HIPAA Compliance Checklist: Steps to Take to Become HIPAA-Compliant

Healthcare is one of the most promising business sectors. Deloitte predicts that global healthcare spending will rise at a CAGR of five percent from 2019 through 2023. And according to the Peter G. Peterson Foundation, the US spends more on healthcare per individual than other wealthy countries. 

In the era of digitalization, healthcare providers and their associates need to invest in advanced technologies to beat the competition. In the US, they also have to make sure they meet HIPAA requirements for software. If they don’t, it might cost them their business.

Why HIPAA violations could cost you a fortune

Because of the red tape, developing medical web app systems and mobile and desktop health applications isn’t as simple as developing other types of apps. This is particularly true for the US market, where medical IT solutions fall under the purview of HIPAA, an act pertaining to patient privacy and the security of medical data.

Federal civil penalties for noncompliance depend on the level of culpability behind the violation (the tiers run from a violation the entity couldn't reasonably have known about to willful neglect that isn't corrected) and range from $100 to $50,000 per violation (or per affected record), with a cap of $1.5 million per calendar year for violations of an identical provision. Those base amounts are adjusted for inflation every year, so the figures in force today are higher. You can check out a list by Compliancy Group of all HIPAA fines the Department of Health and Human Services (HHS) Office for Civil Rights imposed on healthcare organizations in 2019 and 2020 (to date).

Before you start custom healthcare software development, make sure you understand all applicable HIPAA titles, or HIPAA sections, and take them into account. 

[Figure: HIPAA violation penalty tiers]


Which medical apps need to comply with HIPAA rules?

Two criteria, shown in the graphic below, determine whether an app is regulated by HIPAA:

[Figure: criteria defining the need for HIPAA compliance]

Let’s take a closer look at each of these criteria.

Entity that uses the app

HIPAA rules apply to all types of covered entities and business associates who produce, access, process, or store protected health information (PHI).

Covered entities are health plans, healthcare clearinghouses, and healthcare providers who conduct certain financial and administrative transactions electronically (such as billing and fund transfers) for which standards have been adopted by the Secretary of Health and Human Services. If your app is intended to improve doctor–patient interactions, it will need to comply with HIPAA because doctors and the hospitals they work for are covered entities. But an app that simply helps a user follow a medication schedule doesn't fall under HIPAA if no covered entity is involved: the patient enters the information themselves, no doctor ever sees it, and the app vendor isn't handling the data on a provider's behalf.

Business associates are all entities that store, collect, process, or transmit PHI on behalf of covered entities. These include lawyers, accountants, software providers, billing firms, cloud storage providers, email encryption providers, and other vendors serving healthcare organizations. Since the 2013 Omnibus Rule, subcontractors of a business associate that handle PHI are business associates themselves, so the obligations flow down the whole supply chain.

A covered entity has to sign a HIPAA business associate agreement (BAA) with each of its business associates before PHI is shared; the agreement is what binds the associate to protect PHI and to report breaches back to the covered entity. Want to know whether a particular entity is regulated by HIPAA? Check out this documentation from the US Department of Health and Human Services.

[Figure: who has to be HIPAA compliant]

Data covered by the app

HIPAA is primarily interested in PHI: individually identifiable health information, held or transmitted by a covered entity or business associate, about a person's past, present, or future physical or mental health, the healthcare provided to them (such as a diagnosis or treatment), or payment for that care.

PHI includes two components: 

  • Medical data
  • Personally identifiable information 

Only when personally identifiable information is connected with medical data does that medical data become PHI. HIPAA's Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists 18 categories of identifiers that have to be removed before health data stops being PHI, among them names, geographic units smaller than a state, all date elements except the year, phone numbers, email addresses, Social Security and medical record numbers, IP addresses, biometric identifiers, and full-face photographs.

Take, for instance, an app that helps physicians diagnose skin diseases by studying de-identified images. Such an application doesn't deal with PHI, as it's impossible to identify the patients. Two caveats: a full-face photograph is itself one of the listed identifiers, and image metadata (EXIF GPS coordinates, capture timestamps) can re-identify an otherwise anonymous picture, so strip it before the image leaves the clinical system. And if you attach a patient's name or address to an image, all of this information becomes PHI.

In short, if the information stored and shared in an app is individually identifiable (e.g. if an app contains a profile with a user's first and last name that can be traced back to a particular patient), then the app must comply with HIPAA requirements. The same applies when the sensitive data is stored on a third-party server: outsourcing storage doesn't remove the obligation, it makes the hosting provider a business associate that needs its own agreement.
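The distinction between identifiable and de-identified data is easier to see in code. The following is an added example, not code from the original article or from Yalantis: it applies the Safe Harbor rules to a constructed patient record, detecting identifier fields (including identifiers that leak into free-text notes) and then stripping or generalizing them. The field names, the sample record, and the fixed reference date are assumptions made for the example; the list of sparse three-digit ZIP prefixes is the one published in the HHS de-identification guidance (2010 Census) and should be checked against current Census data before use.

```python
"""Safe Harbor de-identification pass over a constructed patient record."""
import re
from datetime import date

# Fields that are dropped outright. The field names are assumptions for
# this example; map them onto your own schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}

# Three-digit ZIP prefixes with fewer than 20,000 residents, which Safe
# Harbor says must be reported as "000". Taken from the HHS de-identification
# guidance (2010 Census); verify against the current list before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
               "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that tend to leak into free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

REFERENCE_DATE = date(2021, 6, 1)  # fixed "today" so the example is reproducible


def _age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def find_identifiers(record: dict) -> set:
    """Return the identifier fields present, plus 'field:kind' for pattern
    hits inside free text. An empty set means nothing obvious remains."""
    found = {f for f in record if f in DIRECT_IDENTIFIERS}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or not isinstance(value, str):
            continue
        for kind, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                found.add(f"{field}:{kind}")
    return found


def deidentify(record: dict, today: date) -> dict:
    """Apply the Safe Harbor rules: drop direct identifiers, truncate ZIP
    codes, reduce dates to years, bucket ages of 90 and over into "90+",
    and redact identifier patterns from free text."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
        elif field == "date_of_birth":
            age = _age_on(date.fromisoformat(value), today)
            out["age"] = "90+" if age >= 90 else age
        elif field.endswith("_date"):
            out[field[:-len("_date")] + "_year"] = date.fromisoformat(value).year
        elif isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
            out[field] = value
        else:
            out[field] = value
    return out


# Constructed, fictional record for demonstration.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "medical_record_number": "MRN-001234",
    "email": "jane.doe@example.com",
    "date_of_birth": "1931-05-20",
    "zip": "03601",
    "admission_date": "2020-03-14",
    "diagnosis": "I10",
    "note": "Patient callback 555-123-4567 re: dosage.",
}


def demo() -> dict:
    """De-identify the sample record against the fixed reference date."""
    return deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    print("identifiers found:", sorted(find_identifiers(SAMPLE_RECORD)))
    print("de-identified:", demo())
```

Note what the naive "drop the name column" approach would have missed here: the phone number inside the clinical note, the 90-year-old's exact age, and a ZIP prefix that is itself identifying because so few people live there. Safe Harbor is the mechanical route; the alternative, Expert Determination, requires a documented statistical analysis and isn't something a filter function can replace.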

Let's suppose that the app you plan to develop falls under the purview of HIPAA. How do you make software HIPAA compliant? You'll need to meet the security requirements in the following HIPAA compliance checklist.

HIPAA Security Rule: Technical, physical, and administrative safeguards

All covered entities and business associates dealing with PHI have to implement the technical, physical, and administrative safeguards laid out in the HIPAA Security Rule (45 CFR Part 164, Subpart C). Each safeguard is either required or addressable; the difference matters and is explained below.

Technical safeguards

Technical safeguards are directly related to the technology employed and cover a number of standards for healthcare software, protecting and controlling access to electronic protected health information (ePHI).

Encryption of ePHI at rest and in transit is formally an addressable specification, but treat it as mandatory in practice: if you don't encrypt, you must document why and what equivalent protection you use instead, and under the Breach Notification Rule the loss of data encrypted in line with HHS guidance (which points to the NIST standards) is not a reportable breach of unsecured PHI. Encryption only delivers that benefit if the keys are kept apart from the data and from the people who can dump the database; a backup that ships with its own key material is a breach regardless of the cipher.

Companies can choose any mechanisms they consider suitable to provide the following:

Access controls

In order to discuss the access controls standard, let’s look at its implementation requirements in detail:

1. Unique user identification. Every person who touches ePHI needs their own identifier; shared or generic accounts (a "nurse station 3" login, say) are out, because every action in the audit log must be attributable to exactly one individual. The identifier itself doesn't have to be secret, so an email address or employee number is perfectly usable as a username. What must stay secret is the authenticator that proves the person behind the identifier is who they claim to be, which can be implemented in the following ways:

[Figure: ways of implementing proof of identity for authentication]

2. Emergency access procedure. An emergency is a situation in which electrical power systems or other systems like a hospital management system have been severely damaged or rendered inoperative due to a natural or human-made disaster, or in which a clinician needs a record immediately and the normal authorization path is unavailable. In such cases there has to be a documented way for covered entities to gain access to ePHI, typically a "break-glass" override that is narrowly scoped, logged, and reviewed after the fact.

Audit controls and activity logs

The audit controls standard means that a medical app developer needs to implement hardware, software, and/or procedural mechanisms that record and examine activities in systems that contain or use ePHI.

The standard doesn't say what data you should collect or how often you should review it. Instead, it expects you to use your risk analysis and your knowledge of your technical infrastructure to define the audit controls that suit your systems. At a minimum, log who accessed which record, when, from where, and what they did with it.

Activity logs recording what users do with data once they access it should also be retained, protected from alteration, and kept in a form a reviewer can actually read.
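The three points above (unique user identification, a logged break-glass procedure, and audit records that can't be quietly edited) fit together in one piece of code. The following is an added example, not code from the original article or from Yalantis: a hash-chained, append-only audit trail for ePHI access, followed by the two review queries a security officer would actually run over it. The field names, the `break_glass` flag, the care-team mapping, and the sample events are assumptions made for the example.

```python
"""Tamper-evident audit trail for ePHI access, with review queries."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry


class AuditLog:
    """Append-only log in which every entry carries the SHA-256 of the
    previous entry. Editing or deleting an earlier entry breaks every later
    link, so tampering is detectable. This is tamper-evidence, not
    tamper-proofing: ship the entries to a separate system the application
    servers can only append to."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, patient_id, action, break_glass=False, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,        # unique per person, never a shared account
            "patient_id": patient_id,
            "action": action,          # e.g. view / update / export
            "break_glass": break_glass,  # emergency override invoked
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)
        of the first entry whose link or content no longer matches."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def _digest(body: dict) -> str:
    # Canonical JSON so the digest doesn't depend on dict ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def accesses_outside_care_team(log: AuditLog, care_team: dict) -> list:
    """care_team maps patient_id -> set of user_ids with a treatment
    relationship. Access by anyone else, unless declared as break-glass,
    is potential snooping and goes to the security officer."""
    return [e for e in log.entries
            if e["user_id"] not in care_team.get(e["patient_id"], set())
            and not e["break_glass"]]


def break_glass_events(log: AuditLog) -> list:
    """Every emergency override must be justified and reviewed afterwards."""
    return [e for e in log.entries if e["break_glass"]]


# Constructed sample data: a care-team roster and four access events.
CARE_TEAM = {
    "P-1001": {"dr.smith", "nurse.lee"},
    "P-2002": {"dr.patel"},
    "P-3003": set(),
}


def build_sample_log() -> AuditLog:
    log = AuditLog()
    t = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("dr.smith", "P-1001", "view", ts=t)
    log.record("nurse.lee", "P-1001", "update", ts=t)
    log.record("dr.smith", "P-2002", "view", ts=t)                   # not on the care team
    log.record("dr.kim", "P-3003", "view", break_glass=True, ts=t)   # ER override, logged
    return log


def tamper_demo():
    """Rewrite an earlier entry and show that verify() catches it."""
    log = build_sample_log()
    log.entries[1]["action"] = "view"  # attacker downgrades "update" to "view"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("needs review:", [(e["user_id"], e["patient_id"]) for e in accesses_outside_care_team(log, CARE_TEAM)])
    print("break-glass:", [(e["user_id"], e["patient_id"]) for e in break_glass_events(log)])
    print("after tampering:", tamper_demo())
```

In the sample, dr.smith's look at P-2002 is flagged because there is no treatment relationship, while dr.kim's access to P-3003 is not flagged as snooping but surfaces in the break-glass report for mandatory review. Whether the `CARE_TEAM` relationship comes from scheduling data, admissions, or an EHR role model is an implementation choice; the point is that the log alone can't tell authorized from unauthorized access, so the review query needs that context.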

Addressable technical safeguards

In addition to these two required technical safeguards, there are addressable technical safeguards that allow for some flexibility. They include a mechanism for authenticating ePHI (integrity controls that detect improper alteration or destruction), tools for encryption and decryption, and automatic logoff after a period of inactivity.

Addressable doesn't mean optional. For each addressable safeguard you must assess whether it is reasonable and appropriate for your environment; if it is, implement it; if it isn't, document why and implement an equivalent alternative measure where one makes sense. That written justification is what an auditor will ask to see.


Physical safeguards

Physical safeguards cover physical access to ePHI, whether it's stored in a remote data center, in the cloud, or on-premises. In addition, these safeguards describe how to secure workstations, mobile devices, and storage media from unauthorized access. The required physical safeguards are the following.

Workstation use and security. You have to create policies restricting how workstations that have access to ePHI may be used, and physically protect them. Steps you might take include implementing security systems, video surveillance, and door and window locks, as well as placing servers and PCs where they can't be carried off or read over someone's shoulder.

Device and media controls. Users accessing ePHI from their smartphones must follow policies previously implemented by the organization. For example, employees must be obliged to delete (and know how to delete) ePHI from their phones if they leave the company. Disposal of hardware and re-use of storage media that held ePHI are required specifications: wipe or destroy media before it leaves your control.

Addressable physical safeguards. These include facility access controls (visitor procedures and validation of who may enter areas where ePHI is handled) and accountability for hardware and media, i.e. inventories recording each item's location and who moved it, together with backing up ePHI before equipment is moved.

Administrative safeguards

These safeguards dictate assigning a security officer and a privacy officer responsible for establishing data-protection measures and the policies governing workforce conduct.

Risk assessments. Your security officer must regularly perform a risk assessment to ensure ongoing HIPAA compliance. The aim of this assessment is to define how ePHI is used within your organization and to discover all vulnerabilities that might result in breaches. There must also be a sanctions policy for workers violating HIPAA regulations.

Contingency plan. You must have a plan to protect the integrity of ePHI and ensure key business processes in case of an emergency. 

Third-party access. Make sure unauthorized parent companies and subcontractors can’t access ePHI. This also involves signing agreements with business associates who are allowed to access ePHI.

Addressable administrative safeguards. Security awareness training is itself a required standard, but its specific components (periodic security reminders, protection from malicious software, log-in monitoring, password management) are addressable, as is periodic testing and revision of the contingency plan. Security incident response and reporting, by contrast, is a required specification, not an addressable one: you must have procedures to identify, respond to, and document incidents.

Steps for achieving HIPAA compliance

Follow these three steps to become HIPAA-compliant. 

1. Conduct an initial risk analysis

There’s no fixed approach to performing a risk assessment, since covered entities and business associates differ appreciably in their size, process complexity, and capabilities. 

According to HHS, a risk assessment aims to define risks and threats to the confidentiality, availability, and integrity of all PHI that a company produces, obtains, maintains, or shares.

To properly perform such an assessment, HHS suggests that a company should:

[Figure: HIPAA risk assessment components]

2. Eliminate HIPAA compliance risks and adjust processes

Once you have the results of your initial analysis indicating that there are risk factors you should address in your processes, you can proceed to adjusting those processes.

Start with solving smaller compliance nonconformities, then turn to larger ones. For example, training staff on cybersecurity measures, minimum necessary requirements, permitted uses and disclosures of PHI, and the use of two-factor authentication will help you take the right first steps.

Then you’ll be able to set more complex tasks and prioritize their fulfillment. Your purpose is to establish effective network security while training employees on the need for internal access controls and the consequences of carelessly disclosing PHI.

3. Ensure long-term risk management

Becoming HIPAA-compliant is an ongoing process that requires you to create a long-term strategy to continually manage potential security risks. This will include implementing network monitoring software. Such software can’t make you HIPAA-compliant in and of itself, but it might enable you to deal with some of your risks (provided your staff keeps up with internal access controls).

[Figure: what a network monitoring tool should do]

You can use several software products to monitor HIPAA compliance. But it would be much easier to implement a unified system to manage all of the abovementioned activities in one place. 

In addition to healthcare software, medical devices are an essential part of the connected health trend, and a lot of people are concerned about potential privacy breaches related to data shared by these devices.

Medical devices and related rules

Keep in mind that HIPAA is not the only set of rules with which healthcare app developers should be familiar. When developing software for MedTech (medical devices) sold on the US market, make sure the software and the devices also comply with applicable Food and Drug Administration (FDA) regulations, not only with HIPAA requirements.

The FDA is responsible for protecting public health through the regulation and supervision of food safety, medications, medical devices, and everything else related to food and drugs.

From the FDA’s perspective, an mHealth app can be defined as a medical app if:

  • it’s used as an accessory to a regulated medical device
  • it’s used to transform a mobile healthcare software platform into a regulated medical device.

​In both of these cases, FDA guidelines for medical devices will also apply to the mobile app.

Even though HIPAA and other relevant laws and regulations seem cumbersome, by complying with them and following our recommendations, eHealth developers can build future-proof infrastructures and offer innovative medical tech solutions for a booming market. We hope the checklist for software developers presented in this post was helpful for you.

Yalantis has experience developing HIPAA compliance software. You can read about how we ensured HIPAA compliance for Healthfully, a holistic solution for healthcare institutions. If you plan to create a software product that may be subject to HIPAA requirements, we can guide you down the winding road. 
