Adapting Digital Technology for HIPAA Compliance
How to ensure your website, the cloud, and mobile apps are compliant with the HIPAA Privacy Law
Digital technology has made compliance with the Health Insurance Portability and Accountability Act, or HIPAA, a bit more involved for health care companies and providers.
Anyone who has visited a doctor’s office knows the drill – patients are asked to sign a form acknowledging they understand the HIPAA law and the privacy of their information under the law. Most patients likely skim the form and don’t fully understand the ins and outs of the law as it pertains to their health information, but for providers, it’s a different story. Compliance is critical, and even more so today as health information is shared and made accessible on digital platforms, introducing security threats that didn’t exist in 1996 when the law was first enacted.
A quick note on why you can trust us: We’ve spent the past decade building HIPAA-compliant mobile apps, doctor-facing dashboards and websites for both leading health organizations like Massachusetts General Hospital and Brigham & Women’s Hospital as well as rapidly scaling startups like Firefly Health.
A Primer on HIPAA Compliance
The HIPAA law is defined by two rules: the Privacy Rule and the Security Rule.
Privacy Rule: This rule defines what constitutes Protected Health Information, or PHI, that is obtained and held by different entities such as health plans, health insurers, and health care providers like hospitals, practices, or clinics. PHI refers to any personally identifiable information (PII), which is any information that can identify an individual, such as name, social security number, payment history, and care details. The Privacy Rule also regulates who can use this information and what they can do with it.
Security Rule: This rule specifically regulates electronic information and security for PHI, namely for three categories:
- administrative (control of access to information and training around data use)
- technical (use of the data itself; i.e. accessing it, sharing it, or collecting it)
- physical (management and use of different devices, such as computers or applications)
Broadly, compliance with the HIPAA law, which health entities were required to meet in 2003, gives patients more control over their health information by placing greater requirements on health care entities, including:
- Restrictions on how health records can be used or released
- Safeguards that must be met by health providers to ensure the protection of health information privacy
- Penalties for violations of patient privacy rights
- Parameters for the appropriate disclosure of certain data; i.e. a public health emergency
- Requirements for the release of information to patients, including how their health information is being used and what disclosures have been made, as well as the ability for the patient to control certain uses of their information or to request corrections
HIPAA Risk Assessment
Assessing and managing risk around the security of PHI is key to your business becoming HIPAA-compliant. The law has recognized patient data as a special class of data that requires special protections.
Every business is responsible for assessing and managing the risks related to that data to the standards of the law. HIPAA is a way for your business to protect both yourself and your customers.
Because there is so much variability in the types of companies that need to be HIPAA-compliant, the U.S. Department of Health & Human Services (HHS) provides guidelines on the objectives of a HIPAA risk assessment (rather than a specific checklist).
The HHS suggests that companies should aim to do the following when assessing HIPAA risk:
- Document where all PHI is stored, transmitted, or manipulated
- Proactively identify potential threats or vulnerabilities and their likelihood
- Audit the current security measures for protecting PHI
- Outline what may happen in the event of a breach of PHI
- Assess the level of risk for the potential impacts of different vulnerabilities
Finally, all the above should be documented and action items should be made to mitigate risk as much as possible. These reviews should be conducted at least every year, but there’s no specific guidance from the HHS and it can depend on the specifics of your company.
HIPAA for Apps, Cloud Storage, and Websites
After HIPAA compliance went into effect, the HIPAA-inspired Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expanded on regulations for computerized health records.
In 2020, however, the words “electronic” and “computerized” don’t accurately describe the vast digital landscape now holding personal information of all kinds, including health records.
In a recent article, we detailed the way mHealth, or mobile health, apps are changing the face of the doctor-patient relationship by expanding the ways patients can communicate with their health care providers and stay in control of their health.
But it’s not just patient apps that fall under scrutiny here. Health care providers use in-house medical software applications to store patient information that can be susceptible to security threats and breaches.
In the case of these apps, cloud data storage, and even websites, HIPAA becomes critically important to uphold the integrity of PII and the spirit of the law when it was originally passed all those years ago.
Is My Health App HIPAA Compliant? Does it Need to be?
In the case of mHealth apps, it seems HIPAA compliance hasn’t quite caught up to the technology. Mobile apps developed for a patient to use to manage and monitor their own health information are not subject to HIPAA compliance requirements.
However, a line is drawn in the sand as soon as the information on that app is intended to be shared with a health provider or health professional – it then falls under that category of Protected Health Information (PHI). HIPAA compliance applies in such a case; similarly with in-house medical software applications that allow patient data to be visible and accessible to multiple providers.
HIPAA Journal notes that there are still more exceptions for certain apps – for example, a digital heart monitor that is collecting a patient’s cardiac activity over a period of time. While that app is technically for personal use, the data is being shared with an outside entity, and therefore falls under HIPAA compliance.
What Constitutes a HIPAA Compliant App?
Firefly Health and the Enhanced Recovery After Surgery (ERAS) apps, each developed by ADK Group, are good examples of an mHealth HIPAA compliant app.
HIPAA compliance starts by understanding the compliance requirements under HIPAA, as we detailed above, and determining some vital aspects of how your application is going to be used:
- Is your mHealth app going to track, collect, store, or transmit information that would be considered PHI under the HIPAA law?
