What you should know about HIPAA compliance when developing healthcare mobile apps, web portals, cloud servers, etc.!
Overview
When architecting healthcare mobile apps and software systems it is imperative to have a thorough understanding of HIPAA compliance, and of the safeguards and implementations that software systems must provide to ensure the privacy and security of ePHI (electronic Protected Health Information).
“HIPAA compliance is a set of federally mandated minimum security and privacy standards that must be complied with to ensure confidentiality, integrity and availability of ePHI”.
HIPAA stands for Health Insurance Portability and Accountability Act, passed by the US Congress in 1996. The original intent of HIPAA was to simplify and reduce administrative overhead, leading to incremental insurance and healthcare reform.
In 2009, with health data increasingly being recorded in electronic form, HIPAA was expanded by the ARRA (American Recovery and Reinvestment Act) through the HITECH Act (Health Information Technology for Economic and Clinical Health).
The HITECH Act expanded the scope of privacy and security protections available under HIPAA, allowing for enhanced enforcement and increased penalties for non-compliance.
Today HIPAA deals with Security and Privacy of ePHI (electronic Protected Health Information). HIPAA Security and Privacy Standards are the federally mandated “minimum floor” rules to ensure Confidentiality, Integrity and Availability of ePHI.
HIPAA and Healthcare Apps
Adherence to HIPAA is federally mandated for any organization that provides IT services to the healthcare industry (e.g. managing IT infrastructure, mobile app development, web portal development, architecting cloud solutions etc.) and in doing so creates, receives, maintains, interacts with, stores, or transmits ePHI.
Thus, HIPAA compliance is not just for healthcare organizations (e.g. hospitals, doctors' offices, insurance companies etc.), but applies to IT organizations that work with ePHI. A healthcare organization utilizing the services of an IT organization or subcontractors must have a “Business Associate” contract in place, to ensure that the partnering IT firm is HIPAA compliant.
Understanding HIPAA
The HIPAA standards ensure Confidentiality, Integrity and Availability of ePHI. HIPAA safeguards are divided into the following three categories,
- Physical Safeguards (4 standards, 8 implementations): Defines policies and procedures on workstation use and limited physical access to hardware and facilities (e.g. workstation locations, servers and devices) that contain ePHI.
- Technical Safeguards (5 standards, 7 implementations): Defines policy and procedures in relation to technology and its use when dealing with ePHI.
- Administrative Safeguards (9 standards, 21 implementations): Defines the overall policies and procedures that an organization must have in place to establish a corporate culture of HIPAA compliance.
Each of these safeguards has appropriately defined security standards. Out of the 18 standards, 12 have defined implementations and 6 do not.
The standards and implementations may be Required (R) or Addressable (A).
- Required (R): means that the particular standard or implementation is mandatory.
- Addressable (A): means that the particular standard or implementation must be reasonably assessed and applied. If it is not directly implemented, then an alternative must be supplied (and the reasoning documented) to ensure that the requirement is still met. Note that Addressable does not mean “optional”.
The Technical and Physical safeguards provide direct guidance on the processes and best practices that must be included as part of the software development process and the final product (mobile app, web portal etc.).
The Administrative safeguards provide overall guidance on the best practices and organizational policies that must be in place.
Making your product HIPAA Compliant!
To ensure that software (whether it is a web portal, a cloud based system, a remote server, or a mobile app) is HIPAA compliant, the following standards must be implemented.
Technical Safeguards
Technical safeguards consist of the following 5 standards,
Access Control
The Access Control standard defines technical policies and procedures to allow only authorized persons to access ePHI. It contains the following implementations
Unique User Identification (R)
- Software systems must provide unique identification, for identifying and tracking user identity.
- This means that every user of the system must login using their own login credentials, and login credentials must not be shared between multiple users.
- Employees of a firm must not use a shared username password to login to a healthcare web portal or app, but each individual must have their own unique login credentials that they must use to login.
Emergency Access Procedures (R)
- Implement the ability to access the necessary ePHI during an emergency (e.g. when the normal authentication path is unavailable), with the emergency access itself logged.
Automatic Logoff (A)
- The system must automatically log off the user after a defined interval.
Encryption and Decryption (A)
- All ePHI that is stored either locally on the device (mobile app or computer) or on a server (remote server, cloud etc.) must be encrypted at rest.
Audit Controls (R)
- Software systems must implement hardware, software or procedural mechanisms, that record and examine activity in information systems containing ePHI.
- Audit logs with verifiable audit trail must be implemented.
- On the procedural side, organization must examine the audit logs at regular intervals.
Integrity
Integrity standard is meant to ensure that ePHI data is not unintentionally modified or corrupted. It consists of the following implementation
Mechanism to authenticate ePHI (A)
- Software systems must implement mechanisms that ensure the integrity of ePHI. Most hardware and cloud services support this by providing robust storage mechanisms.
- If the data is being stored locally on a mobile device or computer, checksums may be added as an additional safeguard to ensure data integrity.
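The “verifiable audit trail” from the Audit Controls standard and the local checksum from the Integrity standard can be built with the same primitive. The following is an added example (not code from the original post): each audit event's hash covers the previous event's hash, so editing or deleting an earlier event breaks every later link; the record layout, user names and function names are constructed for illustration.

```python
# Added example (not from the original post): a hash-chained audit log plus a
# per-record checksum. Names, record layout and sample data are constructed.
import hashlib
import hmac
import json
from typing import Any, Dict, List

def _canonical(obj: Any) -> str:
    """Deterministic JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def record_digest(record: Dict[str, Any]) -> str:
    """SHA-256 checksum of a locally stored ePHI record (integrity safeguard)."""
    return hashlib.sha256(_canonical(record).encode("utf-8")).hexdigest()

GENESIS = "0" * 64  # prev_hash of the very first audit event

def append_audit_event(chain: List[Dict[str, Any]], user: str, action: str,
                       record: Dict[str, Any]) -> Dict[str, Any]:
    """Append an event whose hash covers the previous event's hash, so any
    edit or deletion of an earlier event breaks every later link."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    event = {"seq": len(chain), "user": user, "action": action,
             "record_digest": record_digest(record), "prev_hash": prev_hash}
    event["hash"] = hashlib.sha256(_canonical(event).encode("utf-8")).hexdigest()
    chain.append(event)
    return event

def verify_audit_chain(chain: List[Dict[str, Any]]) -> int:
    """Return the index of the first tampered or missing event, or -1 if intact."""
    prev_hash = GENESIS
    for i, event in enumerate(chain):
        body = {k: v for k, v in event.items() if k != "hash"}
        expected = hashlib.sha256(_canonical(body).encode("utf-8")).hexdigest()
        if (event.get("prev_hash") != prev_hash or event.get("seq") != i
                or not hmac.compare_digest(expected, str(event.get("hash", "")))):
            return i
        prev_hash = event["hash"]
    return -1

def demo() -> tuple:
    """Build a two-event trail, then rewrite the first event and re-verify."""
    patient = {"patient_id": "P-0001", "dob": "1980-01-01", "allergies": ["penicillin"]}
    chain: List[Dict[str, Any]] = []
    append_audit_event(chain, "nurse.jones", "VIEW", patient)
    append_audit_event(chain, "dr.smith", "UPDATE", {**patient, "allergies": []})
    before = verify_audit_chain(chain)          # -1: intact
    chain[0]["user"] = "someone.else"            # tamper with history
    return before, verify_audit_chain(chain)    # (-1, 0)
```

In production the chain head (the latest hash) should be copied somewhere the application cannot overwrite, such as a write-once log store, so that a full rewrite of the chain is also detectable.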
Person Authentication (R)
This standard is meant to ensure that the person who is logging into the system is indeed the person they say they are.
- Person authentication is satisfied by ensuring that every person logging into the system has unique login credentials. Additionally, multi-factor authentication may be implemented to provide enhanced authentication.
- For mobile apps, device features such as Touch ID or Face ID, or an additional unique PIN, may be used to enhance person authentication.
Transmission Security
This standard defines specifications for transmitting ePHI over the Internet or any communication network. It contains the following implementations
Encryption(A)
- All ePHI data transmitted between devices over a network must be encrypted.
- For web portals, all sites must have a valid security certificate and must be served over HTTPS.
- All transmitted data must be encrypted using TLS v1.2 with SHA-256 based cipher suites (SHA-256 is a hash function used for integrity and signatures, not an encryption algorithm).
Integrity Controls(A)
- Mechanisms to ensure that the transmitted data was not altered in any way.
- Integrity control mechanisms are already present in the transport layer of communication networks: checksum algorithms ensure the integrity of the data packets being transmitted. Such checksums only detect accidental corruption; protection against deliberate tampering comes from the TLS layer described above.
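The transmission-security points above are easy to get wrong in a client that talks to the portal or API. As an added example (not code from the original post), the block below places a hardened TLS client configuration beside the weak settings that commonly creep in, and a small check that flags them before release; the function names are assumptions, and the check uses only the standard-library ssl module.

```python
# Added example (not from the original post): a hardened TLS client context
# beside a weak one, plus a check that flags settings that violate the
# transmission-security requirement. Function names are assumptions.
import ssl
from typing import List
from urllib.parse import urlsplit

def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname; refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """Typical 'make the warning go away' settings that must not ship with ePHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # accepts a cert issued for any host
    ctx.verify_mode = ssl.CERT_NONE              # accepts any cert at all
    return ctx

def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings

def require_https(url: str) -> str:
    """ePHI endpoints must be https; reject anything else before a request is made."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise ValueError(f"refusing to send ePHI over a non-HTTPS URL: {url!r}")
    return url
```

Run audit_tls_context against every context the app constructs as part of the build's test suite, so a developer cannot quietly disable verification to get past a staging certificate problem.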
Physical safeguards
Physical safeguards define standards that control access to areas where healthcare data is stored or viewed. It consists of 4 standards,
Facility Access Control
- Physically limit access to the facility which contain systems on which ePHI can be accessed or stored, to those who require the necessary level of access.
- Define policies and procedures for accessing the hardware and equipment in those facilities, to prevent unauthorized access, tampering, or theft of equipment.
- Define policies that control physical access to location for visitors etc.
- Maintain records of all repairs to door locks, hardware, security.
Workstation Use
This encompasses any device that is potentially used as a workstation including computers, laptops, smart phones, tablets etc.
- Users must log off before leaving the workstation unattended.
- Antivirus software should always be kept up to date.
- Portable devices that leave organization premises may have limits on the amount of sensitive data stored on them.
Workstation Security
- Position monitors such that they cannot be viewed by casual passers-by.
- Systems must have password enabled screensavers.
- Disposal of media that contained ePHI should include a low-level data wipe to ensure that all sensitive data is removed.
- In case of mobile apps, any related healthcare data must be completely deleted from the device when the app is deleted from the device.
- In case of servers that house sensitive ePHI, regular offsite backups must be taken which are an exact copy of the data.
- Data backups should be taken before moving a server equipment that stores ePHI.
- A record must be maintained of all the hardware and cloud servers which house ePHI data, and of the person responsible for each.
Administrative safeguards
Administrative safeguards are corporate policies and procedures that manage the selection, development, implementation and maintenance of security measures to protect ePHI. It consists of the following 9 standards,
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts
From a software development perspective,
- Information Access Management has a direct relation. It is important when developing software systems to provide access to only relevant ePHI information to allow the user to accomplish their job functions.
- Thus ePHI should have layered access such that specific user entities should have access only to that ePHI that is relevant to their job functions and should not have access to the other ePHI information for that patient.
- Overall within an organization there must be regular security awareness training so that developers, software engineers, managers etc. are all aware of the security policies with respect to ePHI data.
- There should also be a contingency plan in place, for how to contain any data breaches, and notify the relevant parties if required.
- There should be organization policies defined for regular backups of the ePHI data, and regular auditing of the security procedures and activity logs.
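The layered, job-function based access described above can be enforced in code as a deny-by-default field policy. The following is an added example (not code from the original post): the role names, the fields and the sample record are constructed, and the two functions show the same policy applied to a whole-record view and to a single-field read.

```python
# Added example (not from the original post): a deny-by-default, per-role
# field policy that returns only the "minimum necessary" part of a patient
# record. Role names, fields and the sample record are constructed.
from typing import Any, Dict, FrozenSet

class AccessDenied(Exception):
    """Raised when a role has no policy or requests a field it may not see."""

# Each role lists only the ePHI fields its job function actually requires.
ROLE_FIELD_POLICY: Dict[str, FrozenSet[str]] = {
    "scheduler": frozenset({"patient_id", "name", "next_appointment"}),
    "billing":   frozenset({"patient_id", "name", "insurance_id", "balance_due"}),
    "clinician": frozenset({"patient_id", "name", "dob", "diagnoses",
                            "medications", "next_appointment"}),
}

def minimum_necessary_view(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return a copy of `record` containing only the fields `role` may see.
    Unknown roles get an error (deny by default) rather than the full record."""
    allowed = ROLE_FIELD_POLICY.get(role)
    if allowed is None:
        raise AccessDenied(f"no access policy defined for role {role!r}")
    return {field: value for field, value in record.items() if field in allowed}

def read_field(record: Dict[str, Any], role: str, field: str) -> Any:
    """Single-field read that enforces the same policy (use it in API handlers)."""
    if field not in ROLE_FIELD_POLICY.get(role, frozenset()):
        raise AccessDenied(f"role {role!r} may not read {field!r}")
    return record[field]

SAMPLE_RECORD: Dict[str, Any] = {  # constructed sample, not real patient data
    "patient_id": "P-0001", "name": "A. Patient", "dob": "1980-01-01",
    "diagnoses": ["J45.20"], "medications": ["albuterol"],
    "insurance_id": "INS-55", "balance_due": 120.0, "next_appointment": "2024-06-01",
}
```

Every AccessDenied raised here is also a natural place to write an audit event, since a denied read of a field outside a user's role is exactly what the periodic log review is meant to catch.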