Are You Developing a HIPAA Compliant App?
HIPAA was enacted in 1996 to set regulatory standards outlining the lawful use and maintenance of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. HIPAA regulation is best implemented through a culture of compliance that healthcare organizations must incorporate into their business operations in order to protect the privacy and security of PHI.
However, HIPAA compliance does not apply only to healthcare providers, known as covered entities under the law. The regulation also identifies business associates. A business associate is any organization that provides services involving the use of PHI to another HIPAA-regulated entity. That includes any organization that provides IT services, IT infrastructure, mobile app development, or web portal development, to name a few. HIPAA regulation requires that a business associate agreement (BAA) be executed before any information is shared with a business associate, including healthcare apps that maintain ePHI.
In addition to properly executing BAAs, HIPAA compliant healthcare apps must also address the Seven Fundamental Elements of an Effective Compliance Program.
The Seven Fundamental Elements of an Effective Compliance Program represent the barebones requirements that HIPAA compliant apps must have in place in order to address HIPAA privacy and security standards. The Seven Elements include:
- Implementing written policies, procedures and standards of conduct
- Designating a compliance officer and compliance committee
- Conducting effective training and education
- Developing effective lines of communication
- Conducting internal monitoring and auditing
- Enforcing standards through well-publicized disciplinary guidelines
- Responding promptly to detected offenses and undertaking corrective action
The HIPAA Security Rule sets specific standards for maintaining the confidentiality, integrity, and availability of PHI. HIPAA compliant apps that aim to protect ePHI must implement the standards in the following three categories of HIPAA security safeguards:
- Technical safeguards deal with cybersecurity and network infrastructure, such as firewalls, encryption, and malware protection.
- Physical safeguards are the protections to limit and control access to physical work sites where ePHI is housed or maintained, such as locks or alarm systems.
- Administrative safeguards are all about policies, procedures, documentation, and staff training to ensure that the workforce is properly following security standards throughout the organization.
When it comes to developing a HIPAA compliant app, various components of the technical and physical safeguards demonstrate what must be included throughout the software development process.
Making Your App HIPAA Compliant!
Regardless of whether you are running a healthcare practice or developing a HIPAA compliant app, you must address the following standards to ensure that you are protecting sensitive data.
HIPAA Technical Security Safeguards include:
Access controls allow only authorized persons to access ePHI. The required implementations include:
- Unique User Identification: Software systems must provide unique identification so that each user has their own login credentials. In addition, employees must not use a shared username or password to log in.
- Emergency Access Procedures: There must be a way to access necessary ePHI during an emergency.
- Automatic Logoff: The system must automatically log the user out of their session after a specific period of inactivity.
- Encryption and Decryption: All ePHI stored by the app or software system must be encrypted.
Audit Controls
HIPAA compliant apps must implement hardware, software, or procedural mechanisms that record and examine activity in the systems that contain ePHI.
Integrity
To ensure that ePHI within the HIPAA compliant app is not unintentionally modified or corrupted, there must be mechanisms in place to protect the integrity of the information. Integrity, as defined by HIPAA regulation, is the assurance that the information being accessed has not been damaged, lost, or in any way unintentionally modified.
Person or Entity Authentication
This standard is meant to prove that the person logging onto the system or app is actually who they claim to be.
Transmission Security
When transmitting ePHI over the internet or any other communication network, all data must be encrypted, and specific mechanisms must be implemented to ensure that the transmitted data has not been altered.
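As an added illustration (not code from the original article), the following Python sketch ties together four of the technical safeguards listed above: unique user identification, automatic logoff after inactivity, an audit trail of every access attempt, and an integrity check on each stored record. The timeout, the integrity key and the sample records are constructed assumptions; encryption at rest and in transit is left to the platform (TLS, an encrypted data store) and is not shown.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60                   # seconds idle before automatic logoff (assumed policy value)
INTEGRITY_KEY = b"constructed-demo-key"  # constructed; production draws this from a KMS or HSM


@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)    # patient_id -> {"data": ..., "tag": ...}
    sessions: dict = field(default_factory=dict)   # unique user_id -> clock of last authorised action
    audit_log: list = field(default_factory=list)  # audit controls: every access attempt is recorded

    def _audit(self, now, user_id, action, patient_id, outcome):
        self.audit_log.append({"ts": now, "user": user_id, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def _tag(self, data):
        # Integrity: keyed MAC over a canonical serialisation of the record
        canon = json.dumps(data, sort_keys=True).encode()
        return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()

    def _require_session(self, now, user_id, action, patient_id):
        # Automatic logoff: an idle session is dropped and the action is denied and logged
        last = self.sessions.get(user_id)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(user_id, None)
            self._audit(now, user_id, action, patient_id, "denied: no active session")
            raise PermissionError("automatic logoff; re-authenticate")
        self.sessions[user_id] = now

    def login(self, now, user_id):
        # Person or entity authentication is assumed to have succeeded before this call
        self.sessions[user_id] = now
        self._audit(now, user_id, "login", None, "ok")

    def put(self, now, user_id, patient_id, data):
        self._require_session(now, user_id, "write", patient_id)
        self.records[patient_id] = {"data": data, "tag": self._tag(data)}
        self._audit(now, user_id, "write", patient_id, "ok")

    def get(self, now, user_id, patient_id):
        self._require_session(now, user_id, "read", patient_id)
        rec = self.records[patient_id]
        if not hmac.compare_digest(self._tag(rec["data"]), rec["tag"]):
            self._audit(now, user_id, "read", patient_id, "denied: integrity check failed")
            raise ValueError("record integrity check failed")
        self._audit(now, user_id, "read", patient_id, "ok")
        return rec["data"]
```

The clock is passed in explicitly so the idle-timeout path can be exercised deterministically; a denied read leaves an audit entry just like a successful one, which is what an auditor will look for.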
For a healthcare organization or IT provider, physical safeguards protect ePHI against unauthorized physical access. The HIPAA physical security safeguards include:
Facility Access Control
These will physically limit access to the facility where ePHI is stored, allowing only those with authorization to access ePHI. In addition, implementing facility access control policies and procedures can prevent unauthorized users from accessing the hardware.
Workstation Use and Security
Any device used as a workstation, such as a laptop, smartphone, or tablet, must be logged off before being left unattended. Antivirus software should be kept up to date, and devices that leave the premises should have the proper technical safeguards in place.
Computer monitors should not be viewable by anyone other than the employee using the system. All systems must have password-protected screensavers.
Device and Media Controls
When disposing of software that contained ePHI, all data should be wiped to ensure that all sensitive information is removed. For HIPAA compliant apps, any healthcare data must be deleted from the device.
HIPAA Administrative Security Safeguards
These are the safeguards that govern the development, implementation, and maintenance of the security measures that protect ePHI.
- Information Access Management is important when developing HIPAA compliant apps to provide access to only relevant ePHI.
- Specific users should have access only to ePHI that is relevant to their job function and should not be able to access other ePHI for a given patient.
- There must be regular training for employees to familiarize them with security policies with respect to ePHI.
- In the event of a breach, a contingency plan must be implemented to notify affected parties.