HIPAA Compliance for App Developers


Please send me all the technical requirements for building a medical application that is HIPAA compliant.

Hello! Thanks for your question about requirements for building a HIPAA-compliant application that allows doctors to share information with their patients. The short version is that HIPAA compliance is made up of three main elements: technical, physical, and administrative safeguards designed to protect private information. Below you will find a deep dive of my findings.

The Department of Health and Human Services (HHS) is the originator of the Health Insurance Portability and Accountability Act (HIPAA), therefore the government website for HHS was the starting point for finding information about HIPAA compliance. Industry websites related to the field of healthcare were also consulted for supplemental information regarding HIPAA requirements, liability, and cost.

The Department of Health and Human Services (HHS) created the Security Standards for the Protection of Electronic Protected Health Information (ePHI), also known simply as "the Security Rule," in order to create a national set of security standards for protecting health information that is in electronic form. This rule is designed to be flexible and scalable in order to address the needs and abilities of several organizations and companies. Specifically, according to HHS the Security Rule applies to "health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA and to their business associates." All of these entities were required to be compliant with HIPAA by April 20, 2005, and at all times moving forward. The HIPAA security rule has three main components: technical, physical, and administrative safeguards. Some implementation specifications are categorized as “required,” whereas others are merely “addressable.” A required specification is something that cannot be left out. An addressable specification is something that should be implemented if it is reasonable and appropriate to do so, and documentation for the decision regarding this choice must be provided.

Technical safeguards are made up of four elements: access controls, audit controls, integrity controls, and transmission security. Between the four elements there are nine technical security features that should be encompassed in any technology that wishes to be HIPAA-compliant. These are: unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit controls, mechanism to authenticate ePHI, authentication, integrity controls, and encryption.
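As an added illustration (not part of the original answer), the Python sketch below shows how three of the technical safeguard features listed above might look in a doctor-patient sharing app: unique user identification with automatic logoff on idle sessions, an HMAC integrity check on ePHI records, and a tamper-evident, hash-chained audit log. The key, the 15-minute timeout and all identifiers are constructed placeholders, not values from HHS guidance.

```python
import hashlib
import hmac
import json

IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic logoff after 15 idle minutes (assumed policy value)
AUDIT_KEY = b"constructed-demo-key-not-for-production"  # constructed; load from a KMS in real use
GENESIS = "0" * 64  # chain anchor for the first audit entry

def _digest(data: dict) -> str:
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()

class Session:
    """One authenticated user; user_id must be unique per person (unique user identification)."""
    def __init__(self, user_id: str, now: float):
        self.user_id, self.last_active = user_id, now

    def touch(self, now: float) -> bool:
        """True if the session is still valid; False means automatic logoff applies."""
        if now - self.last_active > IDLE_TIMEOUT_SECONDS:
            return False
        self.last_active = now
        return True

def seal_record(record: dict) -> dict:
    """Attach an HMAC tag so alteration of the ePHI record is detectable (integrity control)."""
    body = json.dumps(record, sort_keys=True)
    return {"body": body, "tag": hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()}

def verify_record(sealed: dict) -> bool:
    expected = hmac.new(AUDIT_KEY, sealed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

class AuditLog:
    """Append-only, hash-chained log of who did what to which patient's ePHI (audit control)."""
    def __init__(self):
        self.entries, self.prev_hash = [], GENESIS

    def append(self, user_id: str, action: str, patient_id: str, ts: float) -> None:
        entry = {"ts": ts, "user": user_id, "action": action, "patient": patient_id, "prev": self.prev_hash}
        entry["hash"] = self.prev_hash = _digest(entry)  # digest covers the entry minus its own hash
        self.entries.append(entry)

    def verify_chain(self) -> bool:
        prev = GENESIS  # any edited, removed or reordered entry breaks the recomputed chain
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Encryption in transit and at rest, the remaining features in the list, would sit on top of this using TLS and a vetted cipher library rather than hand-rolled code.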

Physical safeguards are made up of two elements: facility and access controls and workstation and device security. Between the two elements there are 10 physical security features that should be encompassed by any technology that wishes to be HIPAA-compliant. These are: contingency operations, a facility security plan, access control and validation procedures, maintenance records, workstation use, workstation security, disposal, media re-use, accountability, and data back-up and storage.

Administrative safeguards are made up of five elements: security management process, security personnel, information access management, workforce training and management, and evaluation. Between the five elements there are 18 administrative security features that should be encompassed by any technology that wishes to be HIPAA-compliant. These are: risk analysis, risk compliance, sanction policy, information systems review activity, officers, employee oversights, multiple organizations, ePHI access, security reminders, protection against malware, login monitoring, password management, response and reporting, contingency plans, contingency plan updates and analysis, emergency mode, evaluations, and business associate agreements.

There are no specific requirements for the type of technology that needs to be utilized in order to be considered HIPAA-compliant. Instead, any company or organization may choose technology that works best for them and still encompasses the technical, physical, and administrative safeguards outlined previously.

Failure to follow the requirements set forth by HHS regarding HIPAA compliance could lead to several consequences, such as fines, lawsuits, customer/patient loss, security monitoring for customers/patients, lawyer fees, and technology repairs. One example of non-compliance is the Alaska Department of Health and Social Services, which had to pay $1.7 million to HHS in 2012 to settle HIPAA violations committed by the organization. Data breaches can cost companies up to $1.5 million in fines from HHS per year and up to $16,000 from the Federal Trade Commission. One way to ensure compliance is to hire a Privacy Officer or engage a service that ensures HIPAA compliance in healthcare applications, like this one.

HIPAA's Security Rule is intended to be flexible, and the amount spent on technology to ensure HIPAA compliance varies based on organization type, size, culture, environment, and workforce. When HHS released the HIPAA requirements, it estimated that the average cost per organization for compliant technology would be $1,040. Unfortunately, industry experts report that this figure is greatly underestimated. A more realistic estimate is $4,000-$12,000 for a small company and $50,000 or higher for a medium or large company.

To wrap it up, HIPAA-compliance encompasses many technical, physical, and administrative security measures. Thanks for using Wonder! Please let us know if we can help with anything else!