Healthcare startups and software companies wanting to enter the healthcare industry have to remember about HIPAA compliance regulations, especially if the application is targeted for users of the USA. HIPAA rules are enforced by law and those companies that fail to comply with requirements for security and privacy of data can be fined with tremendous penalties. Fortunately, there is plenty of open source information, training, webinars and guides from Compliancy Group, the Department of Health and Human Services that govern the regulations globally.
Electronic medical records are targeted more often by hackers than credit cards and banking systems. Hackers’ malicious actions are usually very planned, intentional, and "jewelry" work. In an attempt to steal ePHI they use a combination of technical and social engineering methods, managing to crack systems within hours and user-generated passwords within minutes. Why do hackers deliberately hunt for medical records?
Electronic protected health information is deeply personal, confidential, unique and often can not be restored. It is used for lucrative hacker schemes, blackmailing, and demanding ransoms. Hackers can obtain loans, get free medical insurance, and request treatment or drugs on behalf of patients, using their stolen identities. Fraudsters can receive refunding for treatment that has never been provided, make protected health information public, cause information wars, and serve as spies causing international political issues. Medical systems that are less protected than banking systems can also contain payment card information, one more tidbit for crackers.
Acronym for HIPAA is the Health Insurance Portability and Accountability Act that governs two critical branches — the HIPAA Privacy and Security Rules for use and disclosure of Protected Health Information or just PHI. The information consisting of pictures of scanned organs, medical voice records, analysis tests, diagnoses, addresses, geolocation of patients is defined as one that should be thoroughly protected not to allow fraudulent actions and unpredictable consequences of disclosing data to the public.
HIPAA rules were originally enacted in 1996 in the USA and signed under the key objective to protect waste, fraud, and abuse of protected health information, at the same time modernizing healthcare services. Interestingly, the evolution of electronic records started in 1972, when the first electronic medical system was developed. Although being very expensive, such systems offered vast opportunities for governments and hospitals. In the 1990s with the emergence of the Internet, more affordable prices for the first PCs, popularity and demand for healthcare systems increased, though they certainly were much more simple than today's. So, dynamic and growing technologies in Healthcare caused a need for creating a plan (which is HIPAA itself) on how to moderate risks connected with personal health information.
The Act defines a category of Covered entities and Business Associates that must apply to the standards. Business Associates can be law office, software company or IT consultant, accounting services and companies that build hardware medical devices, who cooperate with healthcare providers and have direct access to ePHI. These are also companies that provide data storage solutions and all their subcontractors.
Covered entities include healthcare providers which are doctors, dentists, clinics, pharmacies, nursing homes and more on the list if they have access to electronic medical data. The second category are Health Plans which are health insurance companies, government medical programs or health maintenance organization (HMO). The last category include healthcare clearing houses.
HIPAA requirements for software providers take effect if a software company deals with a solution that reveals, collects, and processes personal identifiers of patients. To understand what is PHI exactly there are 18 defined features of PHI. If any application uses at least one of the indicated features, it automatically should apply to HIPAA requirements.
Usually developing healthcare applications is executed on behalf of a covered entity that provides services in accordance with HIPAA and knows in what way to cooperate with developers to make the solution fully compliant. In general, software engineers have to help eliminate the risks associated with privacy and security of electronic protected health information, ensuring appropriate transmitting, messaging and data storage solutions.
The example of experience we had in the Healthcare industry was a cooperation with an Israel emotion-recognition startup Beyond Verbal. For the application collecting and analyzing patients' voice records, building an elaborate business logic was a key to success. The developing process was based on their sharing of practical knowledge of HIPAA rules with us and our technical expertise on how to implement it properly, on time and in a cost-effective manner.
However, how and when software companies should regard the HIPAA compliance software checklist is circumstance-framed. Ambiguity around HIPAA requirements puts a lot of companies in a deadlock. That’s why there was an initiative to discuss cases when software developers, especially those who independently create healthcare solutions, can ask their questions and clarify with experts obscure situations to avoid penalties. Practical use cases and the possibility to discuss your scenario are displayed on the page Healthcare app developers, what are your questions.
