It seems like everybody knows that following HIPAA compliance software requirements is crucial for all covered entities (organizations regulated by HIPAA legislation). However, Anthem, the largest insurance market player in the US, learned it the hard way. They had to pay $115 million for settlement and invest $260 million more into upgrading their cybersecurity infrastructure.
All this happened after a seemingly simple phishing email resulted in the biggest PHI data breach in US history, with nearly 80 million health data records compromised.
You’d definitely want to avoid such an outcome if you’re a business that needs to be HIPAA compliant (if you store, process, or transmit patients’ Personal Health Information). And the only way to achieve this is by meeting data security requirements when designing and building your HIPAA compliant software. You’d also definitely want to get all the requirements straight and avoid non-compliance fines, which can amount to up to $50,000 per case.
Read on to learn the basics of HIPAA compliant software development, the best practices to use when developing a HIPAA compliant app, and the steps you can take to check every box in the HIPAA compliance software checklist.
Let’s take it from the top.
What does HIPAA compliant software mean?
Based on the definition from CDC (Centers for Disease Control and Prevention):
“HIPAA, or Health Insurance Portability and Accountability Act of 1996 introduced strict standards and requirements for healthcare providers regarding handling patients’ Personal Health Information or PHI. Mainly, PHI cannot be disclosed without the patient’s express consent or knowledge.”
The HIPAA Privacy Rule introduced by the US Department of Health and Human Services helped implement these requirements, and the Security Rule lists the HIPAA compliance software requirements for protecting the PHI. These standards cover quite a wide range of business activities and software products, like EHR or Electronic Health Record systems or medical billing software.
Software types that require HIPAA compliance
Basically, any type of software that handles PHI must comply with HIPAA. This even includes healthcare clearinghouses, which simply process insurance claims before routing them to appropriate providers.
This way, if you develop billing software, software for hospital staff, telemedicine & remote access software, laboratory and practice CRM software, or even backup & database software dealing with data transfer and exchange of PHI, your products should be HIPAA compliant.
Failure to comply with the requirements will result in fines of varying severity, based on the violation conditions:
Violation degree | Violation fine |
---|---|
The covered entity was unaware of the violation/data security breach and couldn’t have known of it. | $100-$50,000 (not applied if resolved within 30 days) |
The covered entity knew of the violation, but the breach happened due to a reasonable cause | $1,000 - $50,000 (not applied if resolved within 30 days) |
Wilful and conscious neglect of HIPAA standards | $10,000 - $50,000 (even if resolved in under 30 days) |
Wilful and conscious neglect of HIPAA standards (not resolved in under 30 days) | $50,000 |
As you can see, the lump sum of fines can rack up rapidly if there are multiple violations that aren’t resolved quickly enough. So make sure the healthcare software you’re developing meets all compliance requirements.
HIPAA compliance software requirements
Let’s get straight to business. Here are the five major aspects of HIPAA compliance you must meet to avoid violation fees:
Privacy Rule
Enacted in 2003, the HIPAA Privacy Rule applies to all business entities associated with the healthcare industry. It dictates the limits to PHI collection, along with the conditions of storage and disclosure. Under this law, the patient has full right to request copying, updating, or deleting their PHI stored with any healthcare provider. Such a request should be granted within 30 days after receiving it.
Covered entities should devote all applicable effort to maintain the integrity and security of PHI stored with them. And they should train their staff to follow the HIPAA Privacy Rule requirements to the letter. If there’s a need to disclose a patient’s PHI data to any third party, a proper NPP or Notice of Privacy Practices should be obtained from the patient first.
Security Rule
This rule demands that any entity with access to PHI should ensure its security at rest or in transit. Access is interpreted as the means required to read, write, modify or transmit the PHI of any person. To ensure the access is secure, you must deploy Administrative, Technical and Physical safeguards for PHI data:
- Administrative safeguard includes strict access control, limiting the PHI exposure to the absolutely required minimum, as well as other policies and procedures you must enact to ensure your staff follow HIPAA rules. Periodical auditing from the Office of Civil Rights (OCR) is mandatory to ensure continuous compliance for your healthcare operations.
- Technical safeguard includes various software development and management best practices we will cover in more detail later.
- Physical safeguard relates to protecting the servers your software runs on. In the age of cloud-based HIPAA software development, this aspect is mostly handled by your cloud hosting provider.
Enforcement Rule
This HIPAA aspect oversees the non-compliance fees listed earlier. The lump sum of fines can not go above $1,500,000 per violation category per year, but in case of a data breach due to the willful neglect of requirements, you can also be held liable for the consequences, and the affected individuals can file Civil Court lawsuits against you.
