Source: Pixabay HIPAA & Medical Data Security for Web Developers If your company deals in healthcare and stores information about a person’s health, there’s a good chance you’ll have to abide by HIPAA. What is HIPAA, how do you stay in compliance? Let’s look at how HIPAA affects your website. What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 . It mandates an industry-wide standard for healthcare information regarding billing processes, and also “requires protection and confidential handling of protected health information,” according to the California Department of Healthcare Services. protects patients data The HIPAA Privacy Rule, , protects ‘“individually identifiable health information” held or transmitted by a covered entity or its business associated, in any form or media, whether electronic, paper, or oral.” In short, if you hold on to any kind of information related to a patient’s health that could identify them, it falls under HIPAA protection. according to the Department of Health and Human Services For example, a healthcare marketing agency requires call tracking to be fully HIPAA-compliant, but can . Pulling the data for AdWords, Analytics, and for client reports could, in theory, expose the information of the client, and thus falls under HIPAA. still integrate the call tracking with Google AdWords and Analytics Who Needs to be HIPAA Compliant? Does your app or site need to be HIPAA compliant? Maybe. If it, for example, allows a patient to record their weight, and then develop an exercise routine, maintain a daily diet plan and track said plan, or look up reference information, then it probably does not need to be compliant. However, if your business is an associate of a healthcare provider, or a provider has contracted your company to create an app and associated website, then you must comply with HIPAA privacy laws. The HHS of whether your app or website will need to be compliant, as well. provided a few other examples Non-Compliance Consequences Consequences for non-compliance can be heavy. As the , a category 1 violation, which could not have realistically been avoided and measures were taken to abide by compliance rules, results in an up to $50,000 fee with a minimum fine of $100 per violation. Category 2, where the violation could not be avoided but the company should have been aware of is the same, but with a fine of at least $1,000 per violation. Category 3, willful neglect but with an attempt to correct it comes with a minimum fine of $10,000 per violation, up to $50,000. Finally, a category 4, willful neglect with no attempt at correction, results in a minimum fine of $50,000 per violation, up to $1.5 million. University of Cincinnati notes There can also be association jail time, from up to a year for a tier 1 violation such as no knowledge of the violation, to a tier 3 violation of obtaining personal information with malicious intent carrying up to 10 years in jail. GDPR You might also need to comply with the , the EU’s new privacy laws. One of the major takeaways is that you will need to provide a detailed list of all the information your site has collected or stored on a person. There are, of course, plenty of other rules from the GDPR concerning how data on your site is stored, backed up, and accessed. Be sure to check your compliance. General Data Protection Regulation How to Be Secure How do you protect your company and ensure you are in compliance with HIPAA? Most of the advice is, in general, good security advice. : Lost or stolen devices that could be used to store or access confidential data; hacking; employee dishonesty, such as accessing information they are not authorized to access; improper disposal of information; third-party disclosure without determining if the third party is also in compliance; unauthorized release of patient records; unencrypted data; lack of training; unsecured records; and word of mouth, such as discussing sensitive information outside of a confidential setting. Duquesne University lists the following as the top HIPAA violations Again, many of these have simple fixes. Your database of information should be encrypted and secured. Employees with access to patient records should use , and only employees with an absolute need should be granted authorization to access the data. complex passwords On the client end, utilize and where needed to prevent breaches. Changing from HTTP to HTTPS by using an will protect the transmission of sensitive health data. Ensure you are using a strong encryption. two-step authentication e-signatures SSL certificate If there is a breach, it’s important to follow , notifying affected individuals. If more than 500 individuals are affected, you must notify the media and the HHS Secretary. HIPAA Breach Notification Rules
