Hackernoon logoYour Guide To HIPAA IT Compliance (Plus A Security Checklist) by@stfalconcom

Your Guide To HIPAA IT Compliance (Plus A Security Checklist)

Author profile picture

@stfalconcomoleksandra liubytska

Marketing Specialist

In this article, we will analyze the American Health Insurance Portability and Accountability Act (HIPAA) and HIPAA compliance software requirements. The article will be useful for the developers of medical software for the USA market. We will discuss:

  • What kind of¬†information needs protection according to¬†HIPAA;
  • How exactly HIPAA regulates data protection;
  • What it¬†has to¬†do¬†with¬†IT companies;
  • What the consequences of¬†HIPAA violation are;
  • How to¬†meet HIPAA compliance software requirements;
  • What pitfalls you should be¬†aware of¬†when developing HIPAA compliant solutions;
  • How HIPAA software security requirements correlate with European legislation.

We will also provide you with a HIPAA compliance checklist for information technology companies.

Software development goes hand-in-hand with enforcing legislation of a particular country. Non-compliance to the law can lead to serious consequences, including penalties and bans on software use. The software is regulated at the national level in the Healthcare industry. Each country has its own regulatory documents for the development of medical digital solutions. They are, for example, HIPAA in the USA, GDPR in Europe, PIPEDA in Canada, and so on. Observing these standards is important for successful software implementation and circulation.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was first put into effect in 1996. Its task was to modernize the flow of health-related data and to protect it from fraud and theft. Since then, the Act has undergone a number of changes (with the latest being put into action in 2020). The HITECH Act adopted in 2009 expanded HIPAA regulations in the sphere of technology use.

HIPAA compliance regulations constitute a set of regulatory standards that outline the lawful use of protected health information (often abbreviated as PHI). Companies that deal with such information should ensure that sensitive patient data is not misused. They should imply administrative, physical, and technical safeguards, as well as specific technical policies, and network security.

Administrative safeguards are policies and procedures bound to the security management process. They include risk analysis and management, workforce security, information access management, and security awareness and training.

Physical safeguards stand for physical actions that ensure facility access limitations. Such limitation is set on transferring, disposing of, removing, and reusing electronic protected health information (ePHI).

Technical safeguards include best practices for protecting data and systems with the help of technology. They control access to ePHI so that only authorized users can deal with sensitive patients’ data. Technical safeguards include network encryption, access control, activity audits control, integrity, person or entity authentication, and transmission security.

Technical policies include integrity control, IT disaster recovery, and offsite backup procedures. They ensure quick remediation of electronic media errors or failures and accurate recovery of patients’ data.

Network security concerns various methods of data transmission via the Internet or private networks.

What Kind of Health Information Needs Protection?

Protected health information (PHI) is any demographic information that can be used to identify a person. It includes any structured and unstructured data, such as names, addresses, emails, phone numbers, medical records, bank accounts, billing information, insurance information, video, audio chats, photos, scans, etc.

Since nowadays most of the operations with patient’s data are computerized, the new term, electronic protected health information (ePHI) is used. Common examples of ePHI applications are computerized physician order entry systems (CPOE), electronic health records (EHR), therapeutic apps, and various telemedicine solutions. Companies include ePHI associated with their activities into their HIPAA compliance requirements checklists.

How does HIPAA Regulate Data Protection?

As at present, HIPAA constitutes a set of rules, such as Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, Enforcement Rule, Minimum Necessary Rule, Access Controls, etc. On the ground of these rules, providers form their HIPAA compliance audit checklist, which developers of IT solutions should be aware of.

The HIPAA Privacy Rule is also known as Standards for Privacy of Individually Identifiable Health Information, this Rule sets standards for patients’ rights concerning PHI. They include the right to access PHI, the right to receive a notice of privacy practices, etc. These standards also give recommendations for privacy training and corruption prevention.

The HIPAA Security Rule is also referred to as the Security Standards for the Protection of Electronic Protected Health Information, this Rule sets standards for secure maintenance, transmission, and handling of ePHI. It outlines administrative, physical, and technical safeguards that all healthcare providers should meet. HIPAA Security Rule, especially technical safeguards listed in this Rule, is of great importance for software developers.

The HIPAA Breach Notification Rule describes steps companies should follow in case of a data breach. It outlines the notification process and describes the necessary elements of the breach notification message.

The HIPAA Omnibus Rule outlines the rules for Business Associate Agreements, the contracts that must be executed before transference of the data.

The HIPAA Enforcement Rule governs the investigations following a breach of PHI and penalties imposed for safety procedures violation.

The Minimum Necessary Rule states that employees should only have access to the minimum PHI needed to perform their job duties.

What does HIPAA have to do with IT Companies?

HIPAA data security requirements apply to two categories of organizations: covered entities (these include healthcare providers, etc.) and business associates (organizations or individuals who act as vendors or subcontractors and in this role have access to PHI).

Business associates group comprises of data processing and data storage companies, data transmission providers, etc. A healthcare provider should enter into a Business Associate contract with you, and you also become responsible for meeting HIPAA software security requirements.

HIPAA Violation Consequences

HIPAA compliance is obligatory for all healthcare providers on the territory of the USA. Any violation of HIPAA regulations is subject to penalties. HIPAA Enforcement Rule describes four levels of regulations violation, from unaware violation to willful neglect unmitigated within 30 days. The fines vary from $100 to $50,000 USD.

