Developers are often tasked with creating software governed by national standards, such as the Health Insurance Portability and Accountability Act (HIPAA), designed to protect the privacy of individuals.
What are HIPAA Covered entities?
Software solutions must comply with HIPPA rules to protect PHI and ePHI. This includes software used in healthcare organizations such as hospitals, clinics, and health plan and insurance providers, as well as third-party service providers.
Healthcare providers, such as hospitals, are referred to as “Covered Entities,” and all personnel with access to PHI are referred to as “Business Associates.”
When Does A Software Need HIPAA Compliance?
Software that handles PHI must comply with HIPAA regulations. HIPPA demands complete privacy of information on health plans, insurance, and individually identifiable health information. The security risks of handling PHI (personal health information) electronically require all institutions to follow national standards and rules.
Subjects of HIPAA
HIPAA regulations cover several areas, including privacy, security, and data breaches. The privacy rule sets standards for access and disclosure of PHI, while the security rule sets standards for protecting ePHI (electronic protected health information). In the event of a data breach, HIPAA requires that entities take specific steps to mitigate harm to affected individuals.
Cases for HIPAA Compliance in Software Development
As a software developer, you may encounter two types of clients requiring HIPAA compliance in their software:
- One who is adapting existing software to the US market.
- One who is developing new software targeted at the US healthcare market.
Understanding these two cases is crucial to ensure you can deliver a compliant solution to your clients, keeping their confidential information secure and avoiding penalties for HIPAA violations.
Adapting existing software to the US market
In this scenario, your client may already have a working software application outside the US, but they want to expand it to the US market. For example, a telemedicine application widely used in Europe needs to achieve HIPAA compliance to be used in the US.
Additionally, your client may have a software solution unrelated to healthcare, but they want to extend its functionality to cover this industry. This is a common scenario for various ERP, CRM, messaging systems, and video conferencing apps. An example of this scenario is the popular messaging app, Zoom, which offers HIPAA-compliant healthcare plans starting at $200 per month.
Developing a new software targeted at the US healthcare market
If your client has a new idea for a medical app, it is crucial to understand the significance of HIPAA compliance. The Department of Health and Human Services and its Office for Civil Rights (OCR) have issued 77 penalties for HIPAA violations as of 2020, leading to over $117 million in fines. It’s imperative to ensure that your software is HIPAA-compliant to avoid these penalties and protect your client’s confidential information.
HIPPA Compliance to protect PHI
The confidentiality of PHI and ePHI is of utmost importance, and a breach of sensitive information can cause financial and reputational harm, as well as blackmail or extortion.
PHI and ePHI can be identified by several categories of personal information or information that can reveal a patient’s identity.
The following list provides a general overview of the information in health insurance records that must be protected under HIPAA rules and health insurance regulations:
- Names of patients and medical personnel
- Physical and email addresses, zip codes, and Internet Protocol (IP) addresses
- Dates of patient encounter with healthcare facilities (birth and death dates, doctor visits, hospital admissions/discharges)
- Contact information (phone and fax)
- Document identifiers (social security, insurance cards, medical records, bank accounts, licenses, certificates, etc.)
- Photographic and medical imagery
- Identifiers for devices and vehicles (serial numbers, license plate numbers, etc.)
- Personal identification using biometric data (fingerprints, retina scans, voiceprints, voice recordings)
The best practices for building a HIPAA-compliant AWS infrastructure
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which focuses on electronic health records, supplements HIPAA. Moreover, the original HIPAA Privacy Rule, which established the foundation for medical record protection, has undergone amendments and additions through the Security Rule of 2005 and the Omnibus Rule of 2013 to keep up with technological advancements. There will likely be further updates to HIPAA and related acts.
Comprehensive Checklist To Verify That Your Software is HIPAA Compliant
Before transmitting any Protected Health Information (PHI), it must be encrypted for security purposes. HIPAA-compliant software uses SSL and HTTPS protocols to encrypt sensitive electronic protected health information and data during transmission.
Using these protocols to secure pages containing or displaying protected patient information and health records or protected health information data and login pages is recommended.
The use of non-secure versions of these pages should be avoided. It is also critical to ensure that the HTTPS protocol is correctly configured and that there are no obsolete or insecure TLS versions. Passwords can also be transmitted and stored securely through hash values and intense, complex passwords.
Backup and Storage Encryption
Backup and recovery services are often provided by hosting providers to prevent data loss in the event of an accident or emergency. However, ensuring a security rule that only authorized people can access sensitive PHI is critical.
The privacy and security rules include all data stored in the software system, such as sensitive patient data, medical records, databases, backups, and logs.
Data stored in places beyond the user healthcare provider’s control must remain encrypted and inaccessible to unauthorized personnel, even if the privacy and security rules of the healthcare provider or server are compromised.
Industry-approved encryption utilizing algorithms such as AES and RSA, along with essential keys (256 bits for AES and at least 4096 bits for RSA), is recommended to achieve this criterion. Alternatives like a PostgreSQL manager with built-in data encryption are also viable options.
Encrypted managed databases in public clouds, such as Cloud SQL in the Google Cloud Platform or Amazon Relational Database Service (RDS), can also be used.
Identity and Access Management
Passwords and user IDs must be kept private and never shared between employees. System logs, including access and event logs, should be retained to track login attempts and changes to PHI.
- To validate an individual’s identity and ensure that only authorized users have access to sensitive data, two-factor authentication (2FA) is advised.
- Emerging technologies such as Single-Sign-On (SSO) allow users to sign in once and access various applications and websites without having to sign in again, making it easier for healthcare professionals to access user data quickly and efficiently while maintaining privacy.
- Biometric identification systems such as fingerprint, face, or voice recognition are becoming more popular. However, these technologies must be supplemented by advanced anti-spoofing techniques and liveness detection to prevent hackers from imitating another person’s biometrics. Multimodal biometric authentication systems, which require more than one type of authentication, provide an extra degree of protection.
- Attribute-Based Access Control (ABAC) manages user role complications that enable dynamic and context-based access to diverse places, apps, and resources based on attributes rather than persons and actions. This is more adaptable, especially for changing structural norms over time, and it eliminates problems with traditional role-based authorization where roles overlap.
Protecting the information collected, stored, and transferred is critical to protect against harm or illegal alteration. Even if only one piece has changed, the system must be able to detect and notify any unlawful data modification. PGP and SSL digital signatures and verification methods can be used to sign and verify each piece of data saved or sent into the system. The system must also be developed and constructed to prevent illegal data access.
The HIPPA-compliance checklist mentioned above and other data security rules and process security measures are absolutely necessary regarding compliance programs in the healthcare industry and software development.
Thus, healthcare institutions must emphasize protecting their patient’s privacy and security rules for their sensitive patient data and care data, implement security measures, and collaborate with developers to retain their patients’ trust.