Before we get into our HIPAA Compliance Checklist, we need to take the time to define HIPAA and explain where and why it came into existence.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in the US. Primarily, its intention was to solve issues around healthcare coverage and sensitive data when people lost jobs or changed jobs.
HIPAA aims to protect private healthcare data, prevent healthcare fraud and create standards within an industry that wasn't standardized. Its rules are mandatory for covered entities and their business associates that create, receive, store or transmit protected health information, regardless of where the business is based. Ultimately, compliance protects a patient's sensitive information.
HIPAA compliant organizations must protect the following information:
Diagnoses and treatment information
Dates related to the individual (birthdays, admission/discharge dates, etc.)
Contact information (telephone numbers, email addresses)
Social security numbers
Any other identifying numbers (account numbers, health plan beneficiary numbers, vehicle identifiers and license plates, etc.)
In total, the Privacy Rule lists 18 identifiers that must be removed before data counts as de-identified under its Safe Harbor method. HIPAA protects any individually identifiable information relating to an individual and their past, present or future health.
The HIPAA Privacy Rule is a critical section of HIPAA. It defines Protected Health Information (PHI), who can access the information, when it can be used, and when authorization isn’t necessary. This rule in particular is vital information for all involved with the development of digital health.
HIPAA is becoming more and more important as technology advances. More patient data is kept electronically than ever before. As a result, PHI is being transferred between more organizations and HIPAA compliance is impacting more businesses than ever before.
Connected systems also expose patient data to phishing, stolen credentials and other intrusions. Our data needs to be protected more than ever.
Here is our HIPAA compliance checklist for developers. We outline HIPAA compliance requirements with 7 steps to keeping your digital health development safe for patients.
To understand the relevance of HIPAA compliance to your software development, you need to understand what covered entities are.
A covered entity is an organization that HIPAA applies to directly: one that creates, receives, stores or transmits protected health information (PHI) in the course of providing or paying for care. In the past, the term was thought of as applying only to health care providers, doctors' offices and hospital groups. But given how the rules are written, and with the rise of health information technology companies, the list of organizations bound by HIPAA (as covered entities or as their business associates) has grown dramatically.
Covered entities are those that are bound to follow HIPAA directly. They fall into three groups:
Health plans
Health care clearinghouses
Health care providers that transmit health information electronically in connection with standard transactions
A covered entity can be an organization or an individual. Some do not fit neatly into these three groups: a researcher, for example, might be a covered entity depending on how they use PHI.
It is also important to consider whether an organization is a Business Associate. These are not direct healthcare providers, but they handle PHI on behalf of one. For example, a business building a web application for a healthcare company that stores or processes PHI is bound by HIPAA through a business associate agreement with that company.
Consider whether your development, and organization, is a covered entity. Identify what category you fall into, and your resulting responsibilities. Ensure that you are following necessary regulations throughout your development, to protect both you and your associates.
You can't have a HIPAA compliance checklist without discussing the Security Rule. Here we will give a summary of its key elements. The HIPAA Security Rule sets the standards for safeguarding the electronic form of the PHI that the Privacy Rule protects. More specifically, the Security Rule deals with electronic PHI, or ePHI.
According to HIPAA, protected health information (PHI) needs to be secure, no matter the format. As mentioned before, the world is increasingly relying on the newest technologies, and online data. Therefore the Security Rule is a necessary subset in HIPAA regulations.
The Security Rule applies to all the same data as the HIPAA Privacy Rule. This includes any identifying information, in relation to a patient.
All covered entities need to comply with the HIPAA Security Rule. This includes health plans, health information technology companies, health care clearinghouses, health care providers, researchers, business associates and more. However, those working in the digital healthcare sector should take particular care.
As a digital healthcare developer, the Security Rule is the most relevant part. To be compliant you need to think of everything from how you build limited data sets and de-identify data, to who may access the non-anonymized data and what security controls you have in place. All of these processes must be documented as well to protect your company.
In order to develop a compliant piece of software, you need to have compliance baked into how the development team works and how the business analysts think. For example, how can a search or autocomplete field work without exposing other patients' data? What about capturing and storing billing information? All of this and more needs to be addressed and documented to protect your company.
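The Safe Harbor de-identification mentioned above (removing the 18 identifiers, building a limited data set) is mechanical enough to show in code. The following is an added example written for this article, not Vertrical's code: it drops direct identifiers, keeps only the year of any date, buckets ages over 89 as "90+", truncates ZIP codes to three digits (zeroing the prefixes HHS lists as too sparsely populated), and scrubs SSN, e-mail and phone patterns out of free text. The record field names and the sample record are assumptions constructed for the example.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example for this article (not Vertrical's code). Field names, the
sample record and the free-text patterns are assumptions for illustration.
"""
import re
from datetime import date

# Three-digit ZIP prefixes with <= 20,000 residents; Safe Harbor requires these become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers that are removed outright (assumed schema for this example).
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "mrn", "account_number",
                      "license_plate", "device_serial", "url", "ip_address", "photo"}

# Date fields: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}

# Identifier patterns that commonly leak into clinical notes (best effort, not exhaustive).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP code, or 000 for restricted areas."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_in_years(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text):
    """Replace SSN, e-mail and phone patterns in free text with placeholders."""
    for pattern, placeholder in TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record, as_of=None):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    as_of = as_of or date.today()
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            if key == "dob":
                years = age_in_years(value, as_of)
                # Ages over 89 are themselves an identifier: bucket them and drop
                # the birth year, which would otherwise reveal the age.
                out["age"] = "90+" if years >= 90 else str(years)
                if years >= 90:
                    continue
            out[key + "_year"] = value.year
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; nothing here refers to a real person.
SAMPLE_AS_OF = date(2024, 1, 1)
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "dob": date(1931, 3, 15),
    "admission_date": date(2023, 6, 2),
    "zip": "03601",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient can be reached at 555-123-4567 or jane@example.com.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=SAMPLE_AS_OF))
```

Two caveats a practitioner should keep in mind. Regex scrubbing of free text is best effort; Safe Harbor also requires that you have no actual knowledge the remaining data could identify the person, so notes fields usually need review or exclusion rather than trust in a pattern list. And a limited data set (which keeps full dates and ZIP codes) is not de-identified: it is still PHI and may only be shared under a data use agreement.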
At its heart, the Security Rule provides a group of safeguards to protect electronic PHI. These are referred to as the administrative, physical and technical safeguards.
To be HIPAA compliant, your development must be built to the Security Rule's requirements. Consider forming a Security Rule checklist. Ensure that you and your teams understand the requirements of compliance, and apply its mandates to your builds.
In an ideal world, you’ll never need to implement breach notification rules. However, it is paramount that your organization has breach processes in place.
The Breach Notification Rule outlines the process for reporting breaches of data. It also dictates what constitutes a breach under the regulations.
Once a breach is suspected, a HIPAA breach risk assessment is necessary. Familiarize yourself with this process. The risk assessment's main purpose is to determine the probability that PHI has been compromised, the extent of the breach, and how it can be mitigated.
The Breach Notification Rule mandates a specified timeline for reporting a breach. Affected individuals must be notified without unreasonable delay, and no later than 60 calendar days after the breach is discovered.
Under this rule, a notification must be sent to each individual involved. You must also report the breach to the HHS Office for Civil Rights: a breach affecting 500 or more individuals must be reported within the same 60-day window and announced to prominent media outlets serving the affected area, while smaller breaches can be logged and reported to OCR annually.
Ensure that your business is prepared for breach notification. This will allow you to mitigate the damage where possible, and ensure that all timelines are met. It's best to avoid breaches altogether, but when one does occur, the rule must be followed to avoid hefty fines.
Unfortunately, storing personal healthcare data comes with security risks. Sometimes those risks are realized, but they can be avoided. It's important to understand some of the most common HIPAA violations, in order to prevent them at your organization.
Here are examples of some of the most common types of violations:
Hacking or Phishing
Data access for unauthorized parties
Loss of devices containing PHI
Poor disposal of protected health information
One of the largest HIPAA settlements, $5.55 million, was paid by Advocate Health Care in 2016 after 2013 incidents in which unencrypted computers holding patient data were stolen.
However, many of the most common violations are due to human error. Therefore, a lot of potential violations can be avoided with the right safeguards in place.
Once you know the biggest risks for a healthcare organization, you need to implement appropriate safeguards. Data security measures can’t combat every breach, but they go a long way to prioritizing the protection of patient data.
The Security Rule dictates the following three safeguards for patient data security:
Administrative safeguards (risk analysis, policies and procedures, workforce training, and contracts with business associates)
Physical safeguards (facility access controls, workstation security, and device and media controls such as secure disposal and re-use)
Technical safeguards (access control with unique user identification, audit controls, integrity controls, person or entity authentication, and transmission security)
These safeguards describe how to protect data at every level of an organization, and the rule itself gives guidance on how to implement them.
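Three of the technical safeguards listed above (access control, audit controls and integrity) are concrete enough to show in code. The following is an added example written for this article, not Vertrical's code: a small PHI store that enforces a per-role "minimum necessary" field policy, records every access attempt (including denials) before returning data, and hash-chains the audit log so that an edited or deleted entry is detectable. The roles, field names, record data and log format are assumptions constructed for the example.

```python
"""Access control, audit controls and log integrity for a tiny PHI store.

Added example for this article (not Vertrical's code). Roles, field names,
the sample record and the log format are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Minimum-necessary policy: which record fields each role may read (assumed).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "account_number", "insurance_id"},
    "researcher": {"diagnosis", "medications"},  # no direct identifiers
}


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event,
                             "hash": self._digest(prev, event)})

    def verify(self):
        """True if no entry has been altered, removed or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


class PhiStore:
    """Records are only readable through read(), which enforces policy and logs."""

    def __init__(self, records, audit, clock=None):
        self._records = records
        self.audit = audit
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def read(self, user_id, role, patient_id, fields):
        allowed = ROLE_FIELDS.get(role, set())
        denied = sorted(set(fields) - allowed)
        ok = not denied and patient_id in self._records
        # Log before returning data, and log denials too: the audit trail must
        # show attempted access, not only successful access.
        self.audit.append({"ts": self._clock(), "user": user_id, "role": role,
                           "patient": patient_id, "fields": sorted(fields),
                           "result": "ok" if ok else "denied"})
        if not ok:
            raise PermissionError(f"{user_id} ({role}) may not read {denied or patient_id}")
        record = self._records[patient_id]
        return {f: record[f] for f in fields}


# Constructed sample data; no real patient.
SAMPLE_RECORDS = {
    "p-001": {"name": "Jane Doe", "dob": "1975-02-11", "diagnosis": "Hypertension",
              "medications": ["lisinopril"], "account_number": "AC-4471",
              "insurance_id": "INS-88"},
}


def run_demo():
    """Allowed read, denied read, log verification, then tamper detection."""
    audit = AuditLog()
    store = PhiStore(SAMPLE_RECORDS, audit, clock=lambda: "2024-01-01T00:00:00+00:00")
    view = store.read("dr.smith", "physician", "p-001", ["name", "diagnosis"])
    try:
        store.read("analyst1", "researcher", "p-001", ["name", "diagnosis"])
        leaked = True
    except PermissionError:
        leaked = False
    chain_ok = audit.verify()
    # An insider rewrites the denied entry to look like a success.
    audit.entries[1]["event"]["result"] = "ok"
    tamper_detected = not audit.verify()
    return view, leaked, chain_ok, tamper_detected


if __name__ == "__main__":
    print(run_demo())
```

The hash chain only makes the log tamper-evident if the latest hash is regularly anchored somewhere the application cannot write (write-once storage or an external log service); an attacker who can rewrite the whole file can simply recompute the chain. Encryption at rest and in transit, the other technical safeguards, are not shown here and belong in the same design.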
It’s best practice to ensure that these safeguards are met, from the beginning of development. This allows your build to run smoothly and prevents any unauthorized access. Your development can progress with compliance in mind, ultimately producing a fully HIPAA compliant solution.
As you implement your safeguards, you might notice areas where risk can be reduced further. Not all developments are the same, so tailor your compliance measures to your own system where possible.
Conducting risk assessments helps you spot potential issues in your development; the Security Rule in fact requires a documented risk analysis. An in-depth analysis of how data is handled and stored lets you scrutinize your processes and put controls in place.
First, identify your vulnerabilities. Consider what areas have the potential for a breach or violation, and why. Then, examine what practices could be put in place to mitigate the potential damage.
This should gradually build a list of best practices for all developments. Performing risk assessments regularly, as duties change, keeps your organization up to date and safe. It should also help to reduce the opportunities for human error.
Penalties and fines are the result of poor HIPAA compliance. Your primary priority should be the safety of patient data. Ultimately, the patients are the ones that lose when their data is mishandled or their privacy is breached.
However, it is also critical to avoid the large fines that come with a HIPAA violation. Civil penalties are tiered by culpability and can reach $50,000 per violation (adjusted annually for inflation), with an annual cap per violated provision of over $1.5 million; knowing misuse of PHI can also bring criminal charges. The severity of the penalty depends on the severity of the violation. Typically, the following are assessed:
Level of malicious intent
Degree of negligence
Breach or no breach
Quantity of exposure
It’s important that all developers and managers within the organization understand the damage potential for a HIPAA violation. Trust is difficult to build, even more so after a violation of personal data.
Development teams in the healthcare industry rely on trust for further projects. Communicate the risks associated with not prioritizing HIPAA regulations. Each member of the organization needs to be on the same page, and work together to ensure strict compliance.
This HIPAA Compliance Checklist doesn’t touch on all of the points developers need to keep in mind but we hope it’s been helpful in giving you some high-level points.
At Vertrical, we understand HIPAA and its effects on development teams. We have experts in development and compliance, to ensure your next project is built with patient safety in mind.