Apart from monetary sanctions, HIPAA compliance regulations violation can have a significant negative effect on the provider’s reputation. Companies that violate HIPAA can face sanctions from professional boards and face criminal charges up to imprisonment. The most common violations in terms of the software include the lack of protection of patients’ records, inability to access patients’ records, misuse, and unauthorized disclosure of PHI. You may also use HIPAA compliance reports as a guideline.

HIPAA Compliance Regulations and Software Development

For IT companies specializing in the development of medical digital solutions, HIPAA compliance is crucial. Yet, it might be difficult in the beginning to understand how all the above-mentioned regulations relate to software development. So, let’s translate them into software features mandatory for the HIPAA security compliance checklist.

Documentation processing mode

Documenting every single step is an inevitable routine for medical professionals. Efficient software facilitates documentation processing and secures data storage.

Utilized audits

Regular audits are an integral part of the healthcare providers’ work. Thus, medical companies need utilized audits that help to analyze risks and errors in data processing. HIPAA regulation does not identify what exact data should be audited or how often the audit control should take place. So, rely on the specificity of the client’s business as a guideline.

Remediation plan

According to HIPAA compliance regulations, every business dealing with PHI should have a recovery plan in case something happens to patients’ data. It should cover major tasks for securing data, a plan for preventing security risks, and documentation on completed and scheduled safety procedures.

Meeting Omnibus Rule regulations

In case a healthcare provider has contractors managing ePHI, the company’s software should be able to monitor the agreements connected with entrusting clients’ data to business associates.

Security

Good software should prevent data breaches, and create automated reports in¬†case of¬†unwelcome interference. A¬†key component of¬†secure health data management is¬†data encryption. For health solutions, encrypting data ¬ęon¬†the wire¬Ľ and ¬ęat¬†rest¬Ľ is¬†a¬†good option, though, some companies divide data between PHI and non-PHI systems and apply higher security standards to¬†the former.

Emergency access procedure

Facilities for informing staff and patients in case of threats and emergencies should be utilized. Unique user authentication for HIPAA compliant software, multi-factor authentication (at least, two-factor) is strongly recommended. It is better if the system eliminates the possibility of accessing an account from multiple locations or devices simultaneously.

Role-based access control

Though the way to meet the HIPAA access control standard is not specified in the documentation, it is easiest to meet HIPAA data security requirements with role-based control. According to this method, each user’s role allows access only to such amount of data that is necessary to perform the corresponding job duties.

Automatic logoff

The screen should automatically log off when left unattended for a certain period to prevent unauthorized access to data. It better if this feature is implemented into configuration settings.

Solution comprehensiveness

Health solutions should be comprehensive and user-friendly for medical staff. It will prevent unintentional violations of security procedures and data breaches.

Potholes in the Development of HIPAA Compliant Software

Meeting all above mentioned HIPAA software requirements is an important step towards high-quality software development. Yet, you should understand that mere implementation of these features will not necessarily prevent you and your client from HIPAA violation. You need to make it clear for the client that, when used improperly in clinical settings, the solution can fail to maintain HIPAA compliance regulations even if it comprises all necessary features.

The medical staff should be instructed and trained to use clinical software. Strong and long-lasting technical support is also highly recommended. Some experts also warn about the security threats that can occur in the case of scaling digital healthcare solutions. It is important to consider HIPAA compliant server requirements for information storage.

HIPAA and European Healthcare Software Regulations

You should take into account HIPAA regulations only govern developing digital solutions for the USA. To improve clarity, let us see how it corresponds to European standards.

In the European Union, data protection is ensured by the General Data Protection Regulation (GDPR). The GDPR covers all data from which a person can be identified, whether directly or indirectly. Thus, GDPR covers a larger amount of data compared to HIPAA data security requirements, including ethnic origin, religious beliefs, sexual orientation, etc.

In terms of health data, GDPR and HIPAA are similar, though while HIPAA is mostly focused on organizations that handle PHI within the USA, GDPR has a much broader scope of coverage and protects the personal data of European citizens -- not only on the territory of the EU but elsewhere.

This is, by the way, an important notion for American healthcare organizations that handle EU patients’ information. Does it impose any additional demands on software development in Europe compared to the USA? Indeed, yes. Consider, for example, such interesting obligatory functions as pseudonymization by default or the right to be forgotten. But this is a good topic for another article. So far, it will be enough to understand that different countries have different legislation overlapping software development.

HIPAA Compliance Software Checklist for Developers

So, here is a HIPAA data security checklist we use in our practice. It contains the following features:

  • Is unique user authentication applied to track user activity with PHI?
  • Does access control mode restrict users‚Äô access to PHI that they don‚Äôt need for performing their job duties?
  • Is there a recovery plan and does it envisage any possible incidents?
  • Does emergency access mode provide appropriate access to ePHI in the case of an emergency?
  • Do activity logs and audit controls function properly and correspond to the specificity of the client‚Äôs workflow?
  • Does the solution have an automatic logoff feature?
  • Is the integrity of data ensured?
  • What data encryption and decryption mechanisms are applied? Are they relevant?
  • Can data be easily restored? How is data backup organized?

To Sum Up

The development of reliable healthcare solutions that comply with national regulations is not an easy thing. One should keep in mind various requirements and features.

Previously published at https://stfalcon.com/en/blog/post/hipaa-itcompliance

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.