Jun 28

TEJSHRI DAKE

Making Your App HIPAA Compliant

On 06-28-2021

    Nowadays, making your healthcare app HIPAA compliant has become the most important step in protecting patients' health information. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone providing treatment, payment, or operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, must also be in compliance.

      Protected health information (PHI) :

      The US Department of Health and Human Services defines 18 classes of personal information that constitute PHI when combined with health data:
        1. Names of patients
        2. All geographical subdivisions smaller than a state
        3. Dates directly related to an individual, including birth date, admission date, discharge date, and date of death
        4. Phone numbers
        5. Fax numbers
        6. Email addresses
        7. Social Security numbers
        8. Medical record numbers
        9. Health plan beneficiary numbers
        10. Account numbers
        11. Certificate/license numbers
        12. Vehicle identifiers and serial numbers, including license plate numbers
        13. Device identifiers and serial numbers
        14. Web URLs
        15. IP addresses
        16. Biometric identifiers, including finger and voice prints
        17. Full face photographic images and any comparable images
        18. Any other unique identifying number, characteristic, or code
      1. What does HIPAA compliance for health applications mean for developers?

      It means that the technology used to protect electronic PHI and to control access to it must meet certain standards, such as the audit controls, integrity, and access controls standards.
        • The Audit Controls standard
          Requires a medical app developer to have the hardware, software, and/or procedural mechanisms in place that track, record, and examine activity in systems that contain or use electronic PHI.
        • The Integrity standard
          Requires a covered entity to have policies and procedures in place to protect electronic PHI from improper alteration or destruction.
        • The Access Controls standard requires:
          a) a unique user identification system (using a password or PIN, a smart card or key, or biometric data),
          b) emergency access procedures (for example, in case of power failure),
          c) automatic logoff, and
          d) data encryption and decryption at all stages.

      HIPAA compliance is broken into four Rules, which govern four major points of compliance:

        • Access:
          Only the people who need access to private health care data should be granted it. This includes health care service industry employees and hosting business employees. Anyone who may come in contact with PHI should be scrutinized for need and granted access appropriately. If a specific team or individual doesn’t need access to PHI, they should not have it.
        • Handling:
          No one outside the controlled set of members of the organization should be able to see PHI. While the data is at rest, it should be encrypted. Backups of the data should be encrypted, the means of access and transmission should be encrypted, and the physical security of your machines needs to be maintained and controlled at all times. Logs need to be diligently kept for every time PHI is accessed, changed, updated, or moved. Lastly, once you’re done with the data, be it through account termination or a migration, any physical copies of the data (e.g., hard drives) need to be appropriately disposed of to ensure complete data integrity.
        • Notification:
          The HIPAA Breach Notification Rule sets standards for how PHI data breaches must be handled should the unthinkable happen. In general, a breach is defined as any uncontrolled access to unencrypted PHI. Breaches are further broken into two types: minor breaches, which affect fewer than 500 individuals, and meaningful breaches, which affect greater than 500 individuals. Breaches do not necessarily equal violations. A violation is when a breach comes as a result of a poorly defined, partially implemented, loosely maintained, or generally incomplete compliance process, or as a result of a direct violation of properly implemented processes and procedures.
        • Reach:
          It’s possible to maintain HIPAA compliance even when parts of your processes are outsourced to other companies. Just make sure the other company is also HIPAA compliant and that you have executed a BAA (business associate agreement) before allowing access to PHI.

      Database Hosting:

      There are two primary ways of database hosting: dedicated database hosting and tandem database hosting. Whether you use a dedicated database server or a database service running on a web server, if PHI will be stored there, the entire server is required to follow all compliance guidelines. These guidelines fall into four categories:
        • Data handling:
          Data handling refers to data that is ready to be accessed, data that is being accessed, and data that is moving so it can be accessed once received. All of these processes are governed by one concept: encryption. According to the HIPAA Security Rule, no one should simply be able to see PHI. That means data should be encrypted both at rest and in transit.
        • Backups:
          Database backups are paramount to a company’s survival, and the governing bodies understand this, which is why HIPAA compliance has stipulations specifically for maintaining backups. Not having backups is a direct violation of HIPAA compliance. Further, those backups must follow the encryption policies for data handling: they must be encrypted, accessed only via encrypted means, and kept encrypted in transit. Backups also require testing.
        • Physical Safeguards:
          According to the Security Rule, physical access must be controlled and logged. Luckily, as per the Omnibus Rule, a third party can handle almost any aspect of your compliance, so long as they’re HIPAA compliant and there’s a BAA executed. This includes physical access!
        • Logging:
          As part of the HIPAA compliance audit process, a compliance officer will require documentation showing that all of the above points are followed. This means all access to your databases needs to be logged, and those logs need to be maintained.
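      As an added example that is not part of the original post, here is how the Access Controls and Audit Controls requirements described above (unique user identification, minimum-necessary access by role, automatic logoff, and the database-level logging of every PHI access) translate into a small Python PHI store with a tamper-evident audit log. The role names, the 15-minute idle timeout and the sample record are constructed assumptions; encryption at rest and in transit is left to the storage and transport layers and is not shown.

```python
import hashlib
import json
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 900  # automatic logoff after 15 idle minutes (assumed policy value)
# Minimum necessary: the PHI fields each (assumed) role is allowed to read.
ROLE_FIELDS = {"clinician": {"name", "mrn", "diagnosis"}, "billing": {"name", "mrn", "account_no"}}
# Constructed sample record for the demo; not real patient data.
SAMPLE_RECORDS = {"r1": {"name": "Jane Sample", "mrn": "MRN-0001", "diagnosis": "n/a", "account_no": "A-1"}}
@dataclass
class Session:
    user_id: str      # unique per person; never a shared or generic login
    role: str
    last_seen: float  # epoch seconds of the last authenticated activity
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class PhiStore:
    records: dict
    audit_log: list = field(default_factory=list)
    prev_hash: str = "0" * 64

    def _audit(self, session, action, record_id, fields, outcome, now):
        # Log every attempt, allowed or denied; each entry commits to the previous
        # entry's hash, so deleting or editing a line later breaks the chain.
        entry = {"ts": now, "user": session.user_id, "action": action, "record": record_id,
                 "fields": sorted(fields), "outcome": outcome, "prev": self.prev_hash}
        entry["hash"] = self.prev_hash = _digest(entry)
        self.audit_log.append(entry)

    def read(self, session, record_id, fields, now):
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:  # automatic logoff
            self._audit(session, "read", record_id, fields, "denied:auto-logoff", now)
            raise PermissionError("session expired; re-authenticate")
        session.last_seen = now
        allowed = ROLE_FIELDS.get(session.role, set())
        if not set(fields) <= allowed:  # role is not cleared for a requested field
            self._audit(session, "read", record_id, fields, "denied:role", now)
            raise PermissionError(f"{session.role} may not read {sorted(set(fields) - allowed)}")
        self._audit(session, "read", record_id, fields, "ok", now)
        return {f: self.records[record_id][f] for f in fields}

def verify_audit_chain(log):
    # Recompute the chain; False means an entry was altered, reordered or removed.
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

      An auditor asking for the access documentation described under Logging can be handed the `audit_log` together with a `verify_audit_chain` check that proves it has not been edited since it was written.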

      Minimum list of required features for HIPAA compliant software:

        1. Access control
        2. Person or entity authentication
        3. Transmission security
        4. Encryption/decryption
        5. PHI disposal
        6. Data backup and storage
        7. Audit controls
        8. Automatic logoff
        9. Mobile app extra-security
      The points listed above are the minimum required features for HIPAA compliance, and on their own they won't guarantee your application's security. But having these features should convince an auditor that you’ve done enough to protect your clients' data.
