IS YOUR HEALTHCARE PRODUCT HIPAA COMPLIANT?
HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a law that protects sensitive patient health information. It sets the standards for protecting patients’ private health information by defining the procedures, policies, and guidelines for maintaining its privacy and security. It also defines the criminal penalties for breaking the law and violating patients’ private medical records.
Every organization and every healthcare product that keeps patients’ medical data electronically should be HIPAA compliant. In this way, each of them ensures the protection of patients’ (users’) health information.
HIPAA consists of the following regulations:
- HIPAA Security Rule – refers to the standards that have to be applied to protect and secure electronic patient health information. This rule consists of three parts:
- Technical safeguards – relate to the technology used to protect electronic patient health information and to control access to the data.
- Physical safeguards – refer to physical access to electronic protected health information.
- Administrative safeguards – the procedures and policies which unify the Privacy Rule and the Security Rule.
- HIPAA Privacy Rule – refers to the protection, use and disclosure of electronic protected health information.
- HIPAA Breach Notification Rule – requires covered entities (organizations and individuals that operate in healthcare) to notify the Department of Health and Human Services and the affected patients when their electronic protected health information is breached.
- HIPAA Omnibus Rule – refers to the procedures and policies that cover business associates (organizations and individuals that receive, transmit, create and maintain protected health information).
- HIPAA Enforcement Rule – refers to all the procedures taken after a violation involving electronic protected health information, including the penalties.
HIPAA compliance of healthcare products
Healthcare product developers are mostly concerned with determining whether their product needs to be HIPAA compliant or not. This is because there is a thin line between the healthcare products that need and those that don’t need to be HIPAA compliant. So, how to decide upon this question?
The general answer is that if your product deals with protected health information, it must be HIPAA compliant. If it deals only with consumer health information, then it doesn’t have to be HIPAA compliant. Protected health information (PHI) is stored health information that your product shares, or will share, with a covered entity (e.g. a doctor). Consumer health information, on the other hand, is stored health information that your product neither shares nor will share with a covered entity.
Following these explanations, your product needs to be HIPAA compliant if:
- It gathers, keeps and shares patients’ medical data, such as treatment information, prescriptions, health insurance information, medical test results, or billing information, with a covered entity;
- It allows users to communicate with doctors and exchange information via calls, text messages or forums.
Your product probably doesn’t have to be HIPAA compliant if:
- It’s not used by medical staff and contractors of covered entities;
- It allows covered entities (e.g. doctors) to look up medical reference information, such as information on illnesses or diseases;
- It allows users to track their dieting progress, record their weight, workout routines, etc.
How to become HIPAA compliant?
In order to be HIPAA compliant, you need to:
- Put safeguards in place to protect patients’ private health information;
- Limit the use and sharing of protected health information as much as possible, while still allowing the product to work without problems;
- Sign a Business Associate Agreement with the service providers performing activities for you, to ensure that they will properly protect, use and disclose patients’ private health information;
- Define who is authorized to access patients’ health information and provide continual training for your employees on how to protect patient health information.
In order to ensure the protection of patients’ private health information, apart from these four main things, you, as a developer, need to:
- Encrypt the data that will be stored;
- Encrypt the data that will be sent (shared);
- Use unique user authentication to secure access to the protected health information;
- Regularly update the app to keep the data protected and safe;
- Back up all data in case of damage, theft or loss of the device;
- Create a remote wipe option which will erase all protected health information if the device is lost or stolen, or the information is no longer needed;
- Have a system that audits access to the protected health information and ensures that it hasn’t been accessed without permission;
- Make sure that push notifications don’t contain protected health information;
- Host the data on the servers of the service providers you have signed a Business Associate Agreement with, or on secure in-house servers.
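As an added illustration (not code from the article), the following standard-library Python sketch shows how three of the developer safeguards above fit together in a product: every read of PHI is authorized against a per-user table, every attempt (allowed or denied) is written to a tamper-evident audit log, and push notifications carry only an opaque id plus a generic message that is checked against the record so no PHI value leaks into it. The record, users, roles, field names and key are constructed for the demo and are not real patient data.

```python
"""Added illustrative example (not from the article): per-user authorization
on PHI access, an HMAC-chained audit log, and PHI-free push notifications.
All records, users, roles and keys below are constructed for the demo."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Fields this demo treats as protected health information (an assumption).
PHI_FIELDS = {"diagnosis", "prescription", "test_result", "insurance_id"}

# Constructed sample record; not a real patient.
RECORDS = {
    "p-1001": {
        "patient": "p-1001",
        "diagnosis": "hypertension",
        "prescription": "lisinopril 10mg",
        "test_result": "BP 150/95",
        "insurance_id": "INS-00042",
    }
}

# Constructed authorization table: unique user id -> patients they may read.
ACCESS = {"dr-smith": {"p-1001"}, "nurse-lee": set()}


class AuditLog:
    """Append-only log where each entry's HMAC also covers the previous
    entry's HMAC, so editing or deleting any entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user: str, patient: str, action: str, allowed: bool) -> None:
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "patient": patient,
            "action": action,
            "allowed": allowed,
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        self.entries.append({**body, "mac": self._mac(body)})

    def verify(self) -> bool:
        """True only if every MAC is valid and the chain links are intact."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


class PhiStore:
    """Every read is authorized against ACCESS and logged, including denied
    attempts, so unauthorized access is visible in the audit trail."""

    def __init__(self, audit: AuditLog):
        self.audit = audit

    def read(self, user: str, patient: str) -> dict:
        allowed = patient in ACCESS.get(user, set())
        self.audit.record(user, patient, "read", allowed)
        if not allowed:
            raise PermissionError(f"{user} may not read {patient}")
        return dict(RECORDS[patient])


def push_payload(patient: str, message: str) -> dict:
    """Build a push payload with only an opaque id and a generic message; the
    app fetches details over its authenticated channel. Refuses a message
    that embeds any PHI value from the patient's record."""
    record = RECORDS[patient]
    for field in PHI_FIELDS & set(record):
        if record[field].lower() in message.lower():
            raise ValueError(f"push message would leak PHI field {field!r}")
    return {"notification_id": secrets.token_urlsafe(12), "message": message}


if __name__ == "__main__":
    store = PhiStore(AuditLog(b"constructed-demo-key"))
    print(store.read("dr-smith", "p-1001")["diagnosis"])
    try:
        store.read("nurse-lee", "p-1001")
    except PermissionError as exc:
        print("denied:", exc)
    print("audit chain intact:", store.audit.verify())
    print(push_payload("p-1001", "A new document is available in your portal"))
```

In a real product the audit key would live in a key manager rather than in source, the log would be written to append-only storage, and the encryption-at-rest and in-transit items from the list would be handled by the database and TLS layers rather than application code; the point here is that authorization, audit and notification hygiene are application-level decisions the developer has to design in.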
If your healthcare product is not HIPAA compliant and a breach of the electronic protected health information occurs, you will face civil and criminal penalties for violating HIPAA law. So, before you create a healthcare product, make sure you are aware of the HIPAA rules and that your product will comply with them.