What is HIPAA and why is it important?
HIPAA stands for the Health Insurance Portability and Accountability Act which was passed in 1996 and determines the ways that organizations in the healthcare industry can store, share, manage and record the protected health information (PHI) of patients. Any company that directly provides treatment, payment or operations in healthcare is considered a covered entity. However, if an organization, like most software companies, provides a third-party service, using PHI, to a covered entity then they would be considered a Business Associate. Under HIPAA, both covered entities and their business associates must be compliant with the law.
Complying with HIPAA is important for healthcare software companies because it will be a requirement for practices and other covered entities to choose to use and integrate that software.
Which medical software companies need to be HIPAA compliant?
Any organization that is considered a covered entity or business associate under HIPAA must be complaint. HIPAA defines business associates as being any person or entity that provides a service to a covered entity which requires the disclosure of PHI. By this definition, any software companies within the healthcare industry that store, share or simply just have access to patient’s identifiable health information, must be HIPAA compliant.
There are three main factors that determine whether or not your application will be regulated by HIPAA:
- What type of entity will use the software?
- What type of data the app will use/share/store?
- Is the software used encrypted or not?
Type of Entity
Within the law of HIPAA, there are two types of entities that are subject to comply with HIPAA:
As mentioned above, any entity that directly works with patients such as physicians, hospitals or insurance providers are considered covered entities (CEs) and need to comply with HIPAA.
When the Omnibus Rule was added to update HIPAA in 2013, it expanded the liability of the Privacy and Security Rules onto the vendors that work with covered entities as well. The second kind of entity that must be in compliance with HIPAA are the business associates (BAs) of the healthcare industry. A BA is any entity that stores, collects, processes or shares PHI on behalf of one of the covered entities. Even though the organization that develops the software may not directly see patients, if their application is used by one of these covered entities then they must comply with HIPAA as well.
Since both covered entities and their business associates are subject to the high cost of noncompliance to HIPAA, it is important that both organizations know all the steps required to be compliant. In order to properly protect PHI and comply fully with HIPAA, covered entities and their business associates must sign business associate agreements.
In addition to BAs and CEs, any subcontractors that work for the business associates must also be HIPAA compliant if they have access to any PHI from the BA who is working with a covered entity. For example, if an EMR (electronic medical record) software company is working with doctors offices then they obviously need to be HIPAA compliant. However, it is just as important that any subcontractors that the software company uses who access PHI, such as Amazon Web Services or other cloud hosting providers, are also HIPAA compliant. Just as between covered entities and their business associates, a business associate agreement should be completed between the BA and it’s subcontractor.
Type of Data
All of the rules within HIPAA, such as the Privacy and Security Rules, revolve around the type of data that must be guarded - Protected Health Information or PHI. This can easily be defined as any medical information that could identify the patient. The important difference between PHI and other medical data is that it is personally identifiable. Test results like a person’s blood sugar level or heart rate readings
PHI is created, used and shared in the process of providing healthcare services to patients. This information can appear in various forms of physical medical records, billing information or any electronic form or file. When PHI is found in an electronic file, we refer to it as ePHI but it must be encrypted and protected as carefully as physical information. Type of Software
Type of Software
The last factor that determines whether or not a medical application will be required to be HIPAA compliant is the type of technology that is used and what standards that software meets.
PHI containing software must have audit controls that are implemented. This means that the software records and tracks the activities in the system that relate to the PHI. Keeping track of this data will allow software companies to keep an eye on potential risks as well as identify important information in the event of a breach. In order to not be fined for missing this important part of medical software development, companies should conduct regular risk assessments and make sure that this aspect is functioning properly.
Next, software developers need to be sure that their application will include all the policies and procedures to prevent ePHI from being changed or destroyed. This expectation is looking to protect the integrity of the PHI that is being held. There should be checks for individuals that use the platform to change the ePHI in any way as well as automatic checks for the data’s integrity.
Finally, medical software must have certain access controls to protect who can see the information and to ensure that they are using it properly. A few of the controls that should be implemented are proof of identity for authentication, emergency access protocols and automatic timeout. Software companies must require a unique form of authentication before allowing entrance into the app where PHI is accessible. Whether that is through a fingerprint, key card or a complex password, there must be a higher level of security than a traditional app due to the type of information stored within.
Beyond the initial authentication, software developers should create a procedure through which to access the ePHI in the event of an emergency that will damage the typical point of access. The important and classified nature of this information means that there must be an emergency way to retrieve the PHI. Finally, this software should be one that includes an automatic timeout or logoff that occurs when someone has been logged in but has been inactive for a certain period of time. This automatic logoff will ensure that no unauthorized people are accessing the ePHI if the user of the computer steps away for a moment.
What Medical Software Companies Don’t Need to be HIPAA Compliant
Although it may seem like it, not every single software application that was created for the medical industry will be required to comply with HIPAA. The key question that sets apart those that fall under HIPAA and those that don’t is - does the software collect or hold protected health information that will be used by a covered entity in the course of treatment?
If the answer to that question is yes, keep reading in the next section for what steps to take to make sure that you are HIPAA compliant and protecting PHI in the proper ways.
However, if your application or software answered no to the question above then you will not be required to be compliant under HIPAA. There are certain companies that have created software that holds PHI from individuals but that is not able to be transmitted or shared with a covered entity. An example of this would be certain forms of health or wellness tracking bracelets and watches. Depending on the types of information that are being stored and the privacy with which that information is held, those applications may not need to be HIPAA compliant.
How to Become HIPAA-Compliant
Here is a short list of the minimum requirements that would make your software HIPAA compliant.
- HIPAA Rules: Comply with all aspects of the rules that make up HIPAA; the Privacy Rule, Security Rule, HITECH and the Omnibus Rule.
- Security Safeguards: The administrative, physical and technical safeguards laid out in the Security Rule should be followed.
- Transport Encryption: Any electronic health information (ePHI) must be encrypted before it is shared or disclosed.
- Backup: All ePHI should be backed up in case there is a need to recover or restore the information.
- Authorization: ePHI should be restricted so that it is only accessible to authorized personnel.
- Storage Encryption: In addition to how it is shared, ePHI should also be stored in an encrypted manner.
- Integrity: ePHI should not be available to unauthorized changes or improper destruction.
- Disposal: Once the ePHI is not needed anymore, it should be safely and permanently destroyed.
- Business Associate Agreement: As we have mentioned above, software companies that hold or share PHI must sign business associate agreements with the covered entities that they will be vendors for. Once completed, these agreements should be held on secure servers.
HIPAA regulations and laws can seem overwhelming, especially for business associates like software development companies that are less familiar with all of the rules and expectations. Luckily, Accountable exists to simplify all of the complicated aspects of being HIPAA compliant. If you are developing a software for the healthcare industry, contact us to help you walk through the compliance process. Plus why wait? It’s free to get started!