Complying with HIPAA: What You Need to Know

The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 to help improve healthcare administration. It changed many things, such as protecting health insurance after job loss, and setting guidelines for group health plans. 

One of the main effects of the law was to protect patient health information. Under HIPAA, all patient health information has to be treated carefully, and can only be exchanged with third parties if given explicit consent from the patient.

Software developers building a healthcare related app or website absolutely need to keep HIPAA top of mind. Failure to comply with the law can result in stiff penalties. 

While complying with HIPAA is challenging, there is much that you can do to speed up the process. We like to use MedStack, a third-party compliance platform that takes care of some of the infrastructure and backend compliance. With MedStack, we have saved our clients many hours of time spent working on their projects.

Why HIPAA Matters for Software

HIPAA governs a wide range of patient information, collectively called ePHI (electronic Protected Health Information). This information falls into a number of categories, including:

• Name
• Date of Birth
• Address
• Social Security Number
• Health plan beneficiary numbers
• Contact information (email, phone number)
• Medical history
• Patient images

Any organization which handles such information is not only forbidden from sharing it without patient consent, but also required to protect the information using a set of strict security standards. These standards are collectively known as the HIPAA Security Rule.

These rules cover administrative, physical, and technical standards for protecting patient data:

• At the physical level, data must be stored in a way that cannot be easily accessed by malicious persons. Today, this means that app developers must rely on an accountable cloud service, like AWS or Azure, to keep their data centers under lock and key.
• At the administrative level, anyone handling the data directly must be properly trained to interact with it according to HIPAA protocols. This includes factors such as using proper passwords, documenting incidents, and conducting regular risk assessments.
• At the technical level, ePHI must be protected by reasonable cybersecurity measures. The Security Rule is intended to be flexible, so that cybersecurity policies can change over time as different security flaws are discovered, and for different organizations to adapt to their specific situations.

Failure to comply with these measures can result in massive penalties, including up to $250,000 in fines, restitution to victims of a data breach, and even jail time. Cases of malicious intent are penalized more heavily than cases of negligence, but it is better to be diligent about implementing HIPAA compliance effectively.

That said, no system is 100% secure, and it is possible for malicious actors to take your data no matter how well you follow HIPAA. In the event of a breach where you can prove that you were not negligent, there may be no penalties, but your organization is required to notify affected patients within 60 days.

How We Ensure HIPAA Compliance With MedStack

HIPAA infrastructure compliance is complex. An organization that handles it on its own would have to hire multiple employees dedicated just to compliance. This may not be feasible for small companies or startups, but fortunately there is another approach: relying on a reputable intermediary.

We use MedStack to help ensure that our clients’ websites and mobile applications are HIPAA compliant. MedStack sits between your cloud provider and your application stack, sort of like a guard for sensitive health data. It provides security and compliance, in addition to data encryption, right out of the box.

MedStack operates on all three levels governed by the HIPAA Security Rule:

• For physical safeguards, MedStack works with your public cloud provider to ensure data center security, server isolation, and disaster management.
• For administrative safeguards, MedStack’s Exos platform helps ensure safe and secure company practices like employee training, workstation and office security, password policies, and more. The platform comes with policy templates, so that you don’t have to make your compliance policies from scratch.
• For technical safeguards, MedStack comes integrated with over 90% of the technical security requirements for HIPAA.

Although the main reason we use MedStack is for HIPAA compliance, it also helps with other regulations such as SOC 2, PIPEDA, and GDPR. This would help if you want to expand into Canada or the EU.

MedStack is also relatively easy to implement. This means we can develop healthcare applications in half the typical development time, while providing exceptional security and stability.

Final Thoughts

The American healthcare system is famously complex, and HIPAA is a core part of that complexity. For better or for worse, healthcare app developers need to be diligent about complying with it.

Fortunately, there is a lot that can be done to save time on ensuring that software projects are HIPAA compliant. By relying on a third party intermediary, developers can take care of many of the core tasks associated with compliance. That said, there is still plenty to do with HIPAA on the application layer, and developers will need to be mindful of coding best practices.

In the past, we’ve helped clients like the University of Chicago Medicine and the American Cancer Society by building healthcare applications that handle sensitive data. By implementing MedStack into their systems, we were able to cover the vast majority of compliance responsibilities related to HIPAA.

Do you need a healthcare related mobile or web app? ActiveColor is a leader in digital app development that specializes in digital health. Talk to us today!