When your application becomes HIPAA compliant and when it does not? When do you become a BA (Business Associate) of a medical provider and when not?
Imagine 100 patients install your mobile application and input the information regarding their emotions, diet balance and the number of heartbeats, and more. The application was made at the request of some clinic, indeed your client. Additionally, they decided to connect the application with local EHR system and all the data would automatically be transferred and incorporated in the EHR. As a result, patients receive consultations from specialists and use messaging tools to share files and communicate with doctors. You would have to implement cloud solutions, ensure secure authentication and configuration of the system having direct access to ePHI. In such a case, you as a healthcare developer become a business partner of a medical provider. By signing a contract with your covered entity, you are responsible for creating all conditions of safe sharing, processing, and storing the ePHI. To understand when you're responsible for ePHI and when you are not depending on how your healthcare application is used you can look at the App Use Scenarios and the HIPAA.
The development and usage of devices and applications that contain ePHI should comply with physical, technical, and administrative safeguards. From the side of software development companies, applications for medical institutions should thoroughly cover HIPAA compliance and be checked through the HIPAA compliance check list 2019-2020. Summarizing the checklist items, the solution containing ePHI should:
Privacy rules mean that patients have the right to examine and watch their information on the condition that access to data is authorized. From 2013, the HIPAA privacy rule applies to business associates of covered entities. From the side of business structures, it is important to provide all necessary tools and possibilities to maintain the integrity of ePHI, to create procedures of how it would be tracked if any alterations happen. The Privacy rule that can be found at the website of Health Information Privacy also means that patients have to receive electronic copies of their personal health information by request within 30 days.
The Security Rules govern how ePHI should be appropriately used, kept, and transmitted and what are the ways to ensure the protection, confidentiality, and security of data. Because reasons for violations of the security can be different, special safeguards are serving as guides to understanding all levels of security management process:
While HIPAA Privacy rules refer to PHI integrity and correct on-time disclosure to legal patients, the HIPAA Security Rule - to the protection of electronic PHI that is stored and transmitted by digital devices and across networks. Besides, you’ll meet Addressable safeguards that presuppose a certain amount of flexibility for covered entities and business associates who can develop alternative ways to cover the safeguard rules on condition each and every alternative is properly documented.
Physical safeguards focus on controlling physical access to data, monitoring location, and devices. Workplaces have some restrictions in use and have to guarantee the safe surroundings of devices on which sensitive data is kept. Physical and technical safeguards regulate the use of ePHI on hardware and software and if any device is moved, it should be inventoried and data should be copied.
Covered entities must notify the Department of Health and Human Services of breaches that affect protected health information of more than 500 people. As an example, cases of breaches of Australian databases were immediately disclosed to the media, and the necessary procedure was conducted to inform each patient of the emergency. Among people whose information was stolen were officials and people holding government positions. Clearly, presenting such a notification needs evaluating the system by software engineers and their help to understand how and when unauthorized access happened, whether data was acquired or viewed, and what risk mitigation measures were.
The rule amends and updates regulations, establishing a better understanding of terms Business Associates, Workforce, and Covered entities. According to the Omnibus Rule, covered entities have to sign contracts before the cooperation with BA. If you are sharing PHI with a covered entity, then as a developer you are required to sign a Business Associate Agreement that validates permissible uses of PHI. In all other cases, when you don’t have access to ePHI, you are not BA. Old signed agreements are to be renewed. Updated Privacy Policies, fundraising, research, and marketing of ePHI as well as training staff can be done according to Omnibus regulations.
