Digital technology has made compliance with the Health Insurance Portability and Accountability Act, or HIPAA, a bit more involved for health care companies and providers.
Anyone who has visited a doctor’s office knows the drill – patients are asked to sign a form acknowledging they understand the HIPAA law and the privacy of their information under the law. Most patients likely skim the form and don’t fully understand the ins and outs of the law as it pertains to their health information, but for providers, it’s a different story. Compliance is critical, and even more so today as health information is shared and made accessible on digital platforms, introducing security threats that didn’t exist in 1996 when the law was first enacted.
A quick note on why you can trust us: We’ve spent the past decade building HIPAA-compliant mobile apps, doctor-facing dashboards and websites for both leading health organizations like Massachusetts General Hospital and Brigham & Women’s Hospital as well as rapidly scaling startups like Firefly Health.
Privacy Rule: This rule defines what constitutes Protected Health Information, or PHI, and governs how it is handled by covered entities such as health plans, health insurers, and health care providers like hospitals, practices, or clinics. PHI is individually identifiable health information: details of a person’s health, treatment, or payment history combined with identifiers such as a name or social security number. PHI is narrower than personally identifiable information (PII) in general; a name or social security number on its own is PII, but it becomes PHI when a covered entity or its business associate holds it together with health or payment information. The Privacy Rule also regulates who can use this information and what they can do with it.
Security Rule: This rule specifically regulates electronic PHI (ePHI) and requires safeguards in three categories: administrative, physical, and technical.
Broadly, compliance with the HIPAA rules, which covered entities were required to meet beginning in 2003 (the Privacy Rule compliance date; the Security Rule followed in 2005), gives patients more control over their health information by placing greater requirements on health care entities, including:
Assessing and managing risk to the security of PHI is the core of becoming HIPAA-compliant. The law treats patient data as a special class of data that requires special protections, and every business that handles it is responsible for assessing and managing the risks to that data to the standard the law sets. HIPAA is a way for your business to protect both yourself and your customers.
Because there is so much variability in the types of companies that need to be HIPAA-compliant, the US Department of Health & Human Services (HHS) publishes guidance on the objectives of a HIPAA risk analysis rather than a specific checklist.
The HHS suggests that companies should aim to do the following when assessing HIPAA risk:
Finally, all of the above should be documented, and action items should be assigned to mitigate each identified risk. HHS does not prescribe a fixed interval for repeating the analysis; it expects the process to be ongoing and updated whenever your systems, vendors, or threat environment change. Reviewing at least annually is a reasonable baseline, but the right cadence depends on the specifics of your company.
After HIPAA compliance went into effect, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expanded the regulations covering electronic health records, adding breach-notification requirements and making business associates directly liable for Security Rule compliance.
In 2020, however, the words “electronic” and “computerized” don’t accurately describe the vast digital landscape now holding personal information of all kinds, including health records.
In a recent article, we detailed the way mHealth, or mobile health, apps are changing the face of the doctor-patient relationship by expanding the ways patients can communicate with their health care providers and stay in control of their health.
But it’s not just patient apps that fall under scrutiny here. Health care providers use in-house medical software applications to store patient information, and those systems are just as susceptible to security threats and breaches.
For these apps, for cloud data storage, and even for websites, HIPAA becomes critically important to uphold the confidentiality and integrity of PHI and the spirit of the law as it was originally passed all those years ago.
In the case of mHealth apps, whether HIPAA applies depends on who offers the app and where its data goes, not on the technology itself. A mobile app that a patient chooses and uses on their own to manage and monitor their own health information is not subject to HIPAA, because the app developer is neither a covered entity nor a business associate.
However, a line is drawn in the sand as soon as the app is offered by, or on behalf of, a health care provider or health plan, or the information in it is intended to be shared with one. That data is then Protected Health Information (PHI) and HIPAA compliance applies. The same is true of in-house medical software applications that make patient data visible and accessible to multiple providers.
HIPAAJournal notes that there are still more exceptions for certain apps – for example, a digital heart monitor that is collecting a patient’s cardiac activity over a period of time. While that app is technically for personal use, the data is being shared with an outside entity, and therefore falls under HIPAA compliance.
