Who We Help
Case Studies
About Us
Insights
About
Pricing
Feature [CMS]
Feature Details [CMS]
Integration
Team
Blog [CMS]
Blog Details [CMS]
Contact v1
Contact v2
FAQ
Privacy
Terms
404
Who We Help
Case Studies
About Us
Insights
About
Pricing
Feature [CMS]
Feature Details [CMS]
Integration
Team
Blog [CMS]
Blog Details [CMS]
Contact v1
Contact v2
FAQ
Privacy
Terms
404
15 Tips for Successful HIPAA Compliant Software Projects
15 Tips for Successful HIPAA Compliant Software Projects
15 Tips for Successful HIPAA Compliant Software Projects
Leading a complex custom software development project for a healthcare organization is already tough. But on top of that, you must be aware of the Health Insurance Portability and Accountability Act (HIPAA). This U.S. law was enacted in 1996 and it sets strict standards for protecting patient health information (PHI) or electronic protected health information (ePHI).
As a healthcare IT leader, you're already aware of HIPAA and the need to be compliant. But what does that mean for your software development projects? In this article we'll discuss:
What is HIPAA and why do healthcare providers need to be compliant?
You need a BAA in place to be compliant with HIPAA Security Rule
Is HIPAA Compliance just a checkbox?
What is required to develop HIPAA-compliant Software?
HIPAA Compliance Software Requirements
What are the implications of HIPAA Compliant Software Development?
Deploying a custom software project on a HIPAA-compliant environment
1 - What is HIPAA and why do healthcare providers need to be compliant?
As mentioned above HIPAA is a patient privacy law with the goal to protect electronic protected health information (ePHI). PHI includes any information about a person's health that can be used to identify them. This includes things like their name, address, birth date, Social Security number, and medical records.
HIPAA compliance is mandatory for any organization that deals with PHI. This includes healthcare providers, health insurers, and any company that provides support services to the healthcare industry. Failure to comply with HIPAA can result in heavy fines from the U.S. Department of Health and Human Services (HHS).
The fines range from $100 to $50,000 per violation, with a maximum of $1.8 million per year for the same HIPAA violation.
So, as you can tell it's critically important to make sure your project ensures a HIPAA-compliant software result.
2 - You need a BAA in place to be compliant with HIPAA Security Rule
Before we dive into details, the first thing you need to know is you need a "BAA" in place. A BAA is a Business Associate Agreement. This is a contract between you (the HIPAA-covered entity) and any company that will have access to PHI.
The BAA must outline the duties of each party, how PHI will be used, and what measures will be taken to protect it. The BAA must also stipulate that the company will not use or disclose PHI for any purpose other than providing services to the covered entity.
You can read more about BAAs and being HIPAA compliant here.
But it is critical that if you bring a 3rd party software development organization, you hired internal software developers or whomever you are picking as an infrastructure as a service provider that you have BAA in place.
In general, a BAA's and HIPAA security rule guidelines to avoid data breaches:
PHI must be stored securely
PHI must be transmitted securely
PHI must be accessed only by authorized personnel
PHI must be destroyed when no longer needed
PHI must be monitored for unauthorized access
Policies and procedures must be in place to ensure HIPAA compliance
HIPAA compliance must be monitored on an ongoing basis
Employees must be trained in HIPAA compliance
Have a remediation plan in place
3 - Is HIPAA Compliance just a checkbox?
OK, this is a tricky one. Compliance is not a binary state, it's more of a spectrum. There are different levels of compliance and it's up to you as the healthcare IT leader to decide what level is appropriate for your organization.
That's why it's important to explore the nuance of these topics with your software development and compliance teams before making decisions.
The short answer is "Yes", with proper security safeguards in place, the software can be HIPAA compliant. But it's more of a question of whether are we being willfully negligent or not. Your objective is to be as compliant as possible in the event of data breaches, and have a remediation plan in place.
4 - What is required to develop HIPAA-compliant software?
There are four main requirements healthcare providers need to take into consideration when developing HIPAA-compliant software:
The software must protect the confidentiality, integrity, and availability of PHI
The software must be implemented with security measures appropriate to the risk level
The software must be monitored on an ongoing basis
Employees must be trained on HIPAA compliance and have a remediation plan in place.
The first two requirements are known as the "security rule" and the second two requirements are known as the "privacy rule."
Let's take a closer look at each of these requirements.
But before we do, let's go through the process to get there.
5 - HIPAA Compliance Software Requirements
To begin with, not all healthcare systems and applications need to adhere to HIPAA requirements.
Which healthcare solutions don’t need to be HIPAA compliant?
