers of medical software for the USA market. We will discuss:
- what kind of information needs protection according to HIPAA;
- how exactly HIPAA regulates data protection;
- what it has to do with IT companies;
- what the consequences of HIPAA violation are;
- how to meet HIPAA compliance software requirements;
- what pitfalls you should be aware of when developing HIPAA compliant solutions;
- how HIPAA software security requirements correlate with European legislation.
We will also provide you with a HIPAA compliance checklist for information technology companies.
What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA) was first put into effect in 1996. Its task was to modernize the flow of health-related data and to protect it from fraud and theft. Since then, the Act has undergone the number of changes (with the latest being put into action in 2020). The HITECH Act adopted in 2009 expanded HIPAA regulations in the sphere of technology use.
HIPAA compliance regulations constitute a set of regulatory standards that outline the lawful use of protected health information (often abbreviated as PHI). Companies that deal with such information should ensure that sensitive patient data is not misused. They should imply administrative, physical, and technical safeguards, specific technical policies, and network security.
Administrative safeguards are administrative policies and procedures bound to the security management process. They include risk analysis and management, workforce security, information access management, and security awareness and training.
Physical safeguards stand for physical actions that ensure facility access limitations. Such limitation is set on transferring, disposing of, removing, and reusing of electronic protected health information (ePHI).
Technical safeguards include best practices for protecting data and systems with the help of technology. They control access to ePHI so that only authorized users can deal with sensitive patients’ data. Technical safeguards include network encryption, access control, activity audits control, integrity, person or entity authentication, and transmission security.
Technical policies include integrity control, IT disaster recovery, and offsite backup procedures. They ensure quick remediation od electronic media errors or failures and accurate recovery of patients’ data.
Network security concerns various methods of data transmission via the Internet or private networks.
What Kind of Health Information Needs Protection?
Protected health information (PHI) is any demographic information that can be used to identify a person. It includes any structured and unstructured data, such as names, addresses, emails, phone numbers, medical records, bank accounts, billing information, insurance information, video, audio chats, photos, scans, etc.
Since nowadays most of the operations with patient’s data are computerized, the new term, electronic protected health information (ePHI) is used. Common examples of ePHI applications are computerized physician order entry systems (CPOE), electronic health records (EHR), therapeutic apps, and various telemedicine solutions. Companies include ePHI associated with their activities into their HIPAA compliance requirements checklists.
How does HIPAA Regulate Data Protection?
As at present, HIPAA constitutes a set of rules, such as Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, Enforcement Rule, Minimum Necessary Rule, Access Controls, etc. On the ground of these rules, providers form their HIPAA compliance audit checklist, which developers of IT solutions should be aware of.
HIPAA Privacy Rule
Also known as “Standards for Privacy of Individually Identifiable Health Information”, this Rule sets standards for patients’ rights concerning PHI. They include the right to access PHI, the right to receive a notice of privacy practices, etc. These standards also give recommendations for privacy training and corruption prevention.
HIPAA Security Rule
Also referred to as “Security Standards for the Protection of Electronic Protected Health Information”, this Rule sets standards for secure maintenance, transmission, and handling ePHI. It outlines administrative, physical, and technical safeguards any healthcare provider should meet. HIPAA Security Rule , especially technical safeguards listed in this Rule, is of great importance for software developers.
HIPAA Breach Notification Rule
It describes steps companies should follow in case of a data breach. It outlines the notification process and describes the necessary elements of the breach notification message.
HIPAA Omnibus Rule
It outlines the rules for Business Associate Agreements, the contracts that must be executed before transference of the data.
HIPAA Enforcement Rule
This Rule governs the investigations following a breach of PHI and penalties imposed for safety procedures violation.
The Minimum Necessary Rule
The Rule states that employees should only have access to the minimum PHI needed to perform their job duties.
What does HIPAA have to do with IT Companies?
HIPAA data security requirements apply to two categories of organizations: covered entities (these include healthcare providers etc.) and business associates (organizations or individuals who act as vendors or subcontractors and in this role have access to PHI). The second group comprises data processing and data storage companies, data transmission providers, etc. If your company provides IT services or develops software that somehow touches PHI, it also belongs to the business associates group. A healthcare provider should enter into a “Business Associate” contract with you, and you also become responsible for meeting HIPAA software security requirements.
HIPAA Violation Consequences
HIPAA compliance is obligatory for all healthcare providers on the territory of the USA. Any violation of HIPAA regulations is subject to penalties. HIPAA Enforcement Rule describes four levels of regulations violation, from unaware violation to willful neglect unmitigated within 30 days. The fines vary from $100 to $ 50,000. Apart from monetary sanctions, HIPAA compliance regulations violation can have a significant negative effect on the provider’s reputation. Companies that violate HIPAA can face sanctions from professional boards and face criminal charges up to imprisonment. The most common violations in terms of the software include the lack of protection of patients’ records, inability to access patients’ records, misuse and unauthorized disclosure of PHI. You may also use HIPAA compliance reports as a guideline.
HIPAA Compliance Regulations and Software Development
As we could see, for IT companies specializing in the development of medical digital solutions, HIPAA compliance is crucial. Yet, it might be difficult in the beginning to understand how all the above-mentioned regulations relate to software development. So, let’s “translate” them into software features mandatory for HIPAA security compliance checklist.
