HIPAA Compliance Requirements: Use The Checklist
Written by Halyna on May 25th, 2017
HIPAA compliance explained when it comes to developing healthtech products, EHR/EMR software.
In 2015, over 111 million individuals were the victims of health record breaches, via hacking or other IT incidents. These incidents included improper disposal, loss, or theft of records, along with unauthorized access/disclosure.
The vehicles for these breaches included everything from desktop computers and electronic transfers of records to emails, network servers, and portable remote devices. All of these breaches must be reported under HIPAA law, and fines, not to mention lawsuits, can follow if HIPAA rules have not been in place.
The point here is clear – if you are incorporating new healthcare software, you should make it as secure as possible and compliant with the HIPAA rules.
HIPAA Compliance Requirements
HIPAA stands for the Health Insurance Portability and Accountability Act. In general, it requires four things of any organization that handles patient medical records in any way:
- You must have safeguards in place to protect patient health information.
- You must limit using and sharing of health information to the minimum that is required for your purpose.
- You must have agreements with any contracted service providers that handle your medical records – agreements that ensure they are in compliance with all HIPAA regulations.
- You must have policies and procedures that limit access and you must provide training to your staff regarding protection of both hard copy and electronic Protected Health Information (ePHI).
The impact that HIPAA has had on the EHR/EMR industry is significant, considering the security measures that must be in place to prevent breaches of data. And those security measures must be paramount for the following entities:
- Any organization that is using digital storage and is transferring patient information.
- Any organization that is utilizing digital monitoring devices by which patient information is being transmitted.
- Any organization that receives patient information.
If you are considering any healthtech development, you must ensure that the technology is in place that meets all HIPAA standards. The best way to accomplish this is to have a HIPAA compliance checklist that both you and a development team you select can use as your software/app is built.
HIPAA Checklist for Healthtech
It’s a good idea to look at HIPAA compliance in terms of the categories of “rules” that must be followed. And it is critical to note that none of these is optional. This is a matter of law.
The HIPAA Security Rules
These rules set the standards that have to be applied to protect electronic patient health information, when it sits in storage and when it is being transmitted. The key for any development initiative will be to have the technology in place that will structure and control access. This will involve technical, physical, and administrative security measures.
What technology will your software have in place to protect patient information and to safeguard access to that patient data? The primary rule is that all data should be encrypted according to the standards of the National Institute of Standards and Technology (NIST). Any developer must understand these standards – they will be reflected in the development architecture in the following ways:
- Control of access, through usernames and PIN codes.
- A special mechanism to authenticate electronic patient information. Specifically, establish e-controls, e.g. two-factor authentication, that decide how access to the information is granted. You can also use predictive risk analysis mechanisms to assign various risk levels (and permission rights) based on the agent’s past usage history.
- Methods to encrypt and then decrypt as information/data is transmitted.
- Audit controls of all activities: a record of who accessed data, when it was accessed, and what was the purpose of that access.
- An automatic logout: when data sits on a device that is not attended, there should be a time frame for automatic logout.
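One way to implement the audit-control and automatic-logout items above, as an added example in Go (not code from the original article or from Romexsoft): every access attempt, allowed or refused, is appended to a hash-chained log so that later edits are detectable. The names AuditLog, Access and Verify, the sample user and record IDs, and the 10-minute IdleLimit are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

const IdleLimit = 10 * time.Minute // assumed policy value, not a number HIPAA fixes
// Entry records who touched which record, when, why, and whether it was allowed.
type Entry struct {
	User, Record, Purpose string
	At                    time.Time
	Allowed               bool
	Prev, Hash            string // each entry commits to the one before it
}
type AuditLog struct{ Entries []Entry }

func digest(e Entry) string {
	msg := fmt.Sprintf("%s|%q|%q|%q|%d|%t", e.Prev, e.User, e.Record, e.Purpose, e.At.UnixNano(), e.Allowed)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(msg)))
}

// Access refuses sessions idle past IdleLimit and logs the attempt either way.
func (l *AuditLog) Access(user, record, purpose string, lastSeen, now time.Time) bool {
	e := Entry{User: user, Record: record, Purpose: purpose, At: now, Allowed: now.Sub(lastSeen) <= IdleLimit}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash
	}
	e.Hash = digest(e)
	l.Entries = append(l.Entries, e)
	return e.Allowed
}

// Verify returns the index of the first altered entry, or -1 if the chain is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Prev != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() { // constructed sample call: a session last active two minutes ago
	al, now := &AuditLog{}, time.Now()
	fmt.Println(al.Access("nurse.a", "patient-0001", "medication review", now.Add(-2*time.Minute), now), al.Verify())
}
```

In a real system the caller updates the session's last-activity time only after Access returns true, and the log is written to storage the application's own users cannot modify.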
This is a critical part of a HIPAA audit checklist because it relates to how data might be stored (a data center, on servers located on the physical premises, or in the cloud) and access to that data by both internal workstations and remote devices. The implications for IT development relate to storage and encryption/security. But most of these “rules” put the onus on the on-site management. They include the following:
- People who have physical access to where data is stored must be monitored and there must be authentication and authorization for all who do.
- There must be control of access to workstations that have access to ePHI.
- If mobile devices have access to information/data, there must be procedures to remove data when they will no longer be used.
- Inventory of all hardware containing data must be maintained, and the process of data removal when the hardware is discarded must exist.
Administration of Security
Again, this falls out of the realm of software development, but be mindful that there are mandatory guidelines for any business that houses or receives health information. This means there must be named security and privacy officers who regularly perform risk assessments and address any that the Office of Civil Rights of the Dept. of Health and Human Services identified during a compliance audit.
Other administrative security tasks involve:
- developing risk management policies and procedures;
- training of employees in the identification of potential cyber-attacks (and maintaining records of that training);
- ensuring that there is no access by unauthorized individuals, either physically or digitally;
- developing emergency plans to protect data in emergency events and ensuring that backups of all data are in place for restoration.
In the case of companies that house or receive ePHI data, it is usual and recommended that at least the privacy officer should be an IT specialist who conducts the risk assessments on software and hardware, and regularly tests the security systems.
Role of Developers in Administrative Security
During any Healthtech development, it will be important that developers have an understanding of administrative security requirements so that elements and functions that are built assist with administrative security, especially user and third-party access, risk, and data storage options. Finding developers/teams that are experienced in Healthtech development and thus fully aware of HIPAA administrative security requirements will be critical.
HIPAA Privacy Rules
These rules relate to the use and disclosure of electronic patient health information and apply to any healthcare organization, as well as those who provide health insurance plans, and to any business associates of these enterprises.
Under these rules, patients also have the right to receive copies of their health records (or at least see them).
The implications for EHR and EMR are obvious, especially ensuring that individual patient identifiers are secure.
Again, it will be critical that any developers are fully current on all updates of HIPAA privacy rules. The Romexsoft development team always uses the latest checklists.
HIPAA Breach Notification Rules
Small security breaches are reported directly to the Health and Human Services Office of Civil Rights. Larger breaches (impacting more than 500 patients) must also be reported to the media. In all cases, patients must be notified and informed of steps they can take to mitigate potential damage.
Reporting breaches must include all of the details of the breach and current level of damage, as well as measures taken to mitigate further damage.
If breaches have occurred because of “holes” in software, developers have some accountability, but the entity itself is not relieved of responsibility. All the more reason to use a development team that has significant Healthtech background.
HIPAA Enforcement Rules
These rules govern the procedures for investigations and assignment of penalties when a breach of electronic patient health information occurs. The big factor here is the issue of avoidability of a breach, and that has implications for EHR/EMR software development.
Ignorance of HIPAA requirements and “bugs” in software are considered avoidable and will carry greater penalties and fines.
Mitigating Risk During Development, Implementation and Monitoring Phases
Obviously, prevention is the key in any EHR/EMR system. And that prevention begins during the development phase, continues through testing and implementation, and is ongoing with regular monitoring. Here is an additional “checklist” of key factors.
The most common causes of data breaches are theft or loss of portable devices and transmitting electronic health information over insecure networks.
Both HIPAA and you should consider these breaches avoidable through proper encryption, because encrypted data is unreadable and thus cannot be used by hackers and criminals.
Here is how encryption works:
- All data is converted to ciphertext – an unreadable format which can only be “unlocked” by a security key.
- The security key converts the data back to its readable format.
- If a device is lost or stolen, or if data is sent over an unsecured network, anyone accessing that data by either means cannot read it – it is worthless to them.
Encryption should also be used on networks, to prevent hackers from gaining access.
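The steps above, carried out with AES-256-GCM (a NIST-specified mode) from the Go standard library, as an added example that is not code from the original article. It goes one step beyond unreadable ciphertext by binding each ciphertext to a record ID, so a wrong key, a wrong record, or a single modified byte all fail to decrypt. The names NewAEAD, Seal and Open and the sample record IDs are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAEAD builds an AES-256-GCM cipher; shorter AES keys are rejected on purpose.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random nonce. recordID is authenticated
// but not encrypted, so the result cannot be moved to another patient's record.
func Seal(aead cipher.AEAD, plaintext []byte, recordID string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil // nonce || ciphertext || tag
}

// Open reverses Seal; it fails on a wrong key, a wrong recordID, or any changed byte.
func Open(aead cipher.AEAD, sealed []byte, recordID string) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed demo key; production keys belong in a key manager
	aead, _ := NewAEAD(key)
	sealed, _ := Seal(aead, []byte("constructed sample note"), "patient-0001")
	_, err := Open(aead, sealed, "patient-0002")
	fmt.Println(len(sealed), err) // opening under the wrong record ID fails
}
```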
Secure Messaging Solutions
These will allow those with access authorization to send patient health information through encrypted texts to other authorized people who have a security key.
There is still the potential for security lapses, especially when these messages are sent beyond an organization’s internal firewall. Here too, encryption is the solution. And, because emails that contain patient information are considered a part of that patient’s medical records, they must be stored in an encrypted form (actually, for six years).
Preventing Malware and Phishing
One of the attractions of EHR/EMR for cyber-criminals is that the information brings a higher price on the market. It is not just a bank account or credit card number being stolen – it is patients’ entire identities. In recent years, there have been incidents of criminals getting a hold of passwords to patient databases and much of this can be avoided by a web content filter. In 2017, this hardly seems necessary to mention.
Building Healthtech software/apps is a complicated activity. Whether you want an app that streamlines basic records management, patient tracking, or more sophisticated service delivery solutions, HIPAA rules and regulations will be in play. Data storage and transmission just can’t leave any room for errors – just ask some of those companies that have experienced recent data breaches.
You need a professional development team that understands HIPAA and that has had years of experience in Healthtech development. We invite you to have a discussion with the Romexsoft team, which is particularly experienced in the healthcare and healthtech domains.