- Will you be exchanging information or interacting with covered entities like a health care provider or doctor’s office?
It’s important to use a technical developer like ADK Group that understands the administrative, technical, and physical safeguards required by the HIPAA Security Rule, and what’s required from a hosting solution in order for an application to meet those safeguards.
Understanding Requirements for a HIPAA Compliant Cloud
Everything is in the cloud today. It’s a great backup solution and allows more data to be stored and accessed faster and more easily.
But like digital applications, the cloud is susceptible to security risks, and protecting health information stored in the cloud is a key component of HIPAA compliance.
Cloud Service Providers, or CSPs, are subject to HIPAA compliance, even if your health organization is already compliant.
Under the HIPAA law, you must enter into a Business Associate Agreement, or BAA, with any third-party managing your organization’s data in the cloud. This agreement states that the third-party is HIPAA compliant, and any CSP you work with should be able to furnish a BAA. If they can’t or won’t, don’t work with them.
Any third-party CSP must also be able to conduct their own risk assessment and implement risk management protocols, which are critical for maintaining the privacy and integrity of the health data being collected, transmitted, or maintained.
Additionally, the Department of Health and Human Services recommends you enter into a Service Level Agreement with any third-party CSP to adequately spell out:
- System availability and reliability
- Backup and data recovery
- The manner in which data will be returned to the customer, whether per request or when that data is no longer relevant
- Security responsibility
- Use, retention, and disclosure limitations
There are further requirements for the HIPAA law’s Security Rule and Privacy Rule, as well as specifications for how to respond in the event of a breach or threat. As we learned from the catastrophic data breach in 2013 at Target stores, which occurred when attackers entered the network using stolen credentials from the company’s third-party HVAC vendor, it’s critical to ensure the security of any third-party vendor.
Which Storage Providers Can I Trust for a HIPAA Compliant Cloud?
While not every CSP is able to check all the HIPAA-compliance boxes, there are numerous, trusted CSPs that are HIPAA compliant. These include:
- Google Drive
- Microsoft OneDrive
Depending on the volume of data you hold, there are cost considerations to keep in mind when choosing a CSP. Wasabi notes that traditional on-premises storage solutions and first-generation cloud storage solutions can be cost-prohibitive and too complex for large datasets.
Many large organizations that don’t have HIPAA compliance needs already take advantage of the cloud storage solutions we’ve named here, so the built-in compliance is a bonus for those that do. It is far easier to leverage one of these providers than one that is not HIPAA compliant as you have less red tape to cut through to ensure your own compliance.
What About My Website?
Websites are another digital source that was still in its infancy at the time HIPAA was developed and passed, so similarly to apps and cloud storage, compliance with the law has become more important for websites as well.
For health care entities that fall under the HIPAA law, you also need a HIPAA compliant website.
Here’s a brief recap. You must have a HIPAA compliant website if you:
- Collect information classified as PHI, which can occur through a chat functionality, patient portal, online patient forms, or contact forms that ask for PII.
- Store patient information on a server that could be used to identify that patient if compromised.
- Transmit patient health information through any kind of digital means; i.e. emails or web forms.
Like HIPAA compliance for cloud storage, the same rules apply for websites. Your servers store vital patient information, and if they are managed by a third-party, that vendor must be able to furnish a BAA.
If you do not work with a third-party vendor for the management of your organization’s server, you still need to take steps to ensure the HIPAA compliance of your website. These can include:
- Securing the connection to your website with a valid SSL/TLS certificate so that pages and form submissions are served over HTTPS. A valid certificate is the difference between users seeing a browser security warning when they reach your site and being able to visit your website with confidence.
- Using encryption to protect any information users provide through your website, such as on contact forms or with an online registration functionality.
- Having a backup and restoration plan for all information in the event of a security threat or breach.
- Establishing a process for managing patient information at their request as enabled by the HIPAA law.
- Reviewing how PHI is stored and transmitted to ensure it’s in compliance with the HIPAA law.
- Implementing encryption security for emails containing PHI.
- Using a HIPAA-compliant content management system (CMS).
That last bullet isn’t last because it’s less important. In fact, it requires some solid due diligence. There are many CMS options out there, but as with choosing a CSP, it’s important to select one that is HIPAA compliant. These include:
- WordPress
- Drupal
Both are popular and boast easy-to-use platforms that cut your guesswork in half while providing the HIPAA compliance you need. Keep in mind that a lot of HIPAA compliance concerns fall on the hosting side of your website because of the storage and transfer of patient data, so it’s also important to work with a web host like ADK that is well-versed in HIPAA compliance, and to establish that BAA with your web host to protect the information stored in your physical (vs. virtual cloud) space.
Even if your app, cloud, or website hasn’t yet been subject to a security threat or breach, being caught in non-compliance with HIPAA requirements carries the same types of serious setbacks, including costly penalties, and damage to patient trust and loyalty.
ADK has provided HIPAA-compliant development and hosting services for apps and websites in the health space, and we are experts in the critical requirements needed to keep your business running smoothly and the information you collect, store, and transfer secure.
Contact us today to discuss what your digital business functions need to become HIPAA compliant.