HIPAA compliance starts by understanding the compliance requirements under HIPAA, as we detailed above, and determining some vital aspects of how your application is going to be used:
It’s important to use a technical developer like ADK Group that understands the administrative, technical, and physical safeguards required by the HIPAA Security Rule, and what’s required from a hosting solution in order for an application to meet those safeguards.
Everything is in the cloud today. It’s a great backup solution and allows more data to be stored and accessed faster and more easily.
But like digital applications, the cloud is susceptible to security risks, and protecting health information stored in the cloud is a key component of HIPAA compliance.
Cloud Service Providers, or CSPs, that store or process ePHI on your behalf are business associates under HIPAA and carry their own compliance obligations, even if your health organization is already compliant.
Under the HIPAA law, you must enter into a Business Associate Agreement, or BAA, with any third party that creates, receives, maintains, or transmits PHI for you, including a CSP holding your data in the cloud. The BAA contractually obligates the third party to safeguard the PHI, use it only as permitted, and report breaches and security incidents to you; it is a set of binding commitments, not a certification that the vendor is compliant. Any CSP you work with should be able to furnish a BAA. If they can’t or won’t, don’t work with them. Note also that the major providers sign BAAs only for specific, listed services, so confirm that every service your application touches is in scope before you store PHI in it.
Any third-party CSP must also conduct its own risk analysis and implement risk management protocols, which are critical for maintaining the privacy and integrity of the health data being collected, transmitted, or maintained.
Additionally, the Department of Health and Human Services recommends you enter into a Service Level Agreement with any third-party CSP to adequately spell out:
There are further requirements for the HIPAA law’s Security Rule and Privacy Rule, as well as specifications for how to respond in the event of a breach or threat. As we learned from the catastrophic data breach in 2013 at Target stores, which occurred when attackers entered the network using stolen credentials from the company’s third-party HVAC vendor, it’s critical to ensure the security of any third-party vendor.
While not every CSP is able to check all the HIPAA-compliance boxes, there are numerous, trusted CSPs that are HIPAA compliant. These include:
Depending on your level of data, there are cost considerations to keep in mind when choosing a CSP. Wasabi notes that traditional on-premises storage solutions and first-generation cloud storage solutions can be cost-prohibitive and too complex for large datasets.
Many large organizations without HIPAA obligations already use the cloud providers named here, so the HIPAA-eligible services they offer are a bonus for those that do. It is far easier to build on a provider that will sign a BAA than on one that won’t, since you have less red tape to cut through to establish your own compliance. Keep in mind, though, that a provider’s BAA covers only its side of the shared-responsibility model: encrypting PHI at rest and in transit, restricting and logging access to it, and configuring each service securely remain your job.
Websites are another digital channel that was still in its infancy when HIPAA was developed and passed, so, as with apps and cloud storage, compliance with the law has become more important for websites as well.
For health care entities that fall under the HIPAA law, you also need a HIPAA compliant website.
Here’s a brief recap. You must have a HIPAA compliant website if you:
The same rules that govern cloud storage apply to websites. Your servers store vital patient information, and if they are managed by a third party, that vendor must be able to furnish a BAA.
If you do not work with a third-party vendor for the management of your organization’s server, you still need to take steps to ensure the HIPAA compliance of your website. These can include:
That last bullet isn’t last because it’s less important. In fact, it requires some solid due diligence. There are many CMS options out there, but as with choosing a CSP, it’s important to select one that can be hosted and configured to meet HIPAA requirements. These include:
WordPress and Drupal are popular, easy-to-use platforms that cut your guesswork in half, but neither is HIPAA compliant out of the box: compliance depends on how the site is hosted, which plugins or modules handle patient data, and whether the forms and accounts that touch PHI are encrypted and access-controlled. Most HIPAA concerns fall on the hosting side of your website, because that is where patient data is stored and transferred, so it’s also important to work with a web host like ADK that is well-versed in HIPAA compliance, and to establish a BAA with your web host, whether your servers sit in a physical data center or in a virtual cloud environment.
Even if your app, cloud, or website hasn’t yet suffered a security incident or breach, being found non-compliant with HIPAA requirements carries the same kinds of serious setbacks: costly penalties and damage to patient trust and loyalty.
ADK has provided HIPAA-compliant development and hosting services for apps and websites in the health space, and we are experts in the critical requirements needed to keep your business running smoothly and the information you collect, store, and transfer secure.
Contact us today to discuss what your digital business functions need to become HIPAA compliant.