Breach Notification Rule
This HIPAA aspect demands you to report any PHI data breach that occurs via the OCR portal and publicly acknowledge the situation. The public acknowledgment must contain the following information:
- What PHI was compromised
- Who performed the breach and to whom the data was disclosed, if identified
- Did the perpetrator just view the PHI or copy it, if identified
- List of the measures taken to mitigate the damage sustained
Such an announcement should be made no more than 60 days past the breach. In addition, the covered entity must inform every patient affected by the breach and advise them on the best course of action to take to stay out of harm (change the passwords to their accounts, etc.).
Omnibus Rule
This HIPAA aspect was introduced more recently, largely in response to the changing technological landscape, new business models appearing, and the introduction of the HITECH Act.
All third-party entities like subcontractors doing business with a healthcare organization and having potential access to PHI are now identified as Business Associates and have to enforce the same degree of PHI safeguard as they are held equally liable for potential violations of Privacy, Security, Enforcement and Breach Notification Rules.
The five main changes coming under the Omnibus rule are:
- Introduction of updates and amendments required by the HITECH Act
- Introduction of multi-tiered money penalties for HIPAA violations in accordance with the HITECH Act requirements
- Adjustment of the harm threshold and addition of the final rule for disclosure of unsecured ePHI according to the updates under the HITECH Act
- HIPAA modification to reflect the requirements of the Genetic Information Nondisclosure Act (GINA) to prevent disclosing genetic information
- Prohibition to use personal genetic identifiers and PHI for marketing goals
Phew! That was quite a slog to wade through, but this shows you the seriousness of HIPAA compliance and the consequences of violating these demands. Now, how can you follow the standards and implement them while developing software? Let’s take a look at the HIPAA compliance software checklist.
HIPAA compliance checklist for software development
Fortunately, these rules were made to be followed, not broken, and there are many approaches you can follow to ensure you’re developing a HIPAA compliant app.
Role-based admin access control
Only a single admin role can exist in a HIPAA compliant app and grant access to other users. All the rights and permissions should be assigned during the first authorization according to the Role-Based Access Control model or RBAC. This provides OCR audit transparency and logging consistency and is the indisputable cornerstone of HIPAA compliance.
Secure user authorization
User authorization should require proper authentication with login and password verification. The personnel using the software should undergo extensive training in following HIPAA policies.
Authorization monitoring
Combining RBAC with authorization levels allows you to make sure every system role gets access only to the minimal information required to do their job. This way, a doctor knows more about the patient than a receptionist, and so on.
Data storage and backups
The best way to minimize the possibility of losing sensitive data is to simply not store it. Collect and process only the data actually needed to deliver the healthcare services. While the home address can be necessary for billing purposes, the date of birth is not.
Don’t make backups of non-critical sensitive data to minimize the risk of them being compromised. At the same time, key sensitive PHI and business-critical data (and its backups) should be stored only on encrypted cloud environments or on the servers that meet HIPAA encryption standards.
Breach remediation plan
This procedure should become a result of the very first self-audit performed by the organization using your custom HIPAA compliant software. It should outline the actions required to detect the data breach, assess its scope, close the breach and mitigate the consequences. Integrate this plan while designing and developing a HIPAA compliant app, so your customers can check their breach remediation procedures, update and adjust them as needed.
Emergency override
Sometimes, a life-threatening situation might demand a healthcare professional to access all the available PHI, regardless of their authorization level. Such an emergency override must be implemented, but each case of its use should require proper post-action validation.
Automated log-out
To prevent potential data leaks and PHI disclosure from unattended user sessions, implement automated log-out after a specific period of inactivity. Forcing a user to re-login after a coffee break is much simpler than paying millions in lawsuit settlements.
Data encryption
As the HIPAA definition directly demands, all the PHI you have access to should be encrypted at rest and in transit to minimize the risk of exposure. Ensure your network connection requires strong TLS certificates, and no sensitive details are ever stored in plain text in your databases.
This list is non-exhaustive, as the particular nuances of HIPAA software development rely on your business domain and product niche. However, offering secure user authentication, data processing and storage are among the top priorities. Speaking of which, a database is a critical component of every software. So let’s focus on that.
HIPAA compliant database design
As many HIPAA requirements concern data storage, processing, and data transfer, the database your product uses must also be fully compliant. Here’s what this means:
- Continuous data encryption. All the health data your application will process must be encrypted at all times — at rest in the file system, in transit between application and database layers, or between database components/instances.
- Appropriate management of encryption keys. This covers encryption keys, HMAC keys, and initialization vectors.
