You’ve coded up this amazing piece of software that is perfect for the healthcare market. The fact that the industry’s footprint is more than $3.8 billion in the United States alone has got you seeing dollar signs.
The only problem is that your potential customers will only consider HIPAA compliant software, and you aren’t sure where or how to get started in making your product HIPAA compliant.
Reading the HIPAA regulations on the Department of Health and Human Services (HHS) website raises more questions than answers. What do you do? To help, we’ve prepared four things to consider as you work toward understanding and implementing HIPAA compliance.
A Developer’s Guide to Creating HIPAA Compliant Software – Facts vs. Myths
The first thing to determine is whether or not your business needs to be HIPAA compliant. If your software does not interact with protected health information (PHI) in any way, you can stop reading right now.
If it does, understand that there is no such thing as “HIPAA Compliant Software.” It’s not about the software; it’s about the organization that created it.
A Developer’s Guide to Creating HIPAA Compliant Software – Understanding the Process
The most important thing to remember as you begin the process of becoming HIPAA compliant is this: you either are compliant, or you are not. The HIPAA regulations are very specific about this. There is no such thing as “almost” HIPAA compliant.
The HHS has defined seven elements of HIPAA compliance that must be present.
They are:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
That doesn’t sound too difficult. But as an old saying goes, “the devil is in the details.”
A Developer’s Guide to Creating HIPAA Compliant Software – Working the Process
HIPAA compliance starts with a security risk assessment (SRA) to give you a snapshot of where you currently are in regards to data privacy and security. For a vendor supplying products or services, a complete SRA is composed of five mandatory audits:
- Asset and Device Audit
- IT Risk Analysis
- Physical Site Audit
- Security Standards Audit
- HITECH Subtitle D Privacy Audit
The information derived from these audits allows you to identify and remediate gaps.
Next, you need to have policies and procedures that support and enhance your remediation efforts. You need to provide training on those policies and procedures for all employees and maintain records of the training to prove it was done (in case of a HIPAA audit).
You also need to have signed business associate agreements (BAAs) with any of your vendors that may interact with the PHI your customer has entrusted to you and be willing to sign BAAs with your customers. If you have PHI on your physical or cloud-based servers, you are considered to be a business associate. It doesn’t matter how the data is encrypted or who holds the encryption keys.
You have to have procedures in place for incident management and breach notification, as well as a system that permits employees to report potential breaches anonymously.
Finally, you have to do this every year. If you need to make changes, your policies and procedures must be updated, and those changes must be tracked.
A Developer’s Guide to Creating HIPAA Compliant Software – Final Thoughts
If your product is a Software as a Service (SaaS), you must also address vulnerability management and your hosting environment. HIPAA requires ongoing vulnerability management as a condition of compliance.
This should include security testing to verify that everything is protecting the application appropriately in both static and dynamic contexts. It’s also wise to include penetration testing through a third party, particularly if the provider has HIPAA expertise.
If parts of your software were built with modules from different sources and you did a “plug-and-play” with them, you must ensure that your ongoing vulnerability management includes those modules as well. That requires more than just scheduled patches and updates.
You must monitor and scan for vulnerabilities so you can address them as they arise. The alternative is to watch the news around the clock and maintain a list of every module you have used in your head.
Selecting a HIPAA compliant hosting environment for ePHI is the correct first step, but that’s only the beginning. You must address the technical and administrative aspects of the HIPAA Security Rule. You also have to implement network and application security best practices to protect the ePHI you hold.
If you’re looking for more resources to guide you through the HIPAA compliance process, the Federal Trade Commission has a Mobile Health Apps Interactive Tool. You can also find Guidance on HIPAA and Cloud Computing on the HHS website.