Documentation processing mode
Documenting every single step is an inevitable routine for medical professionals. Efficient software facilitates documentation processing and secures data storage.
Regular audits are an integral part of the healthcare providers’ work. Thus, medical companies need utilized audits that help to analyze risks and errors in the data processing. HIPPA regulation does not identify what exact data should be audited or how often the audit control should take place. So, rely on the specificity of the client’s business as a guideline.
According to HIPAA compliance regulations, every business dealing with PHI should have a recovery plan in case something happens to patients’ data. It should cover major tasks for securing data, a plan for preventing security risks, and documentation on completed and scheduled safety procedures.
Meeting Omnibus Rule regulations
In case a healthcare provider has contractors managing ePHI, the company’s software should be able to monitor the agreements connected with entrustment clients’ data to business associates.
Good software should prevent data breaches, and create automated reports in case of unwelcome interference. A key component of secure health data management is data encryption. For health solutions, encrypting data “on the wire” and “at rest” is a good option, though, some companies divide data between PHI and non-PHI systems and apply higher security standards to the former.
Emergency access procedure
Facilities for informing staff and patients in case of threats and emergencies should be utilized. Unique user authentication For HIPAA compliant software, multi-factor authentication (at least, two-factor) is strongly recommended. It is better if the system eliminates the possibility of accessing an account from multiple locations or devices simultaneously.
Role-based access control
Though the way to meet the HIPAA access control standard is not specified in the documentation, it is easiest to meet HIPAA data security requirements via the role-based control. According to this method, each user’s role allows access only to such amount of data that is necessary to perform the corresponding job duties.
The screen should automatically log off when left unattended for a certain period to prevent unauthorized access to data. It better if this feature is implemented into configuration settings.
Health solutions should be comprehensive and user-friendly for medical staff. It will prevent unintentional violations of security procedures and data breaches.
Potholes in the Development of HIPAA Compliant Software
Meeting all above mentioned HIPAA software requirements is an important step towards high-quality software development. Yet, you should understand that mere implementation of these features will not necessarily prevent you and your client from HIPAA violation. You need to make it clear for the client that, when used improperly in clinical settings the solution can fail to maintain HIPAA compliance regulations even if it comprises all necessary features. The medical staff should be instructed and trained to use clinical software. Strong and long-lasting technical support is also highly recommended. Some experts also warn about the security threats that can occur in the case of scaling digital healthcare solutions . It is important to consider HIPAA compliant server requirements for information storage.
Our Experience in Following HIPAA Software Security Requirements
The biggest challenge for IT companies specializing in software development for the USA market is that there is no 3rd party HIPAA certification. So, it is your responsibility to ensure if your products meet all HIPAA software requirements. Having studied regulatory documents and the experience of other companies, we have created a checklist for our developers with all the necessary features healthcare products should contain. You will find it at the end of this article. However, not all of our clients are from the USA. Stfalcon.com healthcare apps and other digital solutions for Europe, as well. Thus, we delved into the question to check if there is any significant difference in data protection requirements for medical software in the USA and Europe.
HIPAA and European Healthcare Software Regulations
As we have mentioned before, you should take into account HIPAA regulations only in case of developing digital solutions for the USA. To improve clarity, let us see how it corresponds to European standards. In the European Union, data protection is ensured by the General Data Protection Regulation (GDPR). The GDPR covers all data from which a person can be identified, whether directly or indirectly. Thus, GDPR covers a larger amount of data compared to HIPAA data security requirements, including ethnic origin, religious beliefs, sexual orientation, etc. In terms of health data, GDPR and HIPAA are similar, though while HIPAA is mostly focused on organizations that handle PHI within the USA, GDPR has a much broader scope of coverage and protects personal data of European citizens not only on the territory of the EU but elsewhere. This is, by the way, an important notion for American healthcare organizations that handle EU patients’ information. Does it impose any additional demands on software development in Europe compared to the USA? Indeed, yes. Consider, for example, such interesting obligatory functions as pseudonymization by default or the right to be forgotten. But this is a good topic for another article. So far, it will be enough to understand that different countries have different legislation overlapping software development.
HIPAA Compliance Software Checklist for Developers
So, here is a HIPAA data security checklist we use in our practice. It contains the following features:
- Is unique user authentication applied to track user activity with PHI?
- Does access control mode restrict users’ access to PHI that they don’t need for performing their job duties?
- Is there a recovery plan and does it envisage any possible incidents?;
- Does emergency access mode provide appropriate access to ePHI in the case of an emergency?
- Do activity logs and audit controls function properly and correspond to the specificity of the client’s workflow?
- Does the solution have an automatic logoff feature
- Is the integrity of data ensured?
- What data encryption and decryption mechanisms are applied? Are they relevant?
- Can data be easily restored? How is data backup organized?
To Sum Up
The development of reliable healthcare solutions that comply with national regulations is not an easy thing. One should keep in mind various requirements and features. Use our HIPAA data security checklist to ensure your solution contains all necessary elements to be HIPAA compliant. Contact Stfalcon.com specialists to get more information on how to create a reliable and profitable healthcare software. We are ready to contribute to the development of your next HIPAA compliant medical digital solution.
Originally published at https://stfalcon.com.