Health and fitness apps
Wellness tracking
General health information websites
Personal health journals
Productivity or lifestyle apps with no health data
These are a few examples of healthcare applications that don’t need to be HIPAA-compliant. Now, there may be some cases where these excluded services could become covered entities.
For example, if an employer requires its employees to use a fitness app to track their physical activity, the app would need to be HIPAA Compliant.
Let's dig a little deeper into what PHI is, these are the 18 elements that constitute PHI:
What is PHI?
PHI stands for Protected Health Information. It is any information related to a person's health that can be used to identify them. This includes things like their name, address, date of birth, medical records, and more.
The HIPAA Privacy Rule defines 18 elements of PHI:
Name
Address (all geographic subdivisions smaller than the state, including street address, city county, and zip code)
All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
Telephone numbers
Fax number
Email address
Social Security Number
Medical record number
Health plan beneficiary number
Account number
Certificate or license number
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web URL
Internet Protocol (IP) Address
Finger or voice print
Photographic image - Photographic images are not limited to images of the face.
Any other characteristic that could uniquely identify the individual
These are just a few of the critical components that must be considered when developing software that will be handling PHI and be HIPAA compliant.
Now that we understand what is required let's take a look at how to get there.
6 - What are the implications of HIPAA Compliant Software Development?
When we talk about the implications of a software development project we must get into the phases of the project. We need to think of the most common stages where we need to make decisions that might impact our HIPAA compliance.
7 - Identifying the business need
A natural first step when embarking on a software development project is to identify what the business need is, in the HIPAA case, determine if any patient information is required.
Protected Health Information (PHI) includes name, address, birth date, Social Security number, and medical records.
If the project will not require any patient information, then you can move on to the next stage. However, if patient information is required, then you must take steps to ensure that the information is protected in accordance with HIPAA regulations.
8 - Project scoping and requirements gathering
The next stage is to scope out the project and gather requirements. This is where you will need to work closely with the business stakeholders to determine what patient information is required and how it will be used. You will also need to determine what security measures will be put in place to protect the information.
For example, if the project requires the development of a web-based application that will be used to input and store patient information, then you will need to ensure that the application is secure, and ensuring data security. This means ensuring that only authorized users can access the application and that data encryption is used on transmission as a basic precaution against data breaches.
It's also important that you don't make assumptions about what is required. Make sure that you ask the business stakeholders questions and get clarification on any requirements that are not clear, because if you make assumptions and get it wrong, then you could be held liable for any resulting HIPAA violations.
9 - Designing the architecture
The next stage is to design and architect the solution. During this stage, you'll describe the solution's major components, their relationships, and how they interact. You'll also need to consider how the solution will be deployed and hosted. This is where you will need to take into consideration the security measures that need to be put in place to protect patient information.
For example, if you are designing a database to store patient information, you will need to ensure that the database is secure. This means ensuring that only authorized users can access the database and that the data is encrypted at rest.
You'll also have to think about the infrastructure needs of the solution. For example, if you are designing a web-based application, you will need to consider where the web server will be located and how the application will be deployed. Whether you are going with a cloud-based architecture such as AWS, or an on-premises solution, you will need to ensure that the data is stored in a secure location and that the proper security measures are in place.
10 - Development Process
Whether you are building a new project or you maintain HIPAA compliance software development initiative with internal software developers or a qualified partner (such as Gistia) you'll need to take a few things into consideration:
Each developer must be aware on their part to maintain HIPAA compliance
A security professional should review architectural plans
Consider the ways the application will be used
What data will the system be processing and storing?
Are you protecting in-transit and at-rest PHI?
What encryption protocols are being implemented?
Identify what data fields are NOT necessary (if there's no need to gather a social security number, then don't)
Develop consistency in the documentation of compliance (across the board), for different types of information
Ensure compliance with application activity logs
System testing should include security and privacy controls
Monitoring must be in place for ongoing compliance efforts
Ongoing Training
Use the appropriate certificates
Beware of sending PHI on SMS/MMS as those are unencrypted
Avoid push notifications
Access user roles
Be aware of electronic health records embedded into transactional data
11 - How to Maintain HIPAA Compliance
In order to maintain HIPAA compliance long-term IT leaders need to develop a compliance program that provides not only the technical safeguards required by HIPAA but also the policies, procedures, and training necessary to ensure that all employees are aware of their responsibilities under HIPAA.
The compliance program should include:
An inventory of all systems that contain PHI
A risk analysis of all systems that contain PHI
Policies and procedures for handling PHI
Training for all employees who have access to PHI
A process for monitoring compliance
Regular audits of systems that contain PHI
Disaster recovery plans in case of a data breach
The compliance program should be reviewed on a regular basis and updated as needed to reflect changes in the law or changes to the way the organization handles PHI.
