What you should know about HIPAA compliance when developing healthcare mobile apps, web portals, cloud servers, etc.!
When architecting healthcare mobile apps and software systems it is imperative to have a thorough understanding of HIPAA compliance, and of the safeguards and implementation specifications that such systems must provide to ensure the privacy and security of ePHI (electronic Protected Health Information).
“HIPAA compliance is a set of federally mandated minimum security and privacy standards that must be complied with to ensure confidentiality, integrity and availability of ePHI”.
HIPAA stands for the Health Insurance Portability and Accountability Act, passed by the US Congress in 1996. Its original focus was insurance portability and administrative simplification: standardizing healthcare transactions to reduce administrative overhead, as a step toward incremental insurance and healthcare reform.
In 2009, with health data increasingly recorded in electronic form, HIPAA was expanded by the ARRA (American Recovery and Reinvestment Act) through the HITECH Act (Health Information Technology for Economic and Clinical Health Act).
The HITECH Act expanded the scope of privacy and security protections available under HIPAA, allowing for enhanced enforcement and increased penalties for non-compliance.
Today HIPAA deals with Security and Privacy of ePHI (electronic Protected Health Information). HIPAA Security and Privacy Standards are the federally mandated “minimum floor” rules to ensure Confidentiality, Integrity and Availability of ePHI.
HIPAA and Healthcare Apps
Adherence to HIPAA is federally mandated for any organization that provides IT services to the healthcare industry (e.g. managing IT infrastructure, mobile app development, web portal development, architecting cloud solutions) and in doing so creates, receives, maintains, stores, or transmits ePHI.
Thus HIPAA compliance is not just for healthcare organizations (e.g. hospitals, doctors' offices, insurance companies) but applies to IT organizations that work with ePHI. A healthcare organization using the services of an IT organization or subcontractor must have a Business Associate Agreement (BAA) in place, which contractually binds the partnering IT firm to HIPAA's requirements. Note that the BAA obligates the business associate but does not by itself make the firm compliant; since HITECH, business associates are directly liable for violations of the rules they are bound to.
The HIPAA Security Rule standards ensure the Confidentiality, Integrity and Availability of ePHI. Its safeguards are divided into the following three categories:
- Physical Safeguards (4 standards, 8 implementation specifications): define policies and procedures on workstation use and on limiting physical access to the hardware and facilities (e.g. workstation locations, servers and devices) that hold ePHI.
- Technical Safeguards (5 standards, 7 implementation specifications): define policies and procedures for the technology used to access, store and transmit ePHI (access control, audit controls, integrity, authentication and transmission security).
- Administrative Safeguards (9 standards, 21 implementation specifications): define the overall policies and procedures an organization must have in place to establish a corporate culture of HIPAA compliance (risk analysis, workforce training, incident response, contingency planning, business associate contracts and the like).
Each of these safeguard categories has defined security standards. Of the 18 standards, 12 have implementation specifications and 6 do not (for those 6 the standard itself is the requirement).
Every standard is mandatory; its implementation specifications are marked either Required (R) or Addressable (A):
- Required (R): the implementation specification is mandatory and must be implemented as written.
- Addressable (A): the implementation specification must be reasonably assessed for the organization's environment. If it is reasonable and appropriate it must be implemented; if not, the decision must be documented and an equivalent alternative measure put in place so that the standard is still met. Addressable does not mean "optional", and the assessment itself must be written down.
The Technical and Physical safeguards provide direct guidance on the processes and best practices that must be built into the software development process and the final product (mobile app, web portal, etc.).
The Administrative safeguards provide overall guidance on the best practices and organizational policies that must be in place.
Making your product HIPAA Compliant!
To ensure that software (whether a web portal, a cloud-based system, a remote server or a web app) is HIPAA compliant, the following standards must be implemented.