If you are a startup or business focused on providing services in the healthcare industry, then you have heard about HIPAA compliance. There is an enormous amount of general information on this topic, and it is very difficult to distil it into a list of clear objectives. As a result, everything looks complicated and unfathomable. However, if the development company has been dealing with HIPAA for a long time and has taken its own healthcare software through the certification process, everything starts to make more sense. That experience is also valuable because it can be passed on to clients, protecting them from excessive spending on overly complicated procedures or expensive third-party services.
So, if you need to develop software that collects and stores healthcare consumer data, that software must meet HIPAA guidelines.
At the same time, we want to emphasize that you are not obliged to be HIPAA certified. Compliant – yes. Certification and compliance are therefore different things. Certification is an often expensive procedure that is required if your software has to read patient data from an EHR or write it there. In other cases, compliance suffices, and it is in your interest as the software owner, because non-compliance can have legal and financial consequences.
Below is the list of Protected Health Information and Personal Information. By acquiring and storing this information, you are obliged to secure and protect it, according to HIPAA requirements.
Protected Health Information (PHI)
- Patient names
- Account numbers
- Geographical elements (street address, city, county, or zip code)
- Vehicle identifiers
- Certificate / license numbers
- Dates related to the health or identity of individuals (incl. birthdates, date of admission / discharge / death or exact age of a patient older than 89)
- Device attributes or serial numbers
- Digital identifiers (website URLs)
- Telephone numbers
- IP addresses
- Fax numbers
- Biometric elements (finger, retinal, and voiceprints)
- Email addresses
- Full face photographic images
- Social security numbers
- Other identifying numbers or codes
- Medical record numbers
- Health insurance beneficiary numbers
Personal Information (PI)
- Name and surname
- Home address
- Email address
- Identification card number
- Location data
- Internet Protocol (IP) address
- Cookie ID
- The advertising identifier of your phone
- Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
It is also important to understand that HIPAA includes three requirement segments:
- Technical Safeguards
- Administrative Safeguards
- Physical Safeguards
Only the Technical Safeguards are directly connected to software development. The other two segments concern how medical institutions organize their activity and all of the operational procedures in which people interact with PHI and PI.
A startup that aims to create a platform on which service providers interact with end users (healthcare consumers) needs to implement its software according to the Technical Safeguards. At the same time, it is important to note two further conditions:
- If the development company works exclusively with the healthcare software development, then it should not, in any case, have direct access to the platform data.
- If the development company services the software and, for any reason, needs to have technical capability to access the platform’s data, then the development company has to be HIPAA Compliant in regards to Administrative and Physical Safeguards. This is important!
Now let’s look in a bit more detail at the Technical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA):
Before starting software development, the development company must create a strict checklist. It helps the team track how complete the work is and conduct a pre-release audit. Here is a basic list of the requirements and standards that the development company must cover in this checklist:
- Access control
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Data Encryption and Decryption
- Audit Controls
- System Integrity Controls
- Mechanism to Authenticate Electronic PHI
- Person or Entity Authentication
- Data Transmission Security
- Anti-tampering mechanism
- Logs
- And more
Each of these points should then be expanded into a specific list of what your functionality covers. For example,
Access control:
1.1.1. All emails sent from the system contain a confidentiality / privacy policy / terms and conditions / privacy statement.
1.1.2. All emails sent by the system must contain a notice so that a reader who is not the intended recipient is alerted as early as possible.
Note example:
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed.
If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
1.1.3. The system restricts file transfer via the embedded messenger to prevent any transmission of ePHI through it.
1.1.4. The system sends a registered user’s ePHI only to that user’s own email account. At the same time, the system prevents one email address from being registered to multiple users, so that ePHI cannot be delivered to an unintended recipient.
Or this,
Unique User Identification:
1.2.1. The system uses an email account as a unique name for identifying and tracking user identity.
1.2.2. Each user uses a unique email and password for accessing the system.
1.2.3. Guests get access to the system through a link sent by the system to a unique user email.
1.2.4. Guest accounts are granted access to only their own ePHI.
1.2.5. The system strictly prohibits sharing passwords between user accounts.
1.2.6. The system requires passwords to contain letters, numbers and/or symbols to ensure effective protection.
1.2.7. The system provides the ability to reset a password.
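As an added illustration (not code from the article or its authors), the following Python sketch turns the Access control items 1.1.1, 1.1.2 and 1.1.4 and the Unique User Identification items 1.2.1, 1.2.2, 1.2.4 and 1.2.6 above into enforceable checks. The function names, the in-memory user directory and the 12-character password minimum are this example’s assumptions; the notice text is abridged from the article’s note example.

```python
import re
from email.message import EmailMessage

# Abridged from the article's "Note example" for item 1.1.2.
NOTICE = ("This e-mail, including attachments, may include confidential and/or "
          "proprietary information, and may be used only by the person or entity "
          "to which it is addressed. If you have received this e-mail in error, "
          "please notify the sender by replying to this message and delete it.")

def normalize_email(addr: str) -> str:
    """1.2.1: the e-mail address is the unique user identity, so normalise it;
    otherwise Alice@Example.com and alice@example.com could become two accounts."""
    return addr.strip().lower()

def register_user(directory: dict, email: str, password: str, role: str = "user") -> str:
    """1.2.2 / 1.1.4: one account per e-mail address. 1.2.6: the password must mix
    letters with numbers or symbols (the 12-character minimum is an assumption)."""
    key = normalize_email(email)
    if key in directory:
        raise ValueError("duplicate e-mail account rejected")
    if len(password) < 12 or not re.search(r"[A-Za-z]", password) \
            or not re.search(r"[^A-Za-z]", password):
        raise ValueError("password must be >= 12 chars and mix letters with numbers/symbols")
    directory[key] = {"role": role}   # constructed in-memory directory (assumption)
    return key

def build_ephi_email(directory: dict, to_email: str, body: str) -> EmailMessage:
    """1.1.4: ePHI is sent only to a registered user's own address.
    1.1.1 / 1.1.2: every outbound message carries the confidentiality notice."""
    key = normalize_email(to_email)
    if key not in directory:
        raise PermissionError("recipient is not a registered user; ePHI not sent")
    msg = EmailMessage()
    msg["To"] = key
    msg.set_content(f"{body}\n\n--\n{NOTICE}")
    return msg

def can_view_record(directory: dict, requester: str, record_owner: str) -> bool:
    """1.2.4: a guest may see only their own ePHI. The article defines no broader
    role, so this example defaults to deny for everyone else (assumption)."""
    req = normalize_email(requester)
    return req in directory and req == normalize_email(record_owner)
```

Each function maps back to a numbered checklist item, which is what makes the pre-release audit described above a matter of ticking off evidence rather than rereading the code.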
In this way, absolutely every functional unit of your software is specified and developed. It is also worth noting that similar checklists are written for the server infrastructure. Here’s an example of a Data Center Security and Facility checklist:
ACCESS RIGHTS
- Restricted Access to DC Facility
- Biometric Access Required
- Signs Posted for Restricted Access
- Unique Access ID for Each Employee
- Process For Granting / Revoking Access
- Escort Required for Visitors / Vendors
- Reconciliation of Staff with Access
ACCESS TRACKING
- Live Monitoring of Accesses
- Digital Log of Door Accesses
- Written Visitor Log
- Camera Placement at All Door Access Points, Aisles / Cages
DATA PROTECTION
- Shredder Present
- Server / Comm Cabinets Secured
- Network Cables and Sockets Secured
Of course, this is only a part of what we can describe in this article, but we will show you the full extent of our experience during our communication.
As of today, we have developed a number of HIPAA-compliant and certified platforms. We have also rebuilt software intended for certain services in the healthcare industry, correcting the mistakes of inexperienced teams that were unable to warn and inform the customer in advance.
Based on everything mentioned above, we want to show you how important it is that a software development company, like us, has experience in developing HIPAA-compliant and certified healthcare software. It can help you get through a path that is usually described as, and probably is, incredibly difficult.
Moreover, with the participation of our engineers, we will help you go through the technical certification procedures.
Let’s collaborate and we will share our experience with you!