The rule governs the penalties imposed for responsible sides who failed to comply with HIPAA regulations and dictates procedures for the investigation of the breaches. The number of records at risk, category, level of ignorance is measured for defining penalties. The maximum fine can reach 1.5 million dollars, while the minimum one, which is a violation based on ignorance of the responsible side, starts at 100$. By HIPAA journal, the most common violations are the next:
Returning to the Security Rule, in terms of its technical safeguard software developers together with healthcare institutions should develop perfect business logic for the software so that it complies with regulations. Technical safeguards presuppose that electronic data that travels across servers and networks, should be protected and access authorized. This safeguard can be carried out on condition ePHI is encrypted according to NIST standards.
HIPAA Password requirements are addressable safeguards. It means they should be necessarily implemented, but there are alternatives allowed only if all of them are documented. That’s how HIPAA states the definition “implement one or more alternative security measures to accomplish the same purpose.” Recommendations on passwords:
The HIPAA requirements also demand to establish policies to control and govern data disclosure in emergencies.
It is essential to know by whom data was altered, as well as to track the geolocation of employees. In terms of access management, the effective way to implement it is monitoring log-on activities and restricting access when employees change job positions. Users are often provided with the possibility for VPN (Virtual Private Network) connection and automatic downloads are not allowed.
Downloadable HIPAA compliance checklist puts 6 required annual Audits as the first question to understand whether your organization is HIPAA compliant. Audit Controls in terms of network management helps to monitor user access on a network and provide administrators with notifications if suspicious activity occurs. Audit controls help to register each and every attempt to access the patient data and quickly detect inside breaches.
Remember to facilitate automatic log-outs after a defined period. Imagine some personnel working with a solution and presuming they may leave it unattended because of external conditions. To make sure, data is not disclosed or seen by anybody else, the system will ask to relog due to session expired. Returning to our experience with Beyond Verbal, Inoxoft engineers developed a system that automatically deletes an installed application after necessary surveys were filled by patients.
There are tools like BitLocker for Windows or FileValut for Mac OS that help to encrypt hard drives containing PHI and software solutions like TrueVault and Aptible help safely store protected data. Security management process includes the usage of data loss prevention software and IP protection. Besides, make sure HTTPS, that encrypts data with SSL/TLS and transforms PHI into unreadable for hackers lines of information, is implemented whenever login, password forms are filled and sent. Cybersecurity Policies also concern data visibility control to track how patient data is used, how much time personnel spend accessing databases on clouds, networks and endpoints. The developed NIST Cybersecurity Framework will help you to prevent data breaches, and detect and respond to attacks in a HIPAA compliant manner when attacks do occur.
Depending on how email is being used, the rules differ. When sending an email internally, using an organization’s internal network, it is not necessary to use encryption. However, when sending external emails, which pass through a third-party server, encryption is recommended. Encryption is the most effective way to secure PHI as it scrambles data, making it unreadable without a decryption key.
Data encryption is an effective way to minimize risks during loses, theft, or when ePHI is moving across open networks. Encrypted data is ciphertext, which is a plain text of encryption, unreadable for machines and people without a cipher, an algorithm that converts step-by-step information into code. Data encryption is also possible on networks not allowing hackers to intrude.
The common solution for restoring patient data are backups. Administrative safeguards demand healthcare organizations to assess possible risks and attacks against ePHI and regularly conduct simulation attacks to understand whether a contingency plan works well enough to restore lost data.
HIPAA requirements do not restrict software developers in using particular cloud services for storing ePHI. However, HIPAA Journal explains in what way covered entities and developers can rely on beneficial cloud services and whether all of the cloud providers are HIPAA compliant.
Microsoft cloud services are used widely, so the arising question is whether Azure is HIPAA compliant. Would not there be any violations on the side of covered entities using Azure for PHI? The truth is, HIPAA compliance is achieved under 2 conditions:
Azure supports HIPAA compliance regulations and provides secure hosting for data, necessary encryption, VPN connections, possibilities for great access controls, and setting permissions who can access the data and monitoring accesses and alterations with data.
In general, Azure does meet HIPAA compliance, however covered entities have to understand and ensure that all safeguards are covered and staff is appropriately trained on the use of the service. To note, Microsoft teams will not be charged and do not accept responsibility for violations caused by the inappropriate application of its services.