- Secret data stores. If possible, infrastructure subsystems involved in storing your encrypted health data should provide no access or knowledge regarding the nature of the information stored.
- Unique IDs for every user. As per HIPAA requirements, every user in your database should be assigned a unique ID, and sharing credentials is strictly prohibited.
- Secure authentication. The database should support secure user authentication.
- Authorization. PHI access should occur only under different (and properly configured) roles, with appropriate access rights and permissions.
- Logs audit. All user activity, including logins, data reads, writes, and edits, must be logged in a standalone infrastructure and stored for up to six years to enable independent HIPAA compliance audits.
- Database backups. The backup process must be appropriately configured so the data is regularly backed up, tested for integrity, encrypted, and securely stored. Keep in mind, if all your data is securely encrypted, you should NOT report a data breach or compromise possibility under the current edition of the HIPAA Breach Reporting Rule.
- Infrastructure compliance. Databases should reside within the boundaries of the HIPAA compliant dedicated or cloud infrastructure.
- Support. The staff providing technical support for PHI-related database issues should be well-trained in HIPAA compliance policies and requirements.
- Automated updates. Your database infrastructure should support “hot updates” without database reboot and a possibility to lose data while also ensuring security due to running the latest stable software versions.
- PHI disposal. Once the health data is no longer needed, it must be disposed of according to the newest NIST recommendations and best practices.
- Business associates. According to the latest HIPAA/HITECH edition, all parties who will use this database to handle PHI must sign contractual agreements before this database, and any PHI within it is available to them.
As you can see, these requirements make perfect sense and should definitely be implemented when you’re developing software. But what if your software has already been developed?
How to make your existing software HIPAA compliant
The correct answer to this question is: by making your organization HIPAA compliant as a whole. Here is the six-step process for achieving this:
- All HIPAA-covered entities must perform regular self-audits according to a specific checklist to provide an in-depth analysis of the current compliance landscape, possible risks, and improvements. The software you (plan) to use must provide the possibility to generate and manage said reports.
- Once you have the analysis of compliance vulnerabilities in place, you should prepare a Redemption Plan to correct these flaws. This might require the replacement of some systems or custom modifications to others to ensure PHI data security. Your software must allow creating and monitoring the progress of such plans based on the results of the self-audit reports.
- Appoint a HIPAA Compliance Officer. No software can help if people fail to follow HIPAA policies. Training your personnel is key to ensuring compliance, and the software should support the process of overseeing such training for every user role.
- Implement secure document storage and management so your staff is ready and able to access any information during an unexpected audit. Training your staff in secure document management routines is a good business practice in any case.
- Form Business Associates Agreements with all your partners who can have access to patients’ PHI. HIPAA custom software development should allow your customers to easily prepare, adjust and sign such BAAs when needed.
- Implement incident management features. Your software should provide a built-in incident reporting and tracking system to deliver a clear view of your daily HIPAA compliance issues. Automated breach alerting, ticket creation, and OCR notifications can help avoid unwanted fines.
While all of this sounds logical enough, updating the hospital management software you use or developing a HIPAA compliant app from scratch can be a tough call without relevant expertise. This is why the best way to stay on the safe side is to hire HIPAA compliant software developers.
Hiring HIPAA compliant software developers to improve Time To Market
If you want your custom HIPAA compliant software development to run smoothly, it’s best to consult a reputed healthcare software development company. This way, you will get instant access to the experts who will have ready solutions for the challenges you might face, saving you lots of time and money in the long run. If that doesn’t improve your time to market, we don’t know what will.
How do you choose a company like that? The best way would be to look for relevant expertise, good customer feedback, independent reviews on various rating platforms, a portfolio of successful projects… and simply talk to the team to see if they can understand your needs.
Acropolium experience
Acropolium has more than 11 years of expertise in healthcare software development. Over this time span, we delivered 32 enterprise-grade solutions and completed 68 consulting projects. We take pride in supporting many of our projects for 7+ years on average. If you’d like to see us in action, read our case studies on SaaS development of a biotech enterprise-grade RDM and quality control platform or HIPAA compliant medical app development. And we’d love to give you more detail on how our team delivers HIPAA compliant software the right way!
Summing it up
HIPAA compliance is the cornerstone of successful and secure business operations in the healthcare industry. Failure to comply can result in huge fines, lawsuits, and reputational losses. This is why ensuring HIPAA compliance should be one of the main priorities when you’re building custom medical apps.
Acropolium provides HIPAA compliant software development for startups, enterprises, and software vendors alike. So if you need to bridge the skill gap and shorten the time to market of your future software products, don’t hesitate to get in touch.