Keeping up with HIPAA compliance can be a challenge, but it's important to remember that the goal of the law is to protect the privacy of patients. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.
12 - HIPAA Developer Checklist: HIPAA Mobile App Security
When it comes to mobile applications and HIPAA compliance, developers need to take extra care to ensure that the apps they create are secure. Here is a checklist of things to consider when creating a HIPAA-compliant mobile app:
Make sure that the app is encrypted.
Use strong authentication methods, such as two-factor authentication.
Do not store PHI on the device.
Do not send PHI over unsecured channels, such as SMS or email.
Make sure that the app has a clear security policy.
Train employees on how to use the app securely.
Monitor app usage and activity logs.
Perform regular security audits of the app.
Update the app regularly to address security vulnerabilities.
Have a plan in place for what to do in case of a data breach.
By following these tips, developers can help ensure that their mobile apps are compliant with HIPAA and protect the privacy of patients.
13 - HIPAA Rules: Privacy, Security, and Breach Notifications
The Breach Notification Rule requires covered entities to provide notification following a breach of unsecured protected health information. In general, a covered entity must provide notification to affected individuals and, in some cases, the media.
The Security Rule requires covered entities to put in place safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
The Privacy Rule establishes national standards for the protection of PHI. It gives individuals the right to access and amend their health information and sets limits on who can use and disclose PHI.
14 - Which healthcare apps should comply with HIPAA rules?
HIPAA compliance is required for any healthcare app that handles PHI. This includes apps that are used for medical appointments, prescriptions, health records, and billing. In general, any app that could be used to identify a patient or collect information about their health should be compliant with HIPAA.
15 - Deploying a custom software development project on a HIPAA-compliant software environment
The final stage is to deploy the solution. This is where you will need to consider how the solution will be deployed and hosted.
There are many HIPAA compliance options out there such as on-premises, cloud-based, or a hybrid solution. We typically recommend AWS and Azure as they have ready-to-go HIPAA-compliant software environments.
And lastly, but most importantly, AWS and Azure have BAA's in place which is a requirement when handling PHI.
Conclusion
Although HIPAA compliance may seem daunting, it is important to remember that there are many resources available to help you achieve and maintain compliance. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.
Also by following the tips in this blog post and by working with a knowledgeable HIPAA consultant, you can rest assured that your practice is fully compliant with all of the HIPAA regulations. Have you had any experience with HIPAA compliance? What tips would you add?
15 Tips for Successful HIPAA Compliant Software Projects
15 Tips for Successful HIPAA Compliant Software Projects
Leading a complex custom software development project for a healthcare organization is already tough. But on top of that, you must be aware of the Health Insurance Portability and Accountability Act (HIPAA). This U.S. law was enacted in 1996 and it sets strict standards for protecting patient health information (PHI) or electronic protected health information (ePHI).
As a healthcare IT leader, you're already aware of HIPAA and the need to be compliant. But what does that mean for your software development projects? In this article we'll discuss:
What is HIPAA and why do healthcare providers need to be compliant?
You need a BAA in place to be compliant with HIPAA Security Rule
Is HIPAA Compliance just a checkbox?
What is required to develop HIPAA-compliant Software?
HIPAA Compliance Software Requirements
What are the implications of HIPAA Compliant Software Development?
Deploying a custom software project on a HIPAA-compliant environment
1 - What is HIPAA and why do healthcare providers need to be compliant?
As mentioned above HIPAA is a patient privacy law with the goal to protect electronic protected health information (ePHI). PHI includes any information about a person's health that can be used to identify them. This includes things like their name, address, birth date, Social Security number, and medical records.
HIPAA compliance is mandatory for any organization that deals with PHI. This includes healthcare providers, health insurers, and any company that provides support services to the healthcare industry. Failure to comply with HIPAA can result in heavy fines from the U.S. Department of Health and Human Services (HHS).
The fines range from $100 to $50,000 per violation, with a maximum of $1.8 million per year for the same HIPAA violation.
So, as you can tell it's critically important to make sure your project ensures a HIPAA-compliant software result.
2 - You need a BAA in place to be compliant with HIPAA Security Rule
Before we dive into details, the first thing you need to know is you need a "BAA" in place. A BAA is a Business Associate Agreement. This is a contract between you (the HIPAA-covered entity) and any company that will have access to PHI.
The BAA must outline the duties of each party, how PHI will be used, and what measures will be taken to protect it. The BAA must also stipulate that the company will not use or disclose PHI for any purpose other than providing services to the covered entity.
