As a cloud-hosted health tech firm with software application(s) that interact with electronic protected health information (ePHI), you must ensure your software is HIPAA compliant.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that requires healthcare organizations, and their vendors with access to PHI, to implement standard best practices to protect patient data (such as medical records) and other personal health information.
Consequences for noncompliance range from financial penalties to criminal offenses; hence, compliance with HIPAA cannot be ignored.
In this article, we dwell on how you can make your healthcare application comply with HIPAA and, more importantly, why. We also discuss HIPAA best practices and answer some of the oft-asked questions.
HIPAA Brass Tacks
Before we go any further, let’s quickly understand some standard terms used in the article.
Protected Health Information (PHI): As per HIPAA regulations, PHI is 1) identifiable demographic or genetic information related to health, 2) information on the physical or mental condition of an individual, or 3) payment or financial information related to healthcare.
Covered Entities: Healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically and generate, store, transmit and handle PHI.
Business Associate: Service providers, vendors, and entities that work on behalf of HIPAA-covered entities that involve the use or disclosure of PHI.
How to Make Your Software HIPAA Compliant?
Before we talk about how to make your software HIPAA compliant, let’s quickly understand which organizations needn’t comply with HIPAA and whether you fall in that category.
- Who is the end user of your software application? Is it a Covered Entity or a Business Associate?
- What data will it handle? Will your software be privy to PHI in any form?
If your software doesn’t interact with PHI in any form, you needn’t worry about HIPAA compliance. But if it does, you must make all efforts to ensure you comply.
In HIPAA parlance, if you are a health tech firm that builds and sells software applications that will interact with PHI, you are a Business Associate. Aside from the mandatory requirement, having HIPAA-compliant software ensures you implement some of the global best practices in information security that dovetail with other compliance frameworks.
Here’s a list of 10 things you must do to ensure you are on the right side of HIPAA:
Evaluate risks based on the type of data
You must first understand the type of data your software application will be privy to and list the potential risks against them. Know that risk assessment must be an exhaustive audit of all the risks that can impact the confidentiality, integrity, and availability of ePHI in your environment.
Conduct the risk assessment diligently as it lays the foundation for identifying and implementing security controls and safeguards that comply with the HIPAA Security Rule standards.
A thorough risk analysis should help you assess whether the controls you have implemented are reasonable and appropriate. Staff training on HIPAA is one security measure you must implement.
Collect data: Identify how the PHI enters your Business Environments (BE), where it is stored, and to whom it is transmitted. Identify and document possible threats that can result in unauthorized access or leakage.
Assess existing security measures: Assess and document existing security infrastructure. Ensure that those get configured or implemented correctly.
Determine the impact of threat: Analyze how critical the risks are to the PHI. Using qualitative or quantitative methods, measure the potential impact on your business in case of a data breach.
Determine the risk level: Assign a level of risk for each security gap. You can do this by assigning a number based on how damaging the impact could be.
Finalize document: Document the result of your risk assessment. No specific format is defined for this. The idea is to compare historical data and create a log of the same.
Evaluate continuously: Risk assessment is a continuous process. HIPAA Security Rule doesn’t specify how frequently you should do it, as this depends on the covered entity. For instance, the type of risk your solution faces could change when you deploy a new technology to develop the application, face a security incident or replace key individuals responsible for maintaining compliance.
Did you know that Business Associates must conduct risk assessments periodically (typically once a year)? Failure to do so can attract fines from the Office for Civil Rights (OCR) for noncompliance, and penalties can range from $100 to $50,000 per violation up to a maximum of $1.5 million per year for each violation.
Secure ePHI data on servers
The server (on-prem or cloud) on which you store your ePHI must also be HIPAA compliant. To ensure that, you must sign a Business Associate Agreement (BAA) with the hosting provider. Typically, large cloud providers such as AWS, Google Cloud Platform, or Microsoft Azure offer HIPAA-compliant servers for data storage.
HIPAA encourages data minimization as a security best practice. So, ensure you only collect data that are an absolute must for the smooth running of your application and nothing more.
Encrypt data to avoid data breaches
While the HIPAA Security Rule doesn’t mandate encryption, it’s good security practice to implement it when dealing with ePHI. Even so, your risk assessment should help you determine whether you need it.
That said, even if the risk assessment doesn’t conclude that encryption is an appropriate risk mitigation measure, here’s some food for thought. If there is a potential breach, the onus of explaining to the OCR why you didn’t use encryption falls on you.
When you use encryption, remember to do so for data-at-rest as well as in transit. Store your decryption tools at a separate location per NIST standards. You can also consider Advanced Encryption Standard (AES) to protect online data transfer and Transport Layer Security (TLS) to transfer data via HTTPS safely.
Backup data and implement disaster recovery
The HIPAA Security Rule lays out guidelines on data backup and disaster recovery. You must institute a policy for the same. The policy should account for when, where and how often to back up the PHI your software interacts with.
Your data backup policy must also dwell on how to retrieve and maintain ePHI in its original form if an incident occurs (breach, theft, neglect, and more). You must also have a disaster recovery plan outlining what needs to be done during an incident.
To stay compliant, here are some measures you can implement.
Back up data as frequently as needed: You can automate this task or enable privileged access to handle it manually.
Create multiple backup copies in encrypted form: Use robust encryption systems like AES-256 and enable two-factor authentication for additional security.
Facilitate a real-time auditing solution: Implement real-time monitoring of backed-up data, continuously test the restoration processes, track changes made to PHI to identify unauthorized access, and audit event logs based on user roles.
Create a disaster management feature: To limit the business risks in case of a mishap, create a recovery process for business continuity that specifies which systems to restore first in case of a disaster.
Dispose of old data
You must have procedures to dispose of ePHI permanently such that it isn’t recoverable or accessible to the public. Your software must include the feature to safely dispose of old data when needed.
- Encrypt the data before deleting it to prevent its decryption
- Overwrite sensitive data with non-sensitive ones
- Expose the data to strong magnetic fields to destroy the recorded data
Ensure data deletion happens across all devices and in all forms (physical, electronic, and backup).
Provide authorized access only
Your software must implement access management to limit the access of PHI to only those authorized to see or use it. Maintain activity logs to identify unauthorized access or attempts.
Some of the best practices that you should incorporate into your application are:
Authenticate user accounts
User authentication verifies the identity of a user trying to access your software or sections of it, so that only authorized users gain access to the ePHI in your environment.
You could consider any of the following based on the risks identified for the ePHI in your system:
- Password-based authentication
- Multi-factor authentication
- Certificate-based authentication
- Biometric authentication
- Token-based authentication
In the past few years, companies like Adobe, Equifax, and Yahoo have suffered significant data breaches because they failed to secure user authentication processes.
Ensure integrity and audit
HIPAA-compliant software must incorporate technical and administrative safeguards to ensure ePHI integrity, such as access control, MFA, encryption, and more.
The software must also enable covered entities to track and audit the activities in the system that are exposed to ePHI to protect it from unauthorized access or attempts.
Integrity controls prevent improper ePHI alteration or deletion. Audit controls reduce the risk of inappropriate access, unauthorized tracking and disclosure of PHI.
Implement the right security policies
Having HIPAA-compliant software doesn’t guarantee compliance. It is up to the users to ensure the software gets used in a HIPAA-compliant manner.
Your Business Associate Agreement with the covered entities would list the security measures and protocols required of you to ensure the integrity, security, and confidentiality of PHI don’t get violated.
HIPAA requires covered entities to work only with accountable business associates with whom they have signed agreements towards protecting PHI.
You must implement security policies as outlined in your BAA. Typically, these would include:
- 2FA or MFA
- Automatic session kills
- Encryption and decryption
- Intrusion detection
- Staff training on HIPAA
- Password security
Implement remediation plan
You must have a remediation plan to address potential breaches and limit the damage they can cause. The remediation plan should help detect the cause and trigger an automated kill process.
It must put processes in place to solve the root issue(s) and implement mitigation solutions to get your operations back on track.
Five HIPAA rules every healthcare software must adhere to
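HIPAA outlines the five rules every healthcare software provider must adhere to: the Privacy Rule, the Security Rule, the Enforcement Rule, the Breach Notification Rule, and the Omnibus Rule.
Here’s a brief on these rules and how to abide by them.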
HIPAA Privacy Rule
By law, the HIPAA Privacy Rule applies only to covered entities, and most of the Privacy Rule provisions don’t directly apply to Business Associates.
But as a Business Associate, you would still be liable to protect the privacy of PHI in your environment as outlined in your BAA with the covered entity.
HIPAA Privacy Rule gives individuals certain rights over their medical information, such as the right to access data, the right to make corrections, and the right to file complaints if data is misused or shared without consent.
As a Business Associate, you must understand the Privacy Rule requirements. You must also be aware of any additional limitations the covered entity may have imposed on itself through its notice of privacy practices or agreements with individuals.
Typically, these get covered in the BAA.
HIPAA Security Rule
If the HIPAA Privacy Rule deals with PHI, the HIPAA Security Rule deals with ePHI. Broadly speaking, the Security Rule requires a Business Associate to implement three types of safeguards.
- Technical safeguards are policies and procedures that ensure sufficient access control, integrity controls, and security for data transmission.
- Administrative safeguards entail organizations documenting their security management process, analyzing risks to ePHI and implementing security measures to mitigate the risks.
- Physical safeguards are related to measures and policies that protect PHI on electronic devices, systems, equipment, workstations, and buildings.
HIPAA Enforcement Rule
HIPAA Enforcement Rule establishes the directives for compliance, investigation, and penalties for HIPAA violations.
It details the procedures and monetary fines for imposing civil penalties based on the investigation conducted by the OCR to determine if the Covered Entity or the Business Associate complied with the HIPAA Security and Privacy Rule.
OCR-led investigations typically get triggered due to a complaint or a data breach.
Breach Notification Rule
The HIPAA Breach Notification Rule requires Business Associates to notify the Covered Entity of a PHI breach within 60 days of becoming aware of the breach.
The notice must include all the details the covered entity needs for breach reporting, such as a comprehensive description of the breach, the type of data compromised, measures the affected individuals should take, and more.
That said, look for specifics on this in your BAA. Covered Entities may require a faster notification of a breach and could incorporate the same in your BAA.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule updates the previously passed HIPAA rules on Security, Privacy, Enforcement, and Breach Notification.
It comprises changes concerning Business Associates and their subcontractor liability and makes them more accountable for PHI use, disclosure and security.
Business Associates and their subcontractors are liable to face HIPAA enforcement actions following violations of the HIPAA Security Rule and specific provisions of the Privacy and Breach Notification Rules.
As a Business Associate, you are liable for the following:
- Impermissible uses and disclosures of PHI
- Failure to comply with HIPAA Security Rule
- Failure to provide access to PHI to the Covered Entity
- Failure to provide an accounting of disclosures
- Failure to provide Breach Notification to the Covered Entity
- Failure to enter into BAAs with subcontractors that create or receive PHI
- Failure to take reasonable steps to address a material breach of BAA by subcontractors
- Failure to make reasonable efforts to limit the request, use, or disclosure of PHI to the minimum necessary
- Failure to disclose a copy of ePHI to the covered entity, the individual, or the individual’s designee to enable the covered entity to comply with the patient’s right to access
- Retaliating against individuals for filing a HIPAA complaint or participating in an investigation
- Failure to disclose to the Department of Health and Human Services (HHS) as required
- Civil Money Penalties for HIPAA violations
How to become HIPAA compliant as a software company?
Your compliance efforts must include more than ensuring HIPAA compliance for software development. You should make efforts to remain HIPAA-compliant post-development too.
Here are some critical measures you must implement to ensure continued compliance.
Regular audits help you track who, when and from where PHI gets accessed. It’s a good practice to keep track of details like:
- User-wise access to data
- How much and what data can they edit
- Record of which data got accessed, the date, and the device’s IP address
- Data update and deletion details
You must record and review audit logs for consistent HIPAA compliance and safeguarding of all ePHI.
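The audit trail described above, together with the integrity controls from the "Ensure integrity and audit" step, can be combined in a tamper-evident log. The following is an added example, not code from this article or from any vendor it mentions; the field names, the demo key, and the sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In production, keep it in a secrets
# manager, separate from the system that stores the log.
LOG_KEY = b"demo-only-audit-key"
GENESIS = "0" * 64


def _mac(prev_mac, entry):
    """HMAC over the previous entry's MAC plus this entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append_event(log, user, role, action, record_id, ip, timestamp):
    """Append one access event, chained to the entry before it."""
    entry = {
        "user": user, "role": role, "action": action,
        "record_id": record_id, "ip": ip, "timestamp": timestamp,
    }
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": _mac(prev_mac, entry)})
    return log[-1]


def verify_log(log):
    """Return the index of the first entry that fails verification, or None."""
    prev_mac = GENESIS
    for i, item in enumerate(log):
        if not hmac.compare_digest(item["mac"], _mac(prev_mac, item["entry"])):
            return i
        prev_mac = item["mac"]
    return None


def accesses_by_user(log, user):
    """Review helper: which records a user touched, when, and from where."""
    return [(e["entry"]["timestamp"], e["entry"]["action"],
             e["entry"]["record_id"], e["entry"]["ip"])
            for e in log if e["entry"]["user"] == user]


def build_sample_log():
    """Constructed sample events (documentation IP ranges, made-up users)."""
    log = []
    append_event(log, "dr.lee", "physician", "read", "patient/1001",
                 "192.0.2.10", "2024-03-01T09:15:00Z")
    append_event(log, "j.ortiz", "billing", "update", "patient/1001",
                 "198.51.100.7", "2024-03-01T09:40:00Z")
    append_event(log, "dr.lee", "physician", "delete", "patient/1002",
                 "192.0.2.10", "2024-03-01T10:05:00Z")
    return log
```

The chain detects edited, reordered, or removed entries, but not removal of the newest entries from the tail; to catch that, periodically store the latest MAC somewhere the log writer cannot modify.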
Compliance automation platforms such as Sprinto help you stay on top of all this by ensuring your audit trail is maintained and accessible in-app.
Plans for remediation
As mentioned earlier, a remediation plan can help you investigate breaches effectively and limit the damage. An auto-remediation program that can respond to several ‘what if’ scenarios can help here.
A comprehensive remediation plan will help you:
- Immediately remove all unauthorized access to PHI and change passwords
- Contact your compliance officer to help you take appropriate actions
- Investigate the breach in detail to understand the severity of the damage. Confirm details like who was affected and how much.
- Document your investigation and notify the affected parties
- Implement appropriate measures to avoid a similar incident in the future
Like all compliance frameworks, HIPAA is heavy on documentation too. So, at every step, thoroughly document policies, procedures, incidents, and training modules.
The documents should be comprehensive, easy to understand, and well-structured. Remember, these documents serve as proof of compliance and accountability – if something isn’t documented, it implies it isn’t done.
Management of business relationships
To remain compliant, you must ensure that a BAA binds your vendors and subcontractors with access to PHI. You will likely have multiple BAAs signed with several Covered Entities.
Ensure you sign a BAA with Covered Entities only when you have access to PHI and fully understand the liabilities and obligations under the BAA.
Aside from what’s already been covered, here are some other measures you can take to ensure the security of the PHI in your environment.
- Log users out following a specific period of inactivity
- Push notifications or pop-ups should not contain PHI
- Role-based PHI access
- Intrusion detection
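Three of the measures listed above (inactivity logout, role-based PHI access, and PHI-free notifications) are shown together in the following added example, which is not code from this article. The 15-minute timeout, the role-to-field map, and the sample record are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy value; derive the real one from your risk assessment.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Hypothetical role-to-field map: each role sees only the fields it needs.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id", "balance"},
    "support": set(),
}


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds
    active: bool = True


def touch(session, now):
    """Expire the session if idle too long; otherwise refresh its activity time."""
    if not session.active or now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        session.active = False
        return False
    session.last_activity = now
    return True


def read_record(session, record, now, denied_log):
    """Return only the fields the role may see; log and refuse everything else."""
    if not touch(session, now):
        denied_log.append((now, session.user, "session_expired"))
        return None
    allowed = ROLE_FIELDS.get(session.role, set())
    if not allowed:
        denied_log.append((now, session.user, "role_has_no_phi_access"))
        return None
    return {k: v for k, v in record.items() if k in allowed}


def build_push_notification(record_id):
    """Notification carries an opaque reference only; the PHI stays behind login."""
    return {"title": "You have a new message",
            "body": "Sign in to view it.",
            "ref": record_id}


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {"name": "Test Patient", "dob": "1980-01-01",
                 "diagnosis": "J45.909", "medications": ["albuterol"],
                 "insurance_id": "INS-000", "balance": 120.0}
```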
Find out how Sprinto helps Business Associates become HIPAA compliant
We understand it’s a lot to manage business growth on the one hand and ensure HIPAA compliance on the other. Sprinto is built to make complying with HIPAA effortless.
Sprinto enables you to adhere to the HIPAA rules, raise alerts, deliver and track employee training, build security policies and ensure employee acknowledgment, maintain audit trails, and conduct annual risk assessments – from the comfort of its platform.
With minimal effort from your team, Sprinto automates evidence collection and documentation, ensuring repeatable tasks get done by themselves. Reviews of audit logs, compliance status, policies, and documentation can all be done within the Sprinto app.
Talk to us about how you can breeze through your HIPAA compliance.
What is required for the software to be HIPAA compliant?
A lot of what is required for your software to be HIPAA compliant will be dictated by the Business Associate Agreement (BAA) you sign with the covered entities.
That said, based on the risk identified for the PHI in your environment, you can consider safeguards, such as data encryption, remediation plans, documentation, audit and integrity controls, and MFA to protect the PHI and avoid penalties for noncompliance.
Why is it important that a software vendor understand HIPAA rules?
If your software interacts with PHI, it is essential to understand HIPAA rules and implement the required controls to protect PHI and avoid the financial and legal consequences of noncompliance.
Are apps subject to HIPAA?
If the healthcare app collects or maintains PHI data in any capacity, it is subject to HIPAA.