Leading a complex custom software development project for a healthcare organization is already tough. On top of that, you must be aware of the Health Insurance Portability and Accountability Act (HIPAA). This U.S. law was enacted in 1996 and sets strict standards for protecting protected health information (PHI), including electronic protected health information (ePHI).
As a healthcare IT leader, you're already aware of HIPAA and the need to be compliant. But what does that mean for your software development projects? In this article we'll discuss:
As mentioned above, HIPAA is a patient privacy law whose goal is to protect electronic protected health information (ePHI). PHI includes any information about a person's health that can be used to identify them. This includes things like their name, address, birth date, Social Security number, and medical records.
HIPAA compliance is mandatory for any organization that deals with PHI. This includes healthcare providers, health insurers, and any company that provides support services to the healthcare industry. Failure to comply with HIPAA can result in heavy fines from the U.S. Department of Health and Human Services (HHS).
The fines range from $100 to $50,000 per violation, with a maximum of $1.8 million per year for the same HIPAA violation (ref: https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/).
So, as you can tell, it's critically important to make sure your project delivers HIPAA-compliant software.
Before we dive into details, the first thing you need to know is you need a "BAA" in place. A BAA is a Business Associate Agreement. This is a contract between you (the HIPAA covered entity) and any company that will have access to PHI.
The BAA must outline the duties of each party, how PHI will be used, and what measures will be taken to protect it. The BAA must also stipulate that the company will not use or disclose PHI for any purpose other than providing services to the covered entity.
You can read more about BAAs and being HIPAA compliant here: https://www.hipaajournal.com/what-is-a-business-associate-agreement-baa-4264/
Whether you bring in a third-party software development organization, hire internal software developers, or choose an infrastructure-as-a-service provider, it is critical that you have a BAA in place.
In general, a BAA and the HIPAA Security Rule give the following guidelines for avoiding data breaches:
OK, this is a tricky one. Compliance is not a binary state; it's more of a spectrum. There are different levels of compliance, and it's up to you as the healthcare IT leader to decide what level is appropriate for your organization.
That's why it's important to explore the nuance of these topics with your software development and compliance teams before making decisions.
The short answer is "Yes": with proper security safeguards in place, software can be HIPAA compliant. But it's more a question of whether or not we are being willfully negligent. Your objective is to be as compliant as possible in the event of a data breach, and to have a remediation plan in place.
There are four main requirements healthcare providers need to take into consideration when developing HIPAA compliant software:
The first two requirements are known as the "security rule" and the second two requirements are known as the "privacy rule."
Let's take a closer look at each of these requirements.
But before we do, let's go through the process to get there.
To begin with, not all healthcare systems and applications need to adhere to HIPAA requirements.
Which healthcare solutions don’t need to be HIPAA compliant?
These are a few examples of healthcare applications that don’t need to be HIPAA compliant. Now, there may be some cases where these excluded services could become covered entities.
For example, if an employer requires its employees to use a fitness app to track their physical activity, the app would need to be HIPAA compliant.
Let's dig a little deeper into what PHI is. These are the 18 elements that constitute PHI:
What is PHI?
PHI stands for Protected Health Information. It is any information related to a person's health that can be used to identify them. This includes things like their name, address, date of birth, medical records, and more.
The HIPAA Privacy Rule defines 18 elements of PHI:
These are just a few of the critical components that must be considered when developing software that will be handling PHI and be HIPAA compliant.
Now that we understand what is required let's take a look at how to get there.
When we talk about the implications for a software development project, we must look at the project's phases. We need to think about the most common stages where we make decisions that might impact our HIPAA compliance.
A natural first step when embarking on a software development project is to identify what the business need is, and in the HIPAA case, determine if any patient information is required.
Protected Health Information (PHI) includes: name, address, birth date, Social Security number, medical records.
If the project will not require any patient information, then you can move on to the next stage. However, if patient information is required, then you must take steps to ensure that the information is protected in accordance with HIPAA regulations.
The next stage is to scope out the project and gather requirements. This is where you will need to work closely with the business stakeholders to determine what patient information is required and how it will be used. You will also need to determine what security measures will be put in place to protect the information.
For example, if the project requires the development of a web-based application that will be used to input and store patient information, then you will need to ensure that the application is secure. This means ensuring that only authorized users can access the application and that data is encrypted in transmission, as a basic precaution against data breaches.
It's also important that you don't make assumptions about what is required. Make sure that you ask the business stakeholders questions and get clarification on any requirements that are not clear, because if you make assumptions and get it wrong, then you could be held liable for any resulting HIPAA violations.
The next stage is to design and architect the solution. During this stage you'll describe the solution's major components, their relationships, and how they interact. You'll also need to consider how the solution will be deployed and hosted. This is where you will need to take into consideration the security measures that need to be put in place to protect the patient information.
For example, if you are designing a database to store patient information, you will need to ensure that the database is secure. This means ensuring that only authorized users can access the database and that the data is encrypted at rest.
You'll also have to think about the infrastructure needs of the solution. For example, if you are designing a web-based application, you will need to consider where the web server will be located and how the application will be deployed. Whether you are going with a cloud-based architecture such as AWS, or an on-premises solution, you will need to ensure that the data is stored in a secure location and that the proper security measures are in place.
Whether you are building a new project or maintaining an existing HIPAA-compliant software development initiative with internal software developers or a qualified partner (such as METHODIQ), you'll need to take a few things into consideration:
In order to maintain HIPAA compliance long-term, IT leaders need to develop a compliance program that provides not only the technical safeguards required by HIPAA but also the policies, procedures and training necessary to ensure that all employees are aware of their responsibilities under HIPAA.
The compliance program should include:
The compliance program should be reviewed on a regular basis and updated as needed to reflect changes in the law or changes to the way the organization handles PHI.
Keeping up with HIPAA compliance can be a challenge, but it's important to remember that the goal of the law is to protect the privacy of patients. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.
When it comes to mobile applications and HIPAA compliance, developers need to take extra care to ensure that the apps they create are secure. Here is a checklist of things to consider when creating a HIPAA-compliant mobile app:
By following these tips, developers can help ensure that their mobile apps are compliant with HIPAA and protect the privacy of patients.
The Breach Notification Rule requires covered entities to provide notification following a breach of unsecured protected health information. In general, a covered entity must provide notification to affected individuals and, in some cases, the media.
The Security Rule requires covered entities to put in place safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
The Privacy Rule establishes national standards for the protection of PHI. It gives individuals the right to access and amend their health information, and sets limits on who can use and disclose PHI.
HIPAA compliance is required for any healthcare app that handles PHI. This includes apps that are used for medical appointments, prescriptions, health records, and billing. In general, any app that could be used to identify a patient or collect information about their health should be compliant with HIPAA.
The final stage is to deploy the solution. This is where you will need to consider how the solution will be deployed and hosted.
There are many HIPAA compliance options out there, such as on-premises, cloud-based, or hybrid solutions. We typically recommend AWS and Azure as they have ready-to-go HIPAA-compliant software environments.
And lastly, but most importantly, AWS and Azure have BAAs in place, which is a requirement when handling PHI.
Although HIPAA compliance may seem daunting, it is important to remember that there are many resources available to help you achieve and maintain compliance. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.
Also by following the tips in this blog post and by working with a knowledgeable HIPAA consultant, you can rest assured that your practice is fully compliant with all of the HIPAA regulations. Have you had any experience with HIPAA compliance? What tips would you add?