How We Ensure HIPAA-Compliant Software Development
The Health Insurance Portability and Accountability Act is an official document that protects private health information. This is a document that should be well-known to every medical professional that runs their business online. At MobiDev, we have comprehensive experience of software development for healthcare—and we'd love to share some insights with you.
What are the minimal requirements that make your software HIPAA-compliant?
Any ePHI (electronic Protected Health Information) must be encrypted before being transmitted.
ePHI can be backed up for recovery and restoration in case of need.
ePHI can be accessed only by authorized staff.
ePHI must not be subject to unsanctioned changes.
5. Storage Encryption
Stored ePHI should be encrypted.
When ePHI is no longer needed, it can be safely and permanently disposed of.
The final key to HIPAA-compliant software: ePHI should be hosted on servers of a company with whom a Business Associate Agreement is signed. Otherwise, it should be hosted on secure in-house servers.
Does generic software meet the HIPAA requirements?
1. Transport Encryption
No. Data is not encrypted before or during transmissions.
Maybe. Most web hosting providers offer backup and restoration features.
Maybe. It depends on the features of your medical software.
No. There is no guarantee that data has not been modified.
5. Storage Encryption
No. Stored data is not encrypted.
Maybe. It depends. Some hosting providers store backups indefinitely.
7. Business Associate Agreement
No. Most hosting providers are not familiar with HIPAA. They might not be willing to run any risks signing this agreement, which might contradict their own business processes.
As you can see, if your software wasn't created with privacy and security by design—or accordingly updated—it will fail at meeting HIPAA requirements.
How to ensure HIPAA compliance in website design and app development?
The means to making your medical software HIPAA-compliant—or building one from scratch—depend on your goals and the way sensitive data is stored and transmitted. However, we can outline general thoughts on how these requirements will be met:
HIPAA-compliant software keeps sensitive health data encrypted during transmissions, and the first step is to make it secure with SSL and HTTPS protocols. Your hosting provider should allow to configure SSL to use strong encryption methods. The former protects pages that collect or show health data as well as login pages. There should not be any alternate non-secure versions of these pages. What's more, if we have client-server data transmissions, i.e. data is transmitted in the body of POST requests, we can encrypt them on the sender's side and decrypt them on the receiver's side. This helps transmissions to be protected from man-in-the-middle attacks. Passwords can be transmitted and stored with the help of hash values. Together with secure complex passwords, this can prevent compromising. Therefore, the HIPAA requirement for security of user-website communication is met.
Most hosting providers provide backup and recovery services, so the data will not be lost in case of accident or emergency. If your, say, web product sends data elsewhere (e.g. via email), messages should be backed up, stored securely, and accessible to authorized staff only.
Authorization can be set up by our web team that builds or upgrades your medical software: audited access controls, secure logins that ensure that sensitive data can be accessed only by authorized personnel. If it can be accessed by the hosting provider, the issue of HIPAA Business Associate Agreement arises.
It is absolutely necessary to ensure that the information you collect, store, and transfer is safely kept from being damaged or altered in an undesired way, whether intentionally or unintentionally. The first necessary step here is to make sure that your system is able to immediately detect and report any unauthorized data tampering, even if just a single bit has changed. In website development, this is achieved by digitally signing and then verifying every piece of data stored or transmitted in the system, using such means as PGP, SSL, etc. Then the entire system has to be designed and built in a way that prevents any unauthorized access to the data.
The measures mentioned above, like regular backup, encryption, access authorization with proper user roles and privileges, as well as restriction of physical access to the infrastructure, come in great help to make your medical software HIPAA-compliant. One step further can be taken by designing the software UI in a way that prevents input of invalid data or intelligently helps to detect and correct at least the most typical mistakes.
Dealing with sensitive PHI, you have to make sure that it is available to authorized eyes only. This covers all the data stored in your software system, including databases, backups, and even logs. It may happen to be stored in locations that are out of your control, such as on a server shared with other customers of the same hosting provider. Should this server be compromised in some way, the data must remain encrypted and inaccessible.
For this purpose we apply an industry approved encryption using AES and RSA algorithms with strong keys (preferably 256 bits for AES, and at least 4096 bits for RSA). We also use such encrypted databases as SQLCipher to store data on the backend safely.
Backed up and archived data has to expire and be permanently disposed of. The same concerns all the decryption keys. What's more, it must be foreseen that every location where the data is transmitted might be making backups or copying it. Whenever you no longer use a server, the data has to be disposed of as well.
Business Associate Agreement
Business Associate Agreement must concern every vendor that deals with your sensitive health data and HIPAA compliance. Your web hosting provider will follow security requirements and provide an infrastructure that will be HIPAA-compliant. Our job is to follow the same rules during design and implementation.
You will make a lot of decisions and face careful considerations on what is necessary and appropriate to protect sensitive data of your users and meet these requirements. And if you have any further questions on how we can integrate healthcare applications with tech innovations—the Internet of Things and Augmented Reality included—feel free to ask!