Roadmap to HIPAA Compliance for Healthcare IT

Amruta Deshpande, Software Architect

Introduction

The healthcare industry has seen dramatic changes since the outbreak of the COVID-19 pandemic. There has been a sudden rise in demand for IT services in the healthcare sector, and more patients are being treated remotely than ever before. It is estimated that the Healthcare IT market will grow at a CAGR of 17.9% from 2023 to 2030.

Increased demand for these services brings increased concerns about data protection. In the United States specifically, the U.S. Department of Health and Human Services ("HHS") has issued the Privacy Rule under HIPAA, the Health Insurance Portability and Accountability Act of 1996, for the protection of patients' personal and health data. The Privacy Rule sets standards for individuals' privacy rights to understand and control how their health information is used. It prevents a patient's Protected Health Information from being disclosed without the patient's consent or knowledge and guards against misuse of the information.

On many occasions we have observed huge gaps between data protection requirements and the actual implementation of Healthcare IT services. Lack of HIPAA compliance can lead to breaches of patient confidentiality, damage trust in healthcare organizations, and result in legal action and penalties. This article addresses some common areas and presents ways to ensure compliance with the Privacy Rule. It will help you whether you want to develop a HIPAA-compliant software product from scratch or want to make an existing product HIPAA compliant.

Common terms

There are several terms that a developer needs to understand. Let’s look at the most important of them.

Protected Health Information (PHI) is patient data that healthcare entities collect to identify an individual patient, diagnose, and determine care needs. PHI includes a patient's medical history, present medical conditions, and future health predictions. HIPAA specifies rules for the access and disclosure of PHI. When stored electronically this information is referred to as ePHI, to which the same protection rules apply.

Not all the data collected by a healthcare app is ePHI. HIPAA defines 18 different identifiers that qualify data as PHI. While developing a HIPAA-compliant healthcare application, one needs to understand exactly which data is categorized as PHI and must be protected as per HIPAA guidelines. Personally Identifiable Information (PII) is any data sufficient to identify a person. Not all PII is PHI.

There are several such terms that need to be clearly understood while developing a healthcare application.

Considerations during development

  1. Authentication and authorization
      It is essential to build a strong authentication and authorization mechanism into the application.
    • Every operation needs mandatory authentication and access control
    • Use of multi-factor authentication is recommended
    • Enforcement of strong passwords, password rotation and automatic log-off policies is required
    • Ensure zero trust: only authorized personnel should get access to PHI
    • Use attribute-based access control for fine-grained control over the system
    • Auditing of all user actions that access or edit PHI is necessary
    • HIPAA gives patients more control over their health information. This includes the ability to obtain copies of their records and make corrections if necessary.
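The following is an added example, not code from the original article, showing what the attribute-based access control and zero-trust points above look like when written down as a policy: every request ends in an explicit allow or deny, the default is deny, writes require a verified MFA session, and emergency ("break-glass") access is allowed only for reads and is flagged so the audit trail can single it out. The roles, attribute names and rules are assumptions chosen for illustration.

```python
"""Attribute-based access control (ABAC) for ePHI, with deny-by-default.

Added example, not part of the original article. Attribute names, roles and the
policy rules below are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str                       # e.g. "clinician", "billing", "patient"
    department: str
    care_team_patients: frozenset = field(default_factory=frozenset)
    mfa_verified: bool = False


@dataclass(frozen=True)
class Resource:
    patient_id: str
    department: str
    category: str                   # "clinical" or "billing"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False       # emergency access: allowed, but must be flagged for audit


WRITE_ACTIONS = {"update", "delete"}


def authorize(subject: Subject, action: str, resource: Resource, emergency: bool = False) -> Decision:
    """Evaluate the policy. Every path returns an explicit Decision; the last line is the default deny."""
    # Any modification of ePHI needs a verified MFA session, whatever the role.
    if action in WRITE_ACTIONS and not subject.mfa_verified:
        return Decision(False, "writes to ePHI require a verified MFA session")

    if subject.role == "patient":
        # Patients have a right to read their own record, and nothing else.
        if action == "read" and subject.user_id == resource.patient_id:
            return Decision(True, "patients may read their own record")
        return Decision(False, "patients may only read their own record")

    if subject.role == "clinician":
        if resource.patient_id in subject.care_team_patients and resource.category == "clinical":
            return Decision(True, "clinician on the patient's care team")
        if emergency and action == "read" and resource.category == "clinical":
            return Decision(True, "emergency (break-glass) read", break_glass=True)
        return Decision(False, "clinician not on the patient's care team")

    if subject.role == "billing":
        # Billing staff see billing data for their own department, never clinical content.
        if action == "read" and resource.category == "billing" and resource.department == subject.department:
            return Decision(True, "billing staff may read billing data in their department")
        return Decision(False, "billing staff may not access clinical data")

    return Decision(False, f"no rule grants role {subject.role!r} action {action!r}")
```

The `reason` string is meant to be written to the audit log alongside the decision, so that a denied request and a break-glass read are both explainable later.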
  2. Data protection at rest and at transit
      As it is important to protect stored data, it is equally important to protect data that is being transferred from one device to another, i.e. data in transit.
    • Separate out ePHI data and the general application data
    • Anonymize data
    • Ensure field level encryption as well as storage level encryption as appropriate
    • 256-bit AES encryption is an industry standard
    • HIPAA currently requires TLS 1.2 to be configured on servers and clients, and requires support for TLS 1.3 by January 1, 2024
    • Data storage must be within the US borders
    • Emails should be encrypted end to end
    • Use encrypted communication channels only, such as HTTPS, WSS
    • Encode data during UI and backend transfer
    • Use GUIDs as record identifiers rather than sequential IDs
    • If the application generates any PDFs with sensitive data, they should be generated securely so that the data cannot be altered
    • Ensure downloading or printing of PHI content is restricted
    • Destroy any PHI immediately when it is no longer needed
    • Train all employees or people involved who handle PHI
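As an added example (not code from the original article) of three of the points above, separating ePHI from general application data, using GUIDs instead of sequential record identifiers, and anonymizing data, the block below splits an incoming record into an ePHI half and a general half linked by a random UUID, and produces a de-identified copy of the ePHI half. The field names and the choice of which fields count as identifiers are assumptions; the date and ZIP handling goes a little beyond the article by following the HIPAA Safe Harbor rule (year only, first three digits of the ZIP code), and the keyed pseudonym keeps records of the same patient linkable without being reversible.

```python
"""Separate ePHI from general application data, link the halves with a GUID,
and de-identify the ePHI half for secondary use (analytics, testing).

Added example, not from the original article. The field names and the set of
fields treated as identifiers are assumptions; the date and ZIP handling follow
the HIPAA Safe Harbor de-identification rules (year only, first three ZIP digits).
"""
import hashlib
import hmac
import uuid
from typing import Dict, Tuple

# Assumed: incoming fields that are direct identifiers (a subset of HIPAA's 18).
IDENTIFIER_FIELDS = {"name", "mrn", "email", "phone", "ssn", "dob", "zip"}
# Assumed: clinical fields that are ePHI once linked to an identifier.
CLINICAL_FIELDS = {"diagnosis", "medications", "notes"}


def split_record(raw: Dict) -> Tuple[str, Dict, Dict]:
    """Return (record_id, ephi, general). record_id is a random GUID, not a sequential ID,
    so identifiers cannot be enumerated or guessed from one another."""
    record_id = str(uuid.uuid4())
    ephi = {k: v for k, v in raw.items() if k in IDENTIFIER_FIELDS or k in CLINICAL_FIELDS}
    general = {k: v for k, v in raw.items() if k not in ephi}
    ephi["record_id"] = record_id          # the only link between the two stores
    general["record_id"] = record_id
    return record_id, ephi, general


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same MRN always maps to the same token, but the token cannot be
    reversed or re-created without the key (a plain SHA-256 of an MRN would be guessable)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(ephi: Dict, key: bytes) -> Dict:
    """Produce a copy safe for secondary use: direct identifiers dropped or pseudonymised,
    dates reduced to year, ZIP codes truncated to three digits.
    (Safe Harbor's small-population ZIP exception and the 90+ age rule are omitted here.)"""
    out = {}
    for k, v in ephi.items():
        if k == "mrn":
            out["subject_token"] = pseudonym(str(v), key)
        elif k == "dob":
            out["birth_year"] = int(str(v)[:4])
        elif k == "zip":
            out["zip3"] = str(v)[:3]
        elif k in IDENTIFIER_FIELDS:
            continue                       # names, e-mail, phone, SSN are dropped outright
        else:
            out[k] = v                     # clinical content and the record GUID stay
    return out
```

The HMAC key used for pseudonyms is itself a secret: whoever holds it can re-link tokens to MRNs, so it belongs in the same key store as the encryption keys and is never shipped with the de-identified data.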
  3. Backup and recovery routines
      Data is important. As per HIPAA standards, data needs to be stored for a minimum of 6 years. Data should be available and presentable in case of any breach. Hence a strong backup and recovery system is required.
    • Set up backups
    • Ensure that any healthcare data backed up is an exact copy of the original information, and that it can be recovered to match its original state
    • Frequently test the recovery system
    • Backups should be encrypted
    • Create Disaster Recovery and Contingency plans
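The following is an added example, not code from the original article, of the "exact copy" and "test recovery" points above: a backup routine that records a SHA-256 digest of every original file in a manifest, a restore check that recomputes the digests on the restored tree and reports anything missing or altered, and a helper that says whether a backup is still inside the six-year retention window. The paths and manifest format are assumptions, and encryption of the backup medium is assumed to be handled by the storage layer rather than shown here.

```python
"""Backup with an integrity manifest, and a restore test that proves the copy
matches the original byte for byte.

Added example, not from the original article. Paths, the manifest format and the
retention helper are assumptions; encryption of the backup medium is assumed to be
handled by the storage layer and is not shown here.
"""
import hashlib
import json
import shutil
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional

RETENTION = timedelta(days=6 * 365)      # the article's six-year minimum


def sha256_file(path: Path) -> str:
    """Stream the file so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dst: Path) -> Dict:
    """Copy every file under src to dst and write a manifest of digests of the ORIGINALS."""
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": {}}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest["files"][rel] = sha256_file(p)
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restored: Path, manifest: Dict) -> List[str]:
    """Recompute digests on the restored tree; return the paths that are missing or differ.
    An empty list means the restore matches the original state."""
    problems = []
    for rel, digest in manifest["files"].items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"mismatch: {rel}")
    return problems


def within_retention(manifest: Dict, now: Optional[datetime] = None) -> bool:
    """True while the backup must still be kept under the retention window."""
    now = now or datetime.now(timezone.utc)
    created = datetime.fromisoformat(manifest["created"])
    return now - created < RETENTION
```

Running `verify_restore` against a real restore into a scratch location, rather than against the backup volume itself, is what turns this into a recovery test: it exercises the restore path and not just the stored bytes.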
  4. Use of third-party services
      Most of the time, software makes use of third-party libraries and even services; e.g., for cloud hosting of an application, multiple cloud services are used, and some open-source libraries are used. Data going out to external systems should have the same level of protection as established within the system.
    • As much as possible, limit and control data going out of your system
    • Sign a BAA (Business Associate Agreement) with the third parties involved that handle your data
  5. Auditing
      All user actions, specifically those that handle PHI data, need to be auditable. Following is a list of some considerations for setting up audits.
    • Authentication and authorization auditing: logins, failed login attempts, and password updates (when changed and by whom) should be auditable
    • Track who accesses PHI, when they access it, and what changes are made
    • Ensure all requests are logged and accessible in an audit report. Log the request and the parameters included in the request
    • Maintain logs for at least 6 years and monitor them regularly
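As an added example (not code from the original article) of the audit considerations above, the block below keeps an append-only audit trail that records who did what to which record and when, with the request's parameter names, and chains every entry to the previous one by hash so that a deleted or edited entry is detectable. It also answers the two questions an auditor asks first: which accesses touched a given patient's record, and how many failed logins a user has. The entry fields and the in-memory storage are assumptions; a deployment would append to write-once storage. Parameter names are logged but PHI values are not, because the audit log would otherwise become ePHI itself.

```python
"""Tamper-evident audit trail for PHI access: who, when, what, which record,
which request parameters; each entry chains to the previous one by hash.

Added example, not from the original article. The entry fields and the storage
(an in-memory list) are assumptions; a deployment would append to write-once storage.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64      # "previous hash" of the very first entry


def _digest(entry: dict) -> str:
    """Hash of every field except the hash itself, in a canonical field order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries: List[dict] = []

    def record(self, user_id: str, action: str, patient_id: Optional[str],
               params: List[str], outcome: str, when: Optional[datetime] = None) -> str:
        """Append one entry and return its hash."""
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "action": action,             # "login", "login_failed", "read_phi", "update_phi", ...
            "patient": patient_id,        # record identifier, never the patient's name
            "params": sorted(params),     # parameter NAMES only; values may be PHI
            "outcome": outcome,           # "allowed" or "denied"
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self) -> int:
        """Return the index of the first entry whose hash or link is broken, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def accesses_to(self, patient_id: str) -> list:
        """Accounting of disclosures for one patient: (timestamp, user, action, outcome)."""
        return [(e["ts"], e["user"], e["action"], e["outcome"])
                for e in self.entries if e["patient"] == patient_id]

    def failed_logins(self, user_id: str) -> int:
        """Count of failed login attempts recorded for a user."""
        return sum(1 for e in self.entries
                   if e["user"] == user_id and e["action"] == "login_failed")
```

Denied requests are recorded too: a pattern of denials against one patient's record is exactly the kind of event the "regularly monitor logs" point is meant to catch.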
  6. Procedures
      Document everything related to your software development process, including risk analysis, policies and procedures, employee training, security assessments, etc. The procedures should be well tested and kept updated, with an annual review of policies and procedures. Some documentation examples are:
    • Emergency access
    • Accounting of disclosures
    • Procedures for disposing of PHI
    • Data backup plan
    • Data recovery plan
    • Data recovery test plan
    • Employee training
  7. Infrastructure security
      Following standard infrastructure security practices is essential.
    • Establish anti-virus and spam protection
    • Define identity roles and permissions for infrastructure-level access. Individuals should have only the access they need, with their own credentials to access the systems
    • Regular system maintenance and audits are needed
    • Only required ports should be open
    • IP whitelisting/blacklisting should be done as needed
    • Run EDR (Error detection report) and make any corrections as needed
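The following is an added example, not code from the original article, of two of the infrastructure checks above: flagging listening ports that are not on the approved list during a maintenance review, and deciding whether a source address falls inside the IP allowlist. The approved-port set, the CIDR allowlist and the sample listener lines are constructed for illustration; the sample lines mimic the column layout of `ss -ltn` output.

```python
"""Two infrastructure checks: open ports that are not approved, and IP allowlisting.

Added example, not from the original article. The approved-port set, the CIDR
allowlist and the sample listener lines are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable

# Assumed approved services for this host: HTTPS and the internal database port.
APPROVED_PORTS = {443, 5432}

# Constructed sample shaped like `ss -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""


def listening_ports(ss_output: str) -> Dict[int, str]:
    """Map port -> bound address for every LISTEN line; the header line is skipped."""
    ports = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")     # rpartition copes with "[::]:22"
        ports[int(port)] = addr
    return ports


def unexpected_listeners(ss_output: str, approved: Iterable[int] = APPROVED_PORTS) -> Dict[int, str]:
    """Open ports not on the approved list -> bound address, for the maintenance review."""
    approved = set(approved)
    return {p: a for p, a in listening_ports(ss_output).items() if p not in approved}


def source_allowed(ip: str, allowlist: Iterable[str]) -> bool:
    """IP allowlisting: accept only addresses inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)
```

The bound address matters as much as the port: a database listening on `127.0.0.1` is a different finding from one listening on `0.0.0.0`, which is why `listening_ports` keeps both.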

SpringCT has developed several platforms and applications for the healthcare industry. The company has an excellent understanding of, and experience with, the requirements to protect healthcare data and to ensure compliance with standards such as HIPAA and GDPR. Please contact SpringCT for any help in this area.

Author: Amruta Deshpande. Posted in October 2023