15 Critical Tips for a Successful HIPAA Compliant Software Development Project

By Engineering Team

Leading a complex custom software development project for a healthcare organization is already tough. On top of that, you must be aware of the Health Insurance Portability and Accountability Act (HIPAA). This U.S. law was enacted in 1996 and, together with its implementing rules, sets strict standards for protecting protected health information (PHI) and its electronic form, electronic protected health information (ePHI).

As a healthcare IT leader, you're already aware of HIPAA and the need to be compliant. But what does that mean for your software development projects? In this article we'll discuss:

  • What is HIPAA and why do healthcare providers need to be compliant?
  • You need a BAA in place to comply with the HIPAA Privacy and Security Rules
  • Is HIPAA Compliance just a checkbox?
  • What is required to develop HIPAA compliant Software?
  • HIPAA Compliance Software Requirements
  • What are the implications of HIPAA Compliant Software Development?
  • Deploying a custom software project on a HIPAA compliant environment

 

1 - What is HIPAA and why do healthcare providers need to be compliant?


As mentioned above, HIPAA is a patient privacy law whose Security Rule protects electronic protected health information (ePHI). PHI is individually identifiable health information: any information about a person's past, present or future health, care, or payment for care that identifies them or could reasonably be used to identify them. Identifiers such as a name, address, birth date, Social Security number or medical record number become PHI as soon as they appear together with health information.

HIPAA compliance is mandatory for any organization that deals with PHI. This includes covered entities (healthcare providers, health plans and healthcare clearinghouses) and their business associates, meaning any company that creates, receives, maintains or transmits PHI on a covered entity's behalf, including software vendors and hosting providers. Failure to comply with HIPAA can result in heavy fines from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

The civil penalties are tiered by the level of culpability and range from roughly $100 to $50,000 per violation, with an annual cap (about $1.8 million at the time of writing) for violations of the same provision; both figures are adjusted for inflation each year (ref: https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/)

So, as you can tell, it's critically important that your project delivers HIPAA compliant software.

 

3 - You need a BAA in place to comply with the HIPAA Privacy and Security Rules

Before we dive into details, the first thing you need to know is that you need a "BAA" in place. A BAA is a Business Associate Agreement: a contract between you (the HIPAA covered entity) and any outside company (the business associate) that will create, receive, maintain or transmit PHI on your behalf.

The BAA must set out the duties of each party, the permitted uses and disclosures of PHI, and the safeguards that will be used to protect it. It must also stipulate that the business associate will not use or disclose PHI for any purpose other than providing services to the covered entity, will report security incidents and breaches to you, and will flow the same obligations down to any subcontractors of its own that touch PHI.

You can read more about BAAs and being HIPAA compliant here: https://www.hipaajournal.com/what-is-a-business-associate-agreement-baa-4264/

So if you bring in a third-party software development organization, or pick an infrastructure-as-a-service provider, it is critical to have a BAA with them before any PHI changes hands. Your own internal software developers are workforce members rather than business associates: they are not covered by a BAA, but they are covered by your policies, access controls and training, which the Security Rule requires you to maintain.

In general, a BAA and the HIPAA Security Rule set out the following expectations for avoiding data breaches:

  1. PHI must be stored securely
  2. PHI must be transmitted securely
  3. PHI must be accessed only by authorized personnel
  4. PHI must be destroyed when no longer needed
  5. PHI must be monitored for unauthorized access
  6. Policies and procedures must be in place to ensure HIPAA compliance
  7. HIPAA compliance must be monitored on an ongoing basis
  8. Employees must be trained on HIPAA compliance
  9. Have a remediation plan in place

 

 

3 - Is HIPAA Compliance just a checkbox?

OK, this is a tricky one. Compliance is not a binary state; it's more of a spectrum. The Security Rule is deliberately flexible: some implementation specifications are "required" and others are "addressable", and for each addressable one you must either implement it, implement and document an equivalent alternative, or document why it is not reasonable and appropriate for your environment. It's up to you as the healthcare IT leader, guided by your risk analysis, to decide what level is appropriate for your organization.

That's why it's important to explore the nuance of these topics with your software development and compliance teams before making decisions.

So can software be HIPAA compliant? The short answer is yes: with proper security safeguards in place and documented, it can. But after a breach, the question regulators ask is whether you were willfully negligent or made a reasonable, documented effort. Your objective is to be demonstrably compliant, so that if a data breach does happen you can show the safeguards you had in place and execute a remediation plan you prepared in advance.

 

4 - What is required to develop HIPAA compliant software?

There are four main requirements healthcare providers need to take into consideration when developing HIPAA compliant software:

  • The software must protect the confidentiality, integrity, and availability of PHI
  • The software must be implemented with security measures appropriate to the risk level
  • The software must be monitored on an ongoing basis
  • Employees must be trained on HIPAA compliance and a remediation plan must be in place

 

All four of these requirements flow from the Security Rule's administrative, physical and technical safeguards. The Privacy Rule, covered later in this article, is a separate rule that governs what PHI may be used or disclosed for and the rights patients have over their information.

Let's take a closer look at each of these requirements. But before we do, let's walk through the process of getting there.

 

5 - HIPAA Compliance Software Requirements

To begin with, not all healthcare systems and applications need to adhere to HIPAA requirements. HIPAA attaches to covered entities and their business associates, not to health data as such.

Which healthcare solutions don’t need to be HIPAA compliant? 

  • Health and fitness apps
  • Wellness tracking
  • General health information websites
  • Personal health journals
  • Productivity or lifestyle apps with no health data

These are a few examples of healthcare applications that don't need to be HIPAA compliant, as long as they are offered directly to consumers and not on behalf of a covered entity. Now, there are cases where one of these services does fall under HIPAA.

For example, if an employer's group health plan offers a fitness app to its members as part of a wellness program and receives their activity data, the app developer is handling PHI on the plan's behalf, needs a BAA with the plan, and the app must be HIPAA compliant.

Let's dig a little deeper into what PHI is and the 18 identifiers that turn health data into PHI.

What is PHI?

PHI stands for Protected Health Information: health information about an individual that also identifies them, or could reasonably be used to identify them. A diagnosis on its own is not PHI; a diagnosis next to a name, address, date of birth or medical record number is.

The HIPAA Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)) lists 18 identifiers. Health information linked to any of them is PHI, and a data set only counts as de-identified under Safe Harbor once all 18 have been removed:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county and ZIP code)
  • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death, plus all ages over 89
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URL
  • Internet Protocol (IP) Address
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic or code

Any of these identifiers, when attached to health information, makes the data PHI, and each one has to be accounted for in the data model of any software that will handle PHI and be HIPAA compliant.

Now that we understand what is required let's take a look at how to get there.

 

6 - What are the implications of HIPAA Compliant Software Development?

When we talk about the implications for a software development project, we have to walk through the phases of the project and think about the stages where the decisions we make might affect HIPAA compliance.

7 - Identifying the business need

A natural first step when embarking on a software development project is to identify what the business need is and, in the HIPAA case, to determine whether any patient information is required at all.

Remember that Protected Health Information (PHI) means identifiable health data: names, addresses, birth dates, Social Security numbers and medical records tied to a person's health, care or payment.

If the project will not require any patient information, then you can move on to the next stage. However, if patient information is required, then you must take steps to ensure that the information is protected in accordance with HIPAA regulations.

8 - Project scoping and requirements gathering

The next stage is to scope out the project and gather requirements. This is where you will need to work closely with the business stakeholders to determine what patient information is required and how it will be used. You will also need to determine what security measures will be put in place to protect the information.

For example, if the project requires a web-based application that will be used to enter and store patient information, then you will need to ensure that the application itself is secure. At a minimum that means only authenticated, authorized users can reach the application and all PHI is encrypted in transit (TLS) as a basic precaution against data breaches.

It's also important that you don't make assumptions about what is required. Ask the business stakeholders questions and get clarification on any requirements that are not clear, because if you make assumptions and get them wrong, you could be held liable for any resulting HIPAA violations.

9 - Designing the architecture

The next stage is to design and architect the solution. During this stage you'll describe the solution's major components, their relationships, and how they interact. You'll also need to consider how the solution will be deployed and hosted. This is where you will need to take into consideration the security measures that need to be put in place to protect the patient information.

For example, if you are designing a database to store patient information, you will need to ensure that the database is secure. This means that only authorized users and services can access it, the data is encrypted at rest, and access to it is logged.

You'll also have to think about the infrastructure needs of the solution. For example, if you are designing a web-based application, you will need to consider where the web server will be located and how the application will be deployed. Whether you are going with a cloud-based architecture such as AWS, or an on-premises solution, you will need to ensure that the data is stored in a secure location and that the proper security measures are in place.
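
As an added example (this is not code from the original post or from METHODIQ), here is what field-level encryption at rest for one PHI column can look like in Go, using AES-256-GCM from the standard library. The key, the patient ID and the diagnosis text are constructed for the example; in production the key would come from a KMS or HSM-backed key store and never be stored next to the data. The patient ID is bound in as additional authenticated data, so a ciphertext copied into another patient's row fails to decrypt instead of silently revealing the wrong person's record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Envelope is what lands in the database column: a random nonce and the
// ciphertext, base64-encoded so it fits an ordinary text column.
type Envelope struct {
	Nonce      string
	Ciphertext string
}

// newGCM wraps a 32-byte key (AES-256) in an AEAD cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one PHI value. The owning patient's ID is passed as
// additional authenticated data (AAD): it is not encrypted, but the tag covers
// it, so decryption only succeeds when the same patient ID is supplied.
func EncryptField(key []byte, patientID, plaintext string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	// A fresh random nonce per value; GCM is broken by nonce reuse under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(patientID))
	return Envelope{
		Nonce:      base64.StdEncoding.EncodeToString(nonce),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// DecryptField reverses EncryptField. Any mismatch (wrong key, wrong patient,
// modified ciphertext) is reported as one generic authentication failure so
// the caller learns nothing about which check failed.
func DecryptField(key []byte, patientID string, env Envelope) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce, err := base64.StdEncoding.DecodeString(env.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(env.Ciphertext)
	if err != nil {
		return "", err
	}
	// gcm.Open panics on a wrong-length nonce, so reject malformed rows first.
	if len(nonce) != gcm.NonceSize() {
		return "", errors.New("malformed envelope")
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(patientID))
	if err != nil {
		return "", errors.New("PHI field failed authentication")
	}
	return string(pt), nil
}

func main() {
	// Constructed example key; a real deployment fetches it from a KMS/HSM.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	env, err := EncryptField(key, "patient-123", "Type 2 diabetes, metformin 500 mg")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: nonce=%s ct=%s\n", env.Nonce, env.Ciphertext)

	pt, _ := DecryptField(key, "patient-123", env)
	fmt.Println("same patient:", pt)

	_, err = DecryptField(key, "patient-999", env) // ciphertext copied to another row
	fmt.Println("other patient rejected:", err != nil)
}
```

The database never sees the key, and the application never writes the plaintext column: that separation is what lets a stolen database dump or backup count as "secured" PHI under the Breach Notification Rule rather than a reportable breach, provided the key was not taken with it.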

10 - Development Process

Whether you are starting a new project or maintaining an existing HIPAA compliant application, with internal software developers or a qualified partner (such as METHODIQ), you'll need to take a few things into consideration:

  • Each developer must know their part in maintaining HIPAA compliance
  • A security professional should review the architecture and threat model before code is written
  • Consider the ways the application will be used, and misused
  • What data will the system process and store?
  • Are you protecting PHI both in transit and at rest?
  • Which encryption protocols and algorithms are you using (for example TLS 1.2 or later in transit, AES-256 at rest)?
  • Identify which data fields are NOT necessary (if there's no need to collect a Social Security number, don't); this is the "minimum necessary" standard applied to your data model
  • Document compliance decisions consistently across the board, for each type of information
  • Keep application activity (audit) logs that record who accessed which record and when, without writing the PHI itself into log messages
  • System testing should include security and privacy controls
  • Monitoring must be in place for ongoing compliance
  • Ongoing training
  • Use valid TLS certificates from a trusted certificate authority and keep them renewed
  • Beware of sending PHI over SMS/MMS, as those channels are unencrypted
  • Avoid putting PHI in push notifications; their content passes through third-party notification services and shows up on lock screens
  • Enforce role-based access control so each user only sees the PHI their role requires
  • Be aware of PHI embedded in transactional data such as logs, invoices, analytics events and error reports
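
As an added example (again, not code from the original post or from METHODIQ), the Go snippet below shows two of the checklist points above working together: a role-based access decision that always produces an audit line recording who, in which role, attempted which action on which record and whether it was allowed, and a redaction step that strips identifier-shaped substrings (SSN, MRN, email, phone) from any free-text detail before it reaches the log. The role policy, the regular expressions and the sample messages are all constructed for the example; the patterns are deliberately conservative and would need to be extended (dates of birth, account numbers, device IDs) for real data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Identifier-shaped patterns that commonly leak into log messages. Constructed
// for this example. Order matters: SSN and MRN run before the phone pattern so
// a long digit string is not misread as a phone number.
var redactions = []struct {
	re   *regexp.Regexp
	repl string
}{
	{regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), "[SSN]"},
	{regexp.MustCompile(`(?i)\bMRN[:#\s]*\d{4,}\b`), "MRN:[MRN]"},
	{regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), "[EMAIL]"},
	{regexp.MustCompile(`(?:\(\d{3}\)|\b\d{3})[-. ]?\d{3}[-. ]?\d{4}\b`), "[PHONE]"},
}

// Redact replaces identifier-shaped substrings in free text with placeholders.
func Redact(msg string) string {
	for _, r := range redactions {
		msg = r.re.ReplaceAllString(msg, r.repl)
	}
	return msg
}

// AuditEvent is the minimum an access record needs. RecordID is an internal
// key, not a patient identifier, and the audit log itself is access-controlled.
type AuditEvent struct {
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Role     string `json:"role"`
	Action   string `json:"action"`
	RecordID string `json:"record_id"`
	Allowed  bool   `json:"allowed"`
	Detail   string `json:"detail,omitempty"`
}

// policy is a constructed role-to-action table (role-based access control).
var policy = map[string]map[string]bool{
	"clinician": {"read": true, "write": true},
	"billing":   {"read": true},
}

// Authorize makes the access decision and returns the audit line that must be
// written whether the access was granted or denied. The caller's free-text
// detail is redacted before serialization, so a careless caller cannot put an
// SSN or email address into the audit trail.
func Authorize(now time.Time, actor, role, action, recordID, detail string) (bool, string) {
	allowed := policy[role][action] // an unknown role or action reads as false
	ev := AuditEvent{
		Time:     now.UTC().Format(time.RFC3339),
		Actor:    actor,
		Role:     role,
		Action:   action,
		RecordID: recordID,
		Allowed:  allowed,
		Detail:   Redact(detail),
	}
	line, err := json.Marshal(ev)
	if err != nil {
		// Unreachable for this struct; an audit line must never be silently dropped.
		panic(err)
	}
	return allowed, string(line)
}

func main() {
	now := time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)
	// Constructed calls: one permitted read, one denied write whose detail carries PHI.
	ok, line := Authorize(now, "dr.smith", "clinician", "read", "rec-42", "opened chart")
	fmt.Println(ok, line)
	ok, line = Authorize(now, "clerk.jones", "billing", "write", "rec-42",
		"tried to edit chart for patient MRN 0012345, phone (555) 123-4567, ssn 123-45-6789, jane.doe@example.com")
	fmt.Println(ok, line)
}
```

Denied attempts are logged with the same structure as granted ones; that is what lets the "monitored for unauthorized access" requirement be met by an alert on `"allowed":false` events rather than by someone reading raw application logs that may contain PHI.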

11 - How to Maintain HIPAA Compliance

In order to maintain HIPAA compliance long-term, IT leaders need to develop a compliance program that provides not only the technical safeguards required by HIPAA but also the policies, procedures and training needed to ensure that all employees know their responsibilities under HIPAA.

The compliance program should include:

  • An inventory of all systems that contain PHI
  • A risk analysis of all systems that contain PHI
  • Policies and procedures for handling PHI
  • Training for all employees who have access to PHI
  • A process for monitoring compliance
  • Regular audits of systems that contain PHI
  • Incident response and breach notification procedures, plus a contingency (backup and disaster recovery) plan so PHI remains available after an outage

The compliance program should be reviewed on a regular basis and updated as needed to reflect changes in the law or changes to the way the organization handles PHI.

Keeping up with HIPAA compliance can be a challenge, but it's important to remember that the goal of the law is to protect the privacy of patients. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.

 

12 - HIPAA Developer Checklist: HIPAA Mobile App Security

When it comes to mobile applications and HIPAA compliance, developers need to take extra care to ensure that the apps they create are secure. Here is a checklist of things to consider when creating a HIPAA-compliant mobile app:

  • Encrypt PHI in transit and, if any is held on the device, at rest, keeping the keys in the platform keystore.
  • Use strong authentication methods, such as two-factor authentication.
  • Avoid storing PHI on the device; where a local cache is unavoidable, encrypt it and clear it when the session ends.
  • Do not send PHI over unsecured channels, such as SMS or email.
  • Make sure that the app has a clear security policy.
  • Train employees on how to use the app securely.
  • Monitor app usage and activity logs.
  • Perform regular security audits of the app.
  • Update the app regularly to address security vulnerabilities.
  • Have a plan in place for what to do in case of a data breach.

By following these tips, developers can help ensure that their mobile apps are compliant with HIPAA and protect the privacy of patients.

 

13 - HIPAA Rules: Privacy, Security and Breach Notifications

The Breach Notification Rule requires covered entities to provide notification following a breach of unsecured protected health information, meaning PHI that was not encrypted or destroyed to HHS standards. A covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery, must notify HHS, and, when a breach affects more than 500 residents of a state or jurisdiction, must also notify prominent media outlets. A business associate must notify the covered entity of any breach it discovers so the covered entity can meet these deadlines.

The Security Rule requires covered entities to put in place safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.

The Privacy Rule establishes national standards for the protection of PHI. It gives individuals the right to access and amend their health information, and sets limits on who can use and disclose PHI.

 

14 - Which healthcare apps should comply with HIPAA rules?

HIPAA compliance is required for any healthcare app that handles PHI for a covered entity or business associate. This includes apps used for medical appointments, prescriptions, health records and billing. In general, if an app's data can identify a patient and relates to their health, care or payment, and the app is offered by or on behalf of a covered entity, it must comply with HIPAA.

 

15 - Deploying a custom software development project on a HIPAA compliant software environment

The final stage is to deploy the solution. This is where you will need to consider how the solution will be deployed and hosted.

There are many hosting options for a HIPAA workload: on-premises, cloud-based, or a hybrid solution. We typically recommend AWS and Azure, because both publish lists of HIPAA-eligible services and will sign a BAA. Keep in mind that no cloud is HIPAA compliant out of the box: the provider secures the underlying infrastructure, but you remain responsible for configuring encryption, access control, logging and backups for your own workloads, and only the services covered by the BAA may be used to process or store PHI.

And lastly, but most importantly, AWS and Azure will sign a BAA, which is a requirement before any PHI is placed with them.

Conclusion

Although HIPAA compliance may seem daunting, it is important to remember that there are many resources available to help you achieve and maintain compliance. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.

By following the tips in this blog post and working with a knowledgeable HIPAA consultant, you can be confident that your practice is on solid ground with the HIPAA regulations. Have you had any experience with HIPAA compliance? What tips would you add?