![\"\"](\"https:\/\/epicomm.net\/web\/blog\/wp-content\/uploads\/2021\/06\/hippa.jpg\")
<\/p>\n<\/p>\n
<\/strong><\/ol>\n<\/ul>\n
<\/p>\n <\/strong><\/p>\n The technology used to protect electronic PHI and control the access to it under certain standards such as audit controls, integrity, and access controls.<\/p>\n <\/strong> <\/p>\n <\/strong><\/p>\n There are two primary ways of database hosting, dedicated database hosting and tandem database hosting. <\/p>\n <\/strong><\/p>\n Above listed points are minimum required features for HIPPA compliance and they alone won’t guarantee it’s security. Nowadays making your healthcare App HIPPA compliant has become most important thing to protect patient’s health information. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to … Continue reading “Making Your App HIPPA Compliant”<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-134","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/posts\/134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/comments?post=134"}],"version-history":[{"count":71,"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/posts\/134\/revisions"}],"predecessor-version":[{"id":258,"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/posts\/134\/revisions\/258"}],"wp:attachment":[{"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/media?parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/categories?post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epicomm.net\/web\/blog\/wp-json\/wp\/v2\/tags?post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What does HIPAA compliance for health applications mean for developers?<\/h3>\n
\n
\n
Requires a medical app developer to have the hardware, software, and\/or procedural mechanisms in place that track, record, and examine activities in systems that contain or use electronic PHI.\u00a0<\/b><\/ul>\n<\/li>\n
\n
Requires policies and procedures to protect electronic PHI from improper alteration or destruction to be used by a covered entity.<\/ul>\n<\/li>\n
\n
\n
\n
\n
\n
\n
\n<\/p>\nHIPAA Compliance is broken into four Rules which govern four major points of the compliance:<\/h3>\n
\n <\/p>\n\n
\n
Only the people who need to have access to private health care data should be granted access.
\nThis includes health care service industry employees and hosting business employees. Anyone who may come in contact with PHI should be scrutinized for need and granted accesses appropriately. If a specific team or individual doesn\u2019t need access to PHI, they should not have it.<\/ul>\n<\/li>\n\n
No one outside controlled members of the organization should be able to see PHI. While the data is at rest, it should be encrypted. Backups of the data should be encrypted, the means of access and transmission should be encrypted, and the physical security of your machines needs to be maintained and controlled at all times. Logs need to be diligently kept for every time PHI is accessed, changed, updated, or moved. Lastly, once you\u2019re done with the data, be it account termination or a migration, any physical copies of the data (i.e., hard drives) need to be appropriately disposed of to ensure complete data integrity.<\/ul>\n<\/li>\n
\n
The HIPAA Breach Notification rule sets standards for how PHI data breaches must be handled should the unthinkable happen. In general, a breach is defined as any uncontrolled access to unencrypted PHI.
\nBreaches are further broken into two types, Minor breaches, which affect fewer than 500 individuals, and Meaningful breaches, which affect greater than 500 individuals.
\nBreaches do not necessarily equal violations. A violation is when a breach comes as a result of a poorly defined, partially implemented, loosely maintained, or generally incomplete compliance process; or as a result of direct violation of properly implemented processes and procedures.<\/ul>\n<\/li>\n\n
It\u2019s possible to maintain HIPAA compliance even when parts of your processes are outsourced to other companies.
\nJust make sure the other company is also HIPAA compliant, and you have executed a BAA before allowing access to PHI.<\/ul>\n<\/li>\n<\/ol>\nDatabase Hosting:<\/h3>\n
\nWhether you use a dedicated database server or a database service running on a web server, if PHI will be stored there, the entire server is required to follow all compliance guidelines. These guidelines fall into four categories:<\/p>\n\n
\n
Data Handling refers to data that is ready to be accessed, data that is being accessed, and data that\u2019s moving so it can be accessed once received. And these processes are governed by one concept: encryption
\nAccording to the HIPAA Security rule, no one should simply be able to see PHI. That means data should be encrypted while at rest or in transit.<\/ul>\n<\/li>\n\n
Database backups are paramount to a company\u2019s survival, and the governing bodies understand this, which is why HIPAA compliance has stipulations specifically for maintaining backups.
\nNot having backups is a direct violation of HIPAA compliance.
\nFurther, those backups must follow the encryption policies for data handling. They must be encrypted, accessed only via encrypted means, and maintain encryption in transit.
\nBackups Also Require Testing.<\/ul>\n<\/li>\n\n
According to the Security Rule, physical access must be controlled and logged.
\nLuckily, as per the Omnibus rule, a third-party can handle almost any aspect of your compliance, so long as they\u2019re HIPAA compliant and there\u2019s a BAA executed. This includes physical access!<\/ul>\n<\/li>\n\n
As part of the HIPAA compliance audit process, a compliance officer will require documentation showcasing all of the above points are followed. This means all access to your databases needs to be logged, and those logs need to be maintained<\/ul>\n<\/li>\n<\/ol>\n
Minimum list of required features for HIPAA compliant software:<\/h3>\n
\n
\n
\nBut having these features should convince an auditor that you\u2019ve done enough to protect your client data.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"