Three HIPAA Safeguards You Need in Place When Building An App Today

If you’re building the next mhealth or wearable technology, you’ve no doubt grappled with the challenge of determining whether you need to be HIPAA compliant or not. HIPAA is the Health Insurance Portability and Accountability Act, the federal law that mandates how patient data is stored, handled and utilized. With changes to the legislation in September of 2013, anyone that is handling Protected Health Information–that special class of personally identifiable health-related data–must meet the compliance standards outlined by the law. 

 

If you’re not sure whether you need to be HIPAA compliant, or think you might and aren’t sure what that actually entails, keep reading. We’ve even put together a handy checklist at the end to help you keep track of each piece of the compliance puzzle. But remember, this isn’t comprehensive nor is it legal advice. If you’re considering an app or technology that might require HIPAA compliance, meet with a lawyer before you get started.

 

 

HIPAA is composed of four rules, two of which, the Privacy and Security Rules, contain the action items you need to know and act on to meet the compliance requirements of the law. The Breach Notification Rule is important to understand for its requirements around notification of privacy breaches. The fourth rule is the Enforcement Rule that details the enforcement activities and penalties in the law.

 

By meeting the three safeguards of the Security Rule and the requirements of the Privacy Rule you’ll be well on your way to being HIPAA compliant–an important milestone for any health tech start up. 

 

 

It used to be that only Covered Entities, such as doctor’s offices, hospitals and health insurers needed to worry about HIPAA compliance. But it turned out that it wasn’t Covered Entities who were most at risk for data security and privacy breaches, it was their Business Associates. Business Associates are the third party providers that handle protected health information (PHI) while facilitating health care services such as software providers, couriers, technology companies, hosting providers, and more. 

 

So in September of 2013 the law was changed to require Business Associates to be HIPAA compliant too. With the change in legislation, if you handle Protected Health Information, whether intentionally or inadvertently, you need to be HIPAA compliant. PHI is any personally identifiable health data. Things like patient files, an appointment reminder, an image scan, or an activity log with names, dates and other identifiers in it can all be PHI. 

 

It’s important to remember that HIPAA does not have a Safe Harbor provision for PHI the way that the DMCA does for copyrighted content. Sites like YouTube have Safe Harbor from DMCA violation penalties because of the way they handle content on the site, respond to takedown requests, and make other business provisions to address the issue. There are no similar protections in HIPAA. Handling PHI without the following safeguards in place is a violation, period.

 

 

The HIPAA Security Rule breaks down the protection of PHI into three main categories of safeguards that businesses must put in place in order to meet the compliance standards of the law.

 

They are: Administrative Safeguards, Technical Safeguards and Physical Safeguards. If you’re a startup founder you’re going to want to review and understand all three safeguards. If you’re a developer, your area of interest will primarily be in the technical and physical requirements. 

 

Within each safeguard area are a number of standards that must be met and a number of implementation steps to be put in place. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. (see the HHS answer) 

 

An addressable implementation specification is not optional. When in doubt, implement the addressable specifications – most of them are best practices anyway.

 

Let’s take a quick look at each safeguard and what it addresses. If you’re looking for more detailed information on implementation requirements, check out The Developer'€™s Guide to HIPAA Compliance on GitHub. 

 

 

The Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies. The Security standards were designed to be "technology neutral.”

 

There are five standards that must be met to satisfy this area of the law. They are: 

The five standards are met through the implementation of nine specific system elements. You can read them in the infographic here, but at a high-level they are: unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit controls, mechanisms to authenticate PHI, authentication, and transmission integrity controls and in-flight encryption. 

 

 

Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI. These help protect from unauthorized access to sensitive data. When thinking about these, be sure to look at your backup procedures and cloud storage providers. Have a developer syncing all their files to their personal Dropbox? You could be looking at a violation. There are four standards to be met in this area of the law. They are:

These four standards are met through ten implementation steps. Facility controls include: contingency operations, a facility security plan, access control and validation procedures, and maintenance records. Workstation use and security policies and procedures are required and device and media controls include: disposal, media re-use, accountability and backup and storage specifications.

 

 

The Administrative Safeguards are the policies and procedures that govern the conduct of your workforce, and the measures put in place to protect PHI. The administrative safeguards cannot be ignored. They’re crucial to compliance.

 

As part of them, you are required to:

There are nine standards in the Administrative Safeguards section of the Security Rule include 18 implementation specifications. While too many to list here, they include things such as risk analysis and management, a sanction policy, information system activity reviews, employee oversight and data access, login monitoring, emergency procedure policies, evaluation policies and more. See the checklist for a detailed run down. 

 

In addition to the Safeguards outline by the HIPAA Security Rule, in order to be HIPAA compliant you need to meet the Privacy Rule standards as well. The HIPAA Privacy Rule outlines six main requirements to protect individual’s medical records and other personal health information. They are:

HIPAA compliance requires detail and work, but it is doable. Becoming HIPAA compliant is an important step for companies looking to tackle meaningful challenges in the health tech space. You can do it yourself by following the implementation specifications of the law, or you can use services like TrueVault and Accountable who offer HIPAA-compliant architectures and policies as services. There are also open-source resources that you can leverage as well. 

Whether you do it yourself or partner with providers, HIPAA compliance is an important milestone for health tech companies. Protecting user data and privacy is paramount in healthcare, and taking the steps early on to ensure those baseline protections are in place will enable you to build the business you envision. 

 

The ultimate promise of health technology to improve patient outcomes only occurs when patient data can be shared with healthcare providers to improve care. Don’t let the regulatory complexity of HIPAA stop you from advancing patient care. Your idea can improve lives, so move quickly through the compliance steps so you can focus on doing just that. 

 

See the checklist in the infographic we’ve created below.