Audit your healthcare software for HIPAA compliance

Healthcare IT Data Governance

National regulations for safeguarding patient health data are established by the Health Insurance Portability and Accountability Act.

This act offers guidelines for the provision of individual health records in electronic formats, with the aim of safeguarding the privacy and security of PHI. Although compliance with HIPAA is generally required for any organization that handles PHI, there may be certain exceptional circumstances in which it is not necessary.

Introduction to HIPAA Compliance

HIPAA compliance means meeting the act's requirements, its subsequent amendments, and associated legislation such as HITECH.

We help organizations align their technology strategy with HIPAA requirements and build applications that comply with HIPAA regulations.

The architecture of a HIPAA/GDPR-compliant solution

Covered Entities

Starting with the basics, there are four different types of covered entities:

Health Plans

Examples of entities that provide healthcare coverage include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, government-funded healthcare programs, and healthcare programs for military personnel and veterans.

Health Clearinghouses

Organizations that process healthcare data received from other entities in a non-standard format.

Business Associates

A covered individual or organization that carries out operations or tasks involving the use, disclosure, or provision of protected health information (PHI) on behalf of, or in service to, a covered entity.

Healthcare Providers

Healthcare providers such as physicians, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit any electronic transaction information, for which the Department of Health and Human Services (HHS) has established a standard.

Other Entities under HIPAA

You may assume that your healthcare application does not fall into any of these categories, but here’s the catch:

If your app gathers, utilizes, or stores protected health information (PHI) of its users and shares this information with any covered entity, your business and product must comply with HIPAA regulations.

HIPAA Compliance Requirement

The HIPAA compliance requirements are intentionally ambiguous to ensure their applicability to any Business Associate or Covered Entity that handles PHI, making it difficult to provide an exact definition.

The Security Rule comprises the standards necessary to secure and safeguard electronically generated, processed, accessed, or stored PHI, both in transit and at rest. It applies to any individual or system with access to confidential patient information. The Security Rule is divided into three components:

1. Technical safeguards:

These cover the technology requirements: ePHI, whether at rest or in transit, must be encrypted to NIST standards once it leaves the organization’s internal firewalled servers, so that patient data is unreadable, indecipherable, and unusable in the event of a breach.

Organizations are free to choose the mechanisms best suited to them for:

– Implementing a means of access control (Required)

– Introducing a mechanism to authenticate ePHI

– Implementing tools for encryption and decryption

– Introducing activity logs and audit controls (Required)

– Facilitating automatic log-off of PCs and devices
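
Four of the mechanisms listed above (access control, authenticating ePHI, audit controls, and automatic log-off) map directly onto application code. The Python module below is an added illustration, not code from the original page or from any HIPAA guidance: it uses a constructed role table, a constructed 15-minute idle timeout and a constructed HMAC key, and it demonstrates integrity authentication of stored ePHI with HMAC-SHA256 rather than encryption (encryption at rest would use an AEAD such as AES-GCM from a vetted library with a key held in a KMS, which the standard library does not provide).

```python
"""Illustration of HIPAA technical safeguards in application code (added example)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed demo values. A real deployment loads keys from a KMS/HSM and
# takes the idle timeout from its documented workstation policy.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use-in-production"
IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic log-off after 15 minutes idle (constructed policy)

# Role -> permitted actions on ePHI (constructed role-based access control policy)
PERMISSIONS: Dict[str, set] = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "intern": set(),
}


class AccessDenied(PermissionError):
    """Raised when the caller's role does not permit the requested action."""


class SessionExpired(PermissionError):
    """Raised when a session has been idle longer than the log-off timeout."""


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last authorised action


# Audit trail: every attempt to touch ePHI is recorded, successful or not.
AUDIT_LOG: List[dict] = []


def audit(event: str, user: str, patient_id: str, outcome: str) -> dict:
    """Append an audit entry recording who did what to which record, and the result."""
    entry = {"ts": time.time(), "event": event, "user": user,
             "patient_id": patient_id, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def seal_record(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag so any tampering with stored ePHI is detectable."""
    payload = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def open_record(sealed: dict) -> dict:
    """Verify the tag in constant time before trusting the record; raise on mismatch."""
    expected = hmac.new(INTEGRITY_KEY, sealed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("ePHI integrity check failed")
    return json.loads(sealed["payload"])


def check_session(session: Session, now: float) -> None:
    """Enforce automatic log-off: reject a session idle longer than the timeout."""
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        raise SessionExpired(f"session for {session.user} expired")
    session.last_activity = now


def access_ephi(session: Session, action: str, patient_id: str,
                store: Dict[str, dict], now: Optional[float] = None) -> dict:
    """Single gatekeeper: session check -> RBAC check -> integrity check, every step audited."""
    now = time.time() if now is None else now
    try:
        check_session(session, now)
        if action not in PERMISSIONS.get(session.role, set()):
            raise AccessDenied(f"role {session.role!r} may not {action}")
        record = open_record(store[patient_id])
    except (AccessDenied, SessionExpired, ValueError) as exc:
        audit(action, session.user, patient_id, f"denied: {exc}")
        raise
    audit(action, session.user, patient_id, "ok")
    return record


if __name__ == "__main__":
    # Constructed sample record; no real patient data.
    store = {"P-0001": seal_record({"patient_id": "P-0001", "dx": "constructed"})}
    physician = Session("dr_a", "physician", last_activity=time.time())
    print(access_ephi(physician, "read", "P-0001", store))
    for entry in AUDIT_LOG:
        print(entry)
```

Routing every read and write through one function is the design point: the access-control decision, the integrity check and the audit entry cannot be skipped independently, and a denied attempt leaves the same kind of trail as a successful one, which is what an audit control is for.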


2. Physical Safeguards:

The emphasis is on securing physical access to ePHI, regardless of its storage location, which could be the cloud, a remote data center, or servers situated within the premises of the HIPAA Covered Entity. Additionally, guidelines are provided on securing mobile devices and workstations against unauthorized access by performing the following actions:

– Implementing facility access controls

– Defining and implementing policies for the use and positioning of the workstations (Required)

– Implementing policies and procedures for mobile devices (Required)

– Maintaining an inventory of all hardware


3. Administrative Safeguards:

These policies and procedures merge the Privacy Rule and the Security Rule, mandating the appointment of a Security Officer and a Privacy Officer to implement the measures for safeguarding ePHI. The administrative safeguards comprise:

– Conducting risk assessments (Required)

– Introducing a risk management policy (Required)

– Training employees in security practices

– Developing a contingency plan (Required)

– Testing the contingency plan

– Restricting third-party access (Required)

– Reporting security incidents

The Privacy Rule establishes national standards for preserving the confidentiality, integrity, and accessibility of PHI. It outlines the permissible uses and disclosures of ePHI and is applicable to healthcare organizations, health plan providers and their staff, healthcare clearinghouses, and Business Associates of covered entities.


The Privacy Rule mandates that adequate safeguards are put in place to protect the privacy of PHI and that limitations and conditions are established for the use and disclosure of patient information without their authorization. Patients (or their representatives) are granted rights over their health information, including the right to obtain a copy of their medical records, review them, and request modifications.


Covered Entities must respond to patient access requests within 30 days, and Notices of Privacy Practices (NPPs) must be issued to inform patients about circumstances under which their data may be shared or used.

Under the Breach Notification Rule, Covered Entities must notify patients of any PHI breach without unreasonable delay and no later than sixty days after its discovery.


Additionally, entities must notify the Department of Health and Human Services if the breach affects over five hundred patients, and issue a notice to the media. Smaller breaches must be reported via the OCR web portal. The notification should include information regarding the nature of the PHI involved, the unauthorized individual who accessed or used the PHI, the extent of the risk of damage, and whether the PHI was actually viewed or acquired.


When notifying a patient of a breach, Covered Entities must provide instructions on how to safeguard against potential harm, describe the steps being taken to investigate the breach, and detail the measures taken so far to prevent further security incidents.

The Omnibus Rule was implemented to tackle issues that were previously neglected by prior HIPAA updates. It aimed to bring clarity to policies and procedures, redefine certain terminologies, and broaden the scope of compliance to include Business Associates and their subcontractors.

The Enforcement Rule of HIPAA includes regulations related to investigating PHI breaches, determining penalties, and conducting hearings. Penalties for violations are determined based on the category of the breach, the number of exposed records, the potential risk to individuals, and the level of negligence displayed.

What Constitutes PHI

Any individually identifiable data about a person’s past, present, or future health that is stored, transmitted, or maintained by a HIPAA-covered entity is classified as Protected Health Information (PHI). Whether health data counts as PHI depends on its potential to identify an individual: once all such identifying features are removed, it ceases to be PHI and is no longer subject to HIPAA regulations. To be precise, any information related to an individual’s health is considered PHI if it contains any of the 18 specific identifiers.

Looking to design and develop a health tech software solution?