You can read more about BAAs and being HIPAA compliant here.
But it is critical that if you bring a 3rd party software development organization, you hired internal software developers or whomever you are picking as an infrastructure as a service provider that you have BAA in place.
In general, a BAA's and HIPAA security rule guidelines to avoid data breaches:
PHI must be stored securely
PHI must be transmitted securely
PHI must be accessed only by authorized personnel
PHI must be destroyed when no longer needed
PHI must be monitored for unauthorized access
Policies and procedures must be in place to ensure HIPAA compliance
HIPAA compliance must be monitored on an ongoing basis
Employees must be trained in HIPAA compliance
Have a remediation plan in place
3 - Is HIPAA Compliance just a checkbox?
OK, this is a tricky one. Compliance is not a binary state, it's more of a spectrum. There are different levels of compliance and it's up to you as the healthcare IT leader to decide what level is appropriate for your organization.
That's why it's important to explore the nuance of these topics with your software development and compliance teams before making decisions.
The short answer is "Yes", with proper security safeguards in place, the software can be HIPAA compliant. But it's more of a question of whether are we being willfully negligent or not. Your objective is to be as compliant as possible in the event of data breaches, and have a remediation plan in place.
4 - What is required to develop HIPAA-compliant software?
There are four main requirements healthcare providers need to take into consideration when developing HIPAA-compliant software:
The software must protect the confidentiality, integrity, and availability of PHI
The software must be implemented with security measures appropriate to the risk level
The software must be monitored on an ongoing basis
Employees must be trained on HIPAA compliance and have a remediation plan in place.
The first two requirements are known as the "security rule" and the second two requirements are known as the "privacy rule."
Let's take a closer look at each of these requirements.
But before we do, let's go through the process to get there.
5 - HIPAA Compliance Software Requirements
To begin with, not all healthcare systems and applications need to adhere to HIPAA requirements.
Which healthcare solutions don’t need to be HIPAA compliant?
Health and fitness apps
Wellness tracking
General health information websites
Personal health journals
Productivity or lifestyle apps with no health data
These are a few examples of healthcare applications that don’t need to be HIPAA-compliant. Now, there may be some cases where these excluded services could become covered entities.
For example, if an employer requires its employees to use a fitness app to track their physical activity, the app would need to be HIPAA Compliant.
Let's dig a little deeper into what PHI is, these are the 18 elements that constitute PHI:
What is PHI?
PHI stands for Protected Health Information. It is any information related to a person's health that can be used to identify them. This includes things like their name, address, date of birth, medical records, and more.
The HIPAA Privacy Rule defines 18 elements of PHI:
Name
Address (all geographic subdivisions smaller than the state, including street address, city county, and zip code)
All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
Telephone numbers
Fax number
Email address
Social Security Number
Medical record number
Health plan beneficiary number
Account number
Certificate or license number
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web URL
Internet Protocol (IP) Address
Finger or voice print
Photographic image - Photographic images are not limited to images of the face.
Any other characteristic that could uniquely identify the individual
These are just a few of the critical components that must be considered when developing software that will be handling PHI and be HIPAA compliant.
Now that we understand what is required let's take a look at how to get there.
6 - What are the implications of HIPAA Compliant Software Development?
When we talk about the implications of a software development project we must get into the phases of the project. We need to think of the most common stages where we need to make decisions that might impact our HIPAA compliance.
7 - Identifying the business need
A natural first step when embarking on a software development project is to identify what the business need is, in the HIPAA case, determine if any patient information is required.
Protected Health Information (PHI) includes name, address, birth date, Social Security number, and medical records.
If the project will not require any patient information, then you can move on to the next stage. However, if patient information is required, then you must take steps to ensure that the information is protected in accordance with HIPAA regulations.
8 - Project scoping and requirements gathering
The next stage is to scope out the project and gather requirements. This is where you will need to work closely with the business stakeholders to determine what patient information is required and how it will be used. You will also need to determine what security measures will be put in place to protect the information.
For example, if the project requires the development of a web-based application that will be used to input and store patient information, then you will need to ensure that the application is secure, and ensuring data security. This means ensuring that only authorized users can access the application and that data encryption is used on transmission as a basic precaution against data breaches.
It's also important that you don't make assumptions about what is required. Make sure that you ask the business stakeholders questions and get clarification on any requirements that are not clear, because if you make assumptions and get it wrong, then you could be held liable for any resulting HIPAA violations.
9 - Designing the architecture
The next stage is to design and architect the solution. During this stage, you'll describe the solution's major components, their relationships, and how they interact. You'll also need to consider how the solution will be deployed and hosted. This is where you will need to take into consideration the security measures that need to be put in place to protect patient information.
For example, if you are designing a database to store patient information, you will need to ensure that the database is secure. This means ensuring that only authorized users can access the database and that the data is encrypted at rest.
You'll also have to think about the infrastructure needs of the solution. For example, if you are designing a web-based application, you will need to consider where the web server will be located and how the application will be deployed. Whether you are going with a cloud-based architecture such as AWS, or an on-premises solution, you will need to ensure that the data is stored in a secure location and that the proper security measures are in place.
10 - Development Process
Whether you are building a new project or you maintain HIPAA compliance software development initiative with internal software developers or a qualified partner (such as Gistia) you'll need to take a few things into consideration:
Each developer must be aware on their part to maintain HIPAA compliance
A security professional should review architectural plans
Consider the ways the application will be used
What data will the system be processing and storing?
Are you protecting in-transit and at-rest PHI?
What encryption protocols are being implemented?
Identify what data fields are NOT necessary (if there's no need to gather a social security number, then don't)
Develop consistency in the documentation of compliance (across the board), for different types of information
Ensure compliance with application activity logs
System testing should include security and privacy controls
Monitoring must be in place for ongoing compliance efforts
Ongoing Training
Use the appropriate certificates
Beware of sending PHI on SMS/MMS as those are unencrypted
Avoid push notifications
Access user roles
Be aware of electronic health records embedded into transactional data
11 - How to Maintain HIPAA Compliance
In order to maintain HIPAA compliance long-term IT leaders need to develop a compliance program that provides not only the technical safeguards required by HIPAA but also the policies, procedures, and training necessary to ensure that all employees are aware of their responsibilities under HIPAA.
The compliance program should include:
An inventory of all systems that contain PHI
A risk analysis of all systems that contain PHI
Policies and procedures for handling PHI
Training for all employees who have access to PHI
A process for monitoring compliance
Regular audits of systems that contain PHI
Disaster recovery plans in case of a data breach
The compliance program should be reviewed on a regular basis and updated as needed to reflect changes in the law or changes to the way the organization handles PHI.
Keeping up with HIPAA compliance can be a challenge, but it's important to remember that the goal of the law is to protect the privacy of patients. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.
12 - HIPAA Developer Checklist: HIPAA Mobile App Security
When it comes to mobile applications and HIPAA compliance, developers need to take extra care to ensure that the apps they create are secure. Here is a checklist of things to consider when creating a HIPAA-compliant mobile app:
Make sure that the app is encrypted.
Use strong authentication methods, such as two-factor authentication.
Do not store PHI on the device.
Do not send PHI over unsecured channels, such as SMS or email.
Make sure that the app has a clear security policy.
Train employees on how to use the app securely.
Monitor app usage and activity logs.
Perform regular security audits of the app.
Update the app regularly to address security vulnerabilities.
Have a plan in place for what to do in case of a data breach.
By following these tips, developers can help ensure that their mobile apps are compliant with HIPAA and protect the privacy of patients.
13 - HIPAA Rules: Privacy, Security, and Breach Notifications
The Breach Notification Rule requires covered entities to provide notification following a breach of unsecured protected health information. In general, a covered entity must provide notification to affected individuals and, in some cases, the media.
The Security Rule requires covered entities to put in place safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
The Privacy Rule establishes national standards for the protection of PHI. It gives individuals the right to access and amend their health information and sets limits on who can use and disclose PHI.
14 - Which healthcare apps should comply with HIPAA rules?
HIPAA compliance is required for any healthcare app that handles PHI. This includes apps that are used for medical appointments, prescriptions, health records, and billing. In general, any app that could be used to identify a patient or collect information about their health should be compliant with HIPAA.
15 - Deploying a custom software development project on a HIPAA-compliant software environment
The final stage is to deploy the solution. This is where you will need to consider how the solution will be deployed and hosted.
There are many HIPAA compliance options out there such as on-premises, cloud-based, or a hybrid solution. We typically recommend AWS and Azure as they have ready-to-go HIPAA-compliant software environments.
And lastly, but most importantly, AWS and Azure have BAA's in place which is a requirement when handling PHI.
Conclusion
Although HIPAA compliance may seem daunting, it is important to remember that there are many resources available to help you achieve and maintain compliance. By taking the time to develop a comprehensive compliance program, you can ensure that your organization is doing everything possible to protect the PHI in your care.
Also by following the tips in this blog post and by working with a knowledgeable HIPAA consultant, you can rest assured that your practice is fully compliant with all of the HIPAA regulations. Have you had any experience with HIPAA compliance? What tips would you add?