The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was initially created to make patients’ and medical professionals’ lives easier. However, the ever-increasing digitization of medical services called for a stronger focus on protected health information (PHI) security. Healthcare providers accounted for nearly 78% of data breaches in 2019, and the number of leaks increases year to year. With fines exceeding $1 million for every breach, creating HIPAA-compliant apps is not just good business practice but a necessity for startups and healthcare incumbents.
To help you make sense of the HIPAA intricacies, today, we’ll answer three critical questions.
Does My App Fall Under HIPAA?
First, let’s go over what constitutes PHI.
The notion comprises personal identifiers and health information. The full list of 18 HIPAA identifiers is quite extensive and includes everything from a patient’s name and phone number to IP address, voice, and fingerprints. Health information covers every piece of data on a patient’s electronic health record (EHR), treatment, hospital stay duration, lab test or imaging results, and more.
Must your app be HIPAA-compliant? It must, if:
- you collect any type of PHI from the users;
- you store PHI on the app’s servers;
- you transmit third-party PHI through the app.
Any one of these PHI-handling activities brings the app under the terms of HIPAA.
What Are HIPAA Requirements?
HIPAA comes with 18 standards divided into three categories that cover administrative, physical and technical concerns. Administrative requirements deal with workforce security, documentation, security breach procedures, staff training, and more. Physical standards describe workstation use and security requirements, facility access, and access controls. Technical standards cover data security, including access and audit controls, integrity, authentication, and transmission security.
While app developers have little influence on physical and administrative standards compliance, we must implement technical safeguards. They fall into two categories: required and addressable. Both are compulsory, but addressable standards are more flexible and provide you with different implementation options. However, the final choices for addressable issues should pass risk assessment and be well documented.
Where Should I Start with HIPAA Compliance?
This post can't cover every HIPAA requirement, and the sheer number of them will make your head spin. So instead, let's focus on a few key considerations:
- Data encryption. Encryption in transit is a must for PHI transmission, and so is encryption at rest, alongside the other security controls described here.
- Authentication. Two-factor authentication that combines a password with a second means of identity verification has become the industry standard; the second factor can be biometric authentication or one-time passwords.
- Audit controls. Any app dealing with PHI must keep a detailed activity log that records every attempt to access, edit, or transfer data, whether it succeeds or not.
- Emergency access procedures. Getting access to PHI during a medical emergency can mean the difference between life and death, so you need to design dedicated user scenarios that give medical professionals one-time access to a patient's data.
- Data disposal. Once the data becomes obsolete, you need to have a secure and reliable way to get rid of backups and archived PHI and decryption keys to prevent unauthorized access.
- Automatic logout. Though this standard falls under the addressable category, you need a way to ensure all app users are logged out of their accounts after a set period of inactivity (usually under 5 minutes). This precaution may annoy end-users, but it is also a sure way to prevent unauthorized parties from using an unattended, still-open session to reach PHI.
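The three session-related safeguards above (audit controls, emergency access, automatic logout) are easiest to see together in code. The following is an added example written for this post, not Freshcode's or any library's code: a hypothetical in-memory gateway in front of a PHI store in which every access attempt is logged whatever its outcome, idle sessions are logged out after the 5-minute limit, and break-glass emergency grants are single-use. The `PhiGateway` class, the `care_team` mapping, and the record and user names are all constructed for the example.

```python
import time

INACTIVITY_LIMIT = 300  # seconds: automatic logout after 5 minutes without activity

class PhiGateway:  # hypothetical gateway in front of a PHI store; not a real library
    def __init__(self, care_team, clock=time.time):
        self.care_team = care_team   # record id -> set of users normally allowed to read it
        self.clock = clock           # injectable clock so the inactivity rule can be tested
        self.sessions = {}           # session id -> {"user", "last_seen", "emergency"}
        self.audit = []              # append-only log of every attempt, allowed or denied

    def _log(self, user, action, record_id, outcome):
        self.audit.append((self.clock(), user, action, record_id, outcome))

    def login(self, session_id, user):
        self.sessions[session_id] = {"user": user, "last_seen": self.clock(), "emergency": set()}
        self._log(user, "login", None, "ok")

    def grant_emergency(self, session_id, record_id, reason):
        s = self.sessions[session_id]  # break-glass: one-time access to one record, with reason
        s["emergency"].add(record_id)
        self._log(s["user"], "emergency-grant", record_id, "ok:" + reason)

    def _live_session(self, session_id, action, record_id):
        s = self.sessions.get(session_id)
        if s is None:
            self._log("<no-session>", action, record_id, "denied")
            return None
        now = self.clock()
        if now - s["last_seen"] > INACTIVITY_LIMIT:
            del self.sessions[session_id]  # automatic logout of the idle session
            self._log(s["user"], action, record_id, "denied:auto-logout")
            return None
        s["last_seen"] = now
        return s

    def read(self, session_id, record_id):
        # Returns True if the read is allowed; every outcome lands in the audit log.
        s = self._live_session(session_id, "read", record_id)
        if s is None:
            return False
        if s["user"] in self.care_team.get(record_id, set()):
            self._log(s["user"], "read", record_id, "ok")
            return True
        if record_id in s["emergency"]:
            s["emergency"].discard(record_id)  # single use: consumed on first read
            self._log(s["user"], "read", record_id, "ok:emergency")
            return True
        self._log(s["user"], "read", record_id, "denied")
        return False
```

In a real deployment the audit list would be an append-only store that the app itself cannot rewrite, and the session state would live server-side rather than in a dictionary.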
The full list of HIPAA requirements hinges on the type of HealthTech app you’re working on, though we’ve tried to include every critical point to get you started on the right track. Reach out to Freshcode experts for a consultation on specific ways to make your app